2015-03-12 12:50 GMT+01:00 Rainer Gerhards <rgerha...@hq.adiscon.com>:

> 2015-02-04 13:52 GMT+01:00 David Lang <da...@lang.hm>:
>
>> On Wed, 4 Feb 2015, singh.janmejay wrote:
>>
>>  On Wed, Feb 4, 2015 at 7:17 AM, David Lang <da...@lang.hm> wrote:
>>>
>>>> as I'm spending a bunch of time making templates from cisco logs, a few
>>>> thoughts on mmnormalize
>>>>
>>>> 1. It should probably set parsesuccess like mmjsonparse does
>>>>
>>>>
>>> This will be very useful.
>>>
>>>
>>>
>>>> 2. it would be useful to have something like char-to that accepted
>>>> multiple characters as the termination pattern. thanks to the addition of
>>>> tokenize I was able to work around this ('flags FIN ACK on interface'
>>>> where the number of flags listed is variable)
>>>>
>>>>
>>> I felt the need for this too. I believe the recent string-to thing does
>>> this?
>>>
>>
>> I missed that. One thing that is wrong with liblognorm and mmnormalize is
>> that the docs that are pointed to are horribly out of date and don't
>> mention a lot of these capabilities. I cloned the source from github and
>> was looking through it to find things, but apparently missed this one.
>>
>>
> Mhh... I updated the web site to autoupdate from the repo doc. I just
> checked and it looks fine. Do you really get the old doc? (the new one says
> 1.1.1 for example).
>
>
sorry -- I didn't realize the early mails were from Feb... Just discard my
message ;)

Rainer

> Rainer
>
>>
>>>
>>>> 3. the number type should accept negative numbers, not just digits
>>>>
>>>>
>>>> 4. it would be fantastic to be able to define custom types in the config
>>>>
>>>> example
>>>>
>>>> inside:1.2.3.4/56 is a pattern that happens a lot and I use
>>>> %srciface:char-to:\x3a%\x3a%srcip:ipv4%/%srcport:number% and
>>>> %dstiface:char-to:\x3a%\x3a%dstip:ipv4%/%dstport:number% to match this
>>>> pattern
>>>>
>>>> , being able to define
>>>>
>>>> custom=info:%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%
>>>>
>>>> and then use "%src:info% to %dst:info% instead of that full pattern and
>>>> have the resulting json be
>>>> { src : { iface : inside, ip : 1.2.3.4, port : 56 }, { dst...
>>>>
>>>>
>>>>
>>> Field type 'descent' does this, but not exactly in the same way.
>>>
>>
>> does it? I understood it to just be calling another ruleset on the whole
>> line (doc problem again)
>>
>> David Lang
>>
>>
>>
>>>
>>>> 5. Going back to the 'or' question. It would be even better to be able to
>>>> define this custom type as a set of patterns.
>>>>
>>>> while inside:1.2.3.4/56 is a common endpoint definition there are also
>>>> 1.2.3.4/56 inside:1.2.3.4/56(string) inside/1.2.3.4 and 1.2.3.4
>>>>
>>>> if you could define the custom type to be a list of patterns this would
>>>> let you take advantage of the two-dimensional nature of JSON and simplify
>>>> the ruleset considerably.
>>>>
>>>> It would also give you a good way to handle the 'or' for Apache logs for
>>>> example defining one of the options as a constant '-'
>>>>
>>>> defining an 'or' instead each pattern is a horrible mess to try and
>>>> understand, but if it's done by implementing a new type, I don't have a
>>>> problem with it.
>>>>
>>>> David Lang
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>> DON'T LIKE THAT.
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
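David Lang's points 3 to 5 in the quoted thread (negative numbers, a config-defined custom type that produces nested JSON, and that type being a list of alternative patterns) are easier to reason about with a toy matcher in hand. The code below is an added illustration, not liblognorm's or rsyslog's code; its %name:type% syntax is a simplified imitation with only ipv4, number and char-to:X built in, and the 'info' type and sample lines are constructed for the example.

```python
import re
# Added toy matcher for the custom-type / 'or'-list proposal in the thread.
# It is NOT liblognorm code; %name:type% here is a simplified imitation with
# only ipv4, number and char-to:X built in. Rules are constructed samples.
FIELD = re.compile(r"%(\w+):([^%]+)%")

def unescape(rule):  # decode \x3a-style escapes used in the rules
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), rule)

def builtin(tspec):  # regex for a built-in field type
    if tspec == "ipv4":
        return r"(?:\d{1,3}\.){3}\d{1,3}"
    if tspec == "number":             # point 3: negative numbers allowed
        return r"-?\d+"
    if tspec.startswith("char-to:"):  # run of chars up to the stop char
        return r"[^" + re.escape(tspec[len("char-to:"):]) + r"]+"
    raise ValueError("unknown type: " + tspec)

def matches(pattern, text, pos, custom):
    """Yield (fields, end) for each way `pattern` matches text[pos:].
    Custom types try their alternatives with backtracking, so a greedy
    char-to in an early alternative cannot derail the whole parse."""
    if not pattern:
        yield {}, pos
        return
    m = FIELD.match(pattern)
    if m:
        name, tspec, rest = m.group(1), m.group(2), pattern[m.end():]
        if tspec in custom:           # points 4/5: nested, multi-pattern type
            cands = (c for alt in custom[tspec] for c in matches(alt, text, pos, custom))
        else:
            rx = re.match(builtin(tspec), text[pos:])
            cands = [(rx.group(0), pos + rx.end())] if rx else []
        for value, end in cands:
            for more, end2 in matches(rest, text, end, custom):
                yield {name: value, **more}, end2
    elif text.startswith(pattern[0], pos):  # literal character
        yield from matches(pattern[1:], text, pos + 1, custom)

def parse(rule, text, custom):
    """Nested dict for the first match covering all of `text`, else None."""
    types = {k: [unescape(a) for a in alts] for k, alts in custom.items()}
    return next((f for f, end in matches(unescape(rule), text, 0, types)
                 if end == len(text)), None)
# Constructed 'info' endpoint type (point 5): specific shapes before bare IP.
INFO = {"info": [r"%iface:char-to:\x3a%\x3a%ip:ipv4%/%port:number%",
                 r"%ip:ipv4%/%port:number%",
                 r"%iface:char-to:/%/%ip:ipv4%",
                 r"%ip:ipv4%"]}
RULE = "%src:info% to %dst:info%"
```

Because char-to is greedy, the order of alternatives and the ability to back out of a failed one decide whether "1.2.3.4/56 to outside:5.6.7.8/80" parses correctly; with a first-match-wins strategy the first alternative would swallow the whole line up to the colon.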