In message <[email protected]>,
Don Faulkner writes:
>I asked this another way the other day, but maybe this puts it a
>better way.
>
>Is there a way to extract data from a context as part of an action?
>
>I have rules that parse a syslog-incapable LDAP log that consists of
>multi-line records. I'm trying to write a syslog event for successful
>and failed logins.
>
>The record is identified by a conn=####### in each line (matching #'s
>are the same connection and thus the same record). I need to extract
>IP address, user id, and success/failure result, each of which is on a
>separate line.
So you have to parse three lines (at least) of data to get the info
you need?
>I started off by creating a context called LDAP_CONN_##### (with ####
>taken from the conn=##### information), so one context per active
>connection.
>Next, as IP and UID are detected, I add those to the context like this:
> action=add LDAP_CONN_$1 IP=$2
>...
> action=add LDAP_CONN_$2 UID=$2
Yup that is the way I would do it.
>When I detect the result, I note it as success or failure and I can
>log that:
> action=logonly
>but it just logs "LDAP success (conn=####)" without any info from the
>context.
>
>My question is, how can I pull the data out of the context and
>construct a line with all of it? In other words, I'd like to write
>something like:
> action=logonly "authentication failed for LDAP_CONN_$1['UID'] from
>LDAP_CONN_$1['IP'] (conn=$1)"
Contexts are just text blobs without structure. However, you could
load the LDAP_CONN_$1 context with contents like:
(
'UID' => "uid",
'IP' => "127.0.0.1",
);
(i.e. a perl aggregate definition) and then in the action
assign the context to a variable and eval that variable into a perl
expression. Then you could address the values as an associative array
within the perl miniprogram.
This doesn't handle the issue that logonly doesn't accept arguments,
but you could call the main'log_msg function within the perl
miniprogram. This isn't exactly clean since log_msg isn't a defined
interface but...
>or, alternatively, put that in the desc= line, and use a simple
>action=logonly
I don't think desc can be changed except by substitution of special
variables. Because you have three lines you need to parse you can't
use a pair rule and have a description:
type=pair
pattern=extract connection to $1 and uid to $2
desc2 = authentication failed for %2 from $1 (conn=%1)
pattern2 = extract ip address
where %2 would be the value of $2 from the first of the two pair rules
and similarly for %1.
>Am I even going about this the right way?
I am not sure there is a "right way" yet, just TIMTOWTDI. AKA you are
in a maze of twisty little passages, all alike.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
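As an added illustration (not part of the thread, and not an SEC rule file), the correlation the thread describes, written in Python: each conn=N gets a context whose store is a list of KEY=value lines, and the RESULT line pulls UID and IP back out of that blob before the event is logged and the context dropped. The log lines are constructed in an OpenLDAP-like format; the regexes and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: two connections, lines interleaved as in a real file.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234
conn=1002 fd=13 ACCEPT from IP=198.51.100.7:40022
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 BIND dn="uid=mallory,ou=people,dc=example,dc=com" method=128
conn=1002 op=0 RESULT tag=97 err=49 text=
conn=1001 op=0 RESULT tag=97 err=0 text=
"""

CONN_RE = re.compile(r"conn=(\d+)")
IP_RE = re.compile(r"ACCEPT from IP=([\d.]+):\d+")
UID_RE = re.compile(r'BIND dn="uid=([^,"]+)')
RESULT_RE = re.compile(r"RESULT tag=97 err=(\d+)")   # err=0 is a successful bind


def context_to_dict(store):
    """Parse a context's text blob (one KEY=value line per 'add') into a dict."""
    return dict(line.split("=", 1) for line in store if "=" in line)


def correlate(log_text):
    """Return one synthesized syslog-style event per completed bind."""
    contexts = defaultdict(list)   # LDAP_CONN_<n> -> list of lines (the context's store)
    events = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        ctx = "LDAP_CONN_" + m.group(1)
        if (ip := IP_RE.search(line)):
            contexts[ctx].append("IP=" + ip.group(1))      # like: action=add LDAP_CONN_$1 IP=$2
        elif (uid := UID_RE.search(line)):
            contexts[ctx].append("UID=" + uid.group(1))    # like: action=add LDAP_CONN_$1 UID=$2
        elif (res := RESULT_RE.search(line)):
            fields = context_to_dict(contexts.pop(ctx, []))   # extract, then delete the context
            outcome = "succeeded" if res.group(1) == "0" else "failed"
            events.append("LDAP authentication %s for %s from %s (conn=%s)" % (
                outcome, fields.get("UID", "?"), fields.get("IP", "?"), m.group(1)))
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG):
        print(event)
```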