I would start off by running it through a pre-processor that would combine these into one line.
Have a process that looks for lines starting with whitespace and appends them to the prior line (with some sort of separator record between them).

David Lang

On Tue, 25 Jan 2011, Tim Peiffer wrote:

> Date: Tue, 25 Jan 2011 19:55:51 -0600
> From: Tim Peiffer <[email protected]>
> To: [email protected]
> Subject: [Simple-evcorr-users] SEC input is Radius Detail
>
> I am interested in following Radius Detail records as a log input
> source. They are vertically aligned with attributes as 'tag = value'
> pairs. Are there any best practices for parsing such types of input
> with SEC? I tried using RegexpN, but found a number of the records were
> variable - some had other attributes that were being tracked, causing
> the number of lines to be somewhat inconsistent. In short, the parsing
> looked pretty gross. What words of wisdom can anyone impart for this
> kind of 'log' data?
>
> Please advise,
> Tim Peiffer
>
> Mon Jan 24 23:33:38 2011
> 	User-Name = "JoeUser"
> 	NAS-Port = 70496256
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	Framed-IP-Address = 10.10.3.125
> 	Called-Station-Id = "10.21.217.82"
> 	Calling-Station-Id = "172.16.29.46"
> 	Acct-Status-Type = Start
> 	Acct-Delay-Time = 2
> 	Acct-Session-Id = "B1A039A3"
> 	Acct-Authentic = RADIUS
> 	NAS-Port-Type = Virtual
> 	Tunnel-Client-Endpoint = 172.16.29.46
> 	NAS-IP-Address = 192.168.249.28
> 	Timestamp = 1295933616
>
> Tue Jan 25 01:15:57 2011
> 	User-Name = "JoeUser"
> 	NAS-Port = 70496256
> 	Service-Type = Framed-User
> 	Framed-Protocol = PPP
> 	Framed-IP-Address = 10.10.3.125
> 	Called-Station-Id = "10.21.217.82"
> 	Calling-Station-Id = "172.16.29.46"
> 	Acct-Status-Type = Stop
> 	Acct-Delay-Time = 2
> 	Acct-Input-Octets = 13855207
> 	Acct-Output-Octets = 56621822
> 	Acct-Session-Id = "B1A039A3"
> 	Acct-Authentic = RADIUS
> 	Acct-Session-Time = 6139
> 	Acct-Input-Packets = 66890
> 	Acct-Output-Packets = 84696
> 	Acct-Terminate-Cause = User-Request
> 	NAS-Port-Type = Virtual
> 	Tunnel-Client-Endpoint = 172.16.29.46
> 	NAS-IP-Address = 192.168.249.28
> 	Timestamp = 1295939755
>
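The pre-processor David describes, written out as an added example (it is not code from the thread, from SEC, or from FreeRADIUS). It reads detail-format text, treats every line with leading whitespace as a continuation of the record above it, and emits one flattened line per record using " | " as the separator (an assumption; pick any string that cannot occur in an attribute value). Because the number of attributes per record varies, the flattened line, not a fixed count of lines, is what a single SEC rule then matches. The sample records are constructed from the ones quoted in the post, with the tab indentation of the detail format restored; the session grouping at the end goes a step beyond the post to show that once records are one line each, correlating a Stop with its Start by Acct-Session-Id is a dictionary lookup.

```python
import sys
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample in FreeRADIUS "detail" layout, based on the records in the
# post: a timestamp header line, attribute lines indented with a tab, and a
# blank line closing each record.
SAMPLE_DETAIL = (
    "Mon Jan 24 23:33:38 2011\n"
    "\tUser-Name = \"JoeUser\"\n"
    "\tNAS-Port = 70496256\n"
    "\tFramed-IP-Address = 10.10.3.125\n"
    "\tAcct-Status-Type = Start\n"
    "\tAcct-Session-Id = \"B1A039A3\"\n"
    "\tNAS-IP-Address = 192.168.249.28\n"
    "\tTimestamp = 1295933616\n"
    "\n"
    "Tue Jan 25 01:15:57 2011\n"
    "\tUser-Name = \"JoeUser\"\n"
    "\tNAS-Port = 70496256\n"
    "\tFramed-IP-Address = 10.10.3.125\n"
    "\tAcct-Status-Type = Stop\n"
    "\tAcct-Input-Octets = 13855207\n"
    "\tAcct-Output-Octets = 56621822\n"
    "\tAcct-Session-Id = \"B1A039A3\"\n"
    "\tAcct-Session-Time = 6139\n"
    "\tAcct-Terminate-Cause = User-Request\n"
    "\tNAS-IP-Address = 192.168.249.28\n"
    "\tTimestamp = 1295939755\n"
    "\n"
)

SEP = " | "  # separator between joined lines (assumption: never appears in a value)


def join_records(lines: Iterable[str]) -> Iterator[str]:
    """Yield one flattened line per detail record.

    A line with no leading whitespace starts a new record; each following line
    that starts with whitespace is appended to it with SEP. A blank line or end
    of input closes the record.
    """
    current: Optional[List[str]] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            if current:
                yield SEP.join(current)
                current = None
            continue
        if line[0] in " \t":
            if current is None:
                current = []  # continuation with no header: keep it rather than drop it
            current.append(line.strip())
        else:
            if current:
                yield SEP.join(current)
            current = [line.strip()]
    if current:
        yield SEP.join(current)


def parse_record(flat: str) -> Dict[str, str]:
    """Split a flattened record into a dict; the header line is kept under '_header'."""
    fields = flat.split(SEP)
    rec = {"_header": fields[0]}
    for field in fields[1:]:
        tag, sep, value = field.partition(" = ")
        if not sep:
            continue  # not a tag = value line; ignore it
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip the quotes the detail format puts around strings
        rec[tag] = value
    return rec


def session_pairs(lines: Iterable[str]) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group parsed records by Acct-Session-Id, keyed by Acct-Status-Type (Start/Stop)."""
    sessions: Dict[str, Dict[str, Dict[str, str]]] = {}
    for flat in join_records(lines):
        rec = parse_record(flat)
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if sid and status:
            sessions.setdefault(sid, {})[status] = rec
    return sessions


if __name__ == "__main__":
    # Read a detail file on stdin (or the sample when none is given) and emit one line per record.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_DETAIL.splitlines(keepends=True)
    for flat_line in join_records(source):
        print(flat_line)
```

Feed SEC the flattened output (for example by writing it to a file SEC tails), and a single-line rule can then match both the status and the session id of one record, such as `Acct-Status-Type = Stop` together with `Acct-Session-Id = "(\S+)"`, regardless of how many optional attributes the record carried.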
