Hello All, I'm basically unwilling to believe that it is as complicated as I am seeing to simply deal with a standard syslog in name=value format. I have sphinx working and I can get the fields "host", "program", and "class" to be picked up but everything gets ignored. Do I really need to build a static pattern for the patterndb.xml which covers the line below? This seems archaic, and as we develop the product we are going to continually add more fields to our syslog.
Please tell me there's a better way! Example line of syslog, I would like to be able to search on any field (e.g. dzone, x-dip, etc...):

[Chassis(vArmour):Device(1):VA_APP_RTLOG] start=14:04:21:19:38:42 end=14:04:21:19:38:46 epid=vArmour:1 vsysid=1 szone=lab sintf=ge-1/0/9.0 sip=10.150.131.28 sport=39035 x-sip=50.0.126.162 x-sport=17327 dzone=internet dintf=ge-1/0/1.0 dip=8.8.8.8 dport=53 x-dip=8.8.8.8 x-dport=53 proto=17 policy=lab-internet(6) c2s-pkts=1 s2c-pkts=1 sess-close-reason=dns_replay app=dns method=- host=- url=- cookie=- status=- service=Any address=- appctl=-
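As an added example (not code from the poster, nor from the syslog-ng or Sphinx projects), the parser below extracts every name=value field from a line in the format quoted above without a per-field static pattern, so fields added to the product later are picked up automatically. It assumes the fields are whitespace-delimited, that the bracketed "[Chassis(..):Device(..):TYPE]" header is fixed, and that "-" is the product's placeholder for an unset value.

```python
import re
from typing import Dict

# Constructed sample line, modelled on the one quoted in the post (not a live capture).
SAMPLE = (
    "[Chassis(vArmour):Device(1):VA_APP_RTLOG] start=14:04:21:19:38:42 "
    "end=14:04:21:19:38:46 epid=vArmour:1 vsysid=1 szone=lab sintf=ge-1/0/9.0 "
    "sip=10.150.131.28 sport=39035 x-sip=50.0.126.162 x-sport=17327 dzone=internet "
    "dintf=ge-1/0/1.0 dip=8.8.8.8 dport=53 x-dip=8.8.8.8 x-dport=53 proto=17 "
    "policy=lab-internet(6) c2s-pkts=1 s2c-pkts=1 sess-close-reason=dns_replay "
    "app=dns method=- host=- url=- cookie=- status=- service=Any address=- appctl=-"
)

# Assumed header layout: the bracketed prefix carries three fields of its own.
HEADER_RE = re.compile(r"^\[Chassis\(([^)]*)\):Device\(([^)]*)\):([^\]]+)\]\s*(.*)$")

UNSET = "-"  # assumed placeholder meaning "not applicable" for this field


def parse_kv_syslog(line: str) -> Dict[str, str]:
    """Return every field in the line as a dict; unknown field names need no pattern."""
    fields: Dict[str, str] = {}
    m = HEADER_RE.match(line)
    if m:
        fields["chassis"], fields["device"], fields["log_type"], rest = m.groups()
    else:
        rest = line  # no recognised header: treat the whole line as the field list
    for token in rest.split():
        # Split on the FIRST '=' only, so a value that itself contains '='
        # (e.g. url=http://h/?a=b) is kept intact instead of being truncated.
        key, sep, value = token.partition("=")
        if not sep or not key:
            continue  # bare word or malformed token: skip it, do not drop the whole line
        fields[key] = value
    return fields


def set_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Drop placeholder values so searches only match fields that were actually set."""
    return {k: v for k, v in fields.items() if v != UNSET}


if __name__ == "__main__":
    parsed = parse_kv_syslog(SAMPLE)
    for name, value in sorted(set_fields(parsed).items()):
        print(f"{name}={value}")
```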
