On 6/9/2010 9:35 AM, Lyle Giese wrote:
>> On 2.0 the pf logs are split into two lines. You need the line after
>> this to see the remainder of the log info.
>>
> That bytes! How does a simple syslog parser handle that to match the
> two lines together? How can you guarantee that the next line is the
> matching line and not from some other process sending stuff to syslog?
I don't like it either, but it's due to the way tcpdump parses things now
when printing verbose information. I had to change the parser a lot to
handle these lines locally. Remotely would be worse, but you could match on
"<host> pf:". It's even trickier because not every line is split in two.
You can look at the log parsing code in 2.0 for some insight into what was
needed to overcome this.

Jim

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
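The stitching Jim describes, as an added example that is not code from this thread or from pfSense: a small Python parser for a remote syslog feed that only pairs lines tagged "<host> pf:", so an interleaved message from another daemon (or another host) can never be mistaken for the second half of a split entry, and that copes with entries that are not split at all. The host name "fw1", the sample log lines, and the field layout of the entries (modelled on tcpdump verbose output, with the continuation line indented after the "pf:" tag) are all constructed assumptions for the example, not the exact 2.0 format.

```python
import re
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample of a pfSense 2.0-style filter log as received by a remote
# syslog server (hypothetical host "fw1"). An sshd message is interleaved
# between the two halves of the first pf entry, the second pf entry is not
# split, and the third is split again.
# Assumption: the second half of a split entry is the tcpdump -v continuation,
# which starts with whitespace after the "pf:" tag.
SAMPLE_LOG = """\
Jun  9 09:35:01 fw1 pf: 00:00:00.442180 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 31337, offset 0, flags [DF], proto TCP (6), length 60)
Jun  9 09:35:01 fw1 sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
Jun  9 09:35:01 fw1 pf:     203.0.113.7.44512 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
Jun  9 09:35:02 fw1 pf: 00:00:00.000512 rule 2/0(match): pass in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 84) 192.168.1.20 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
Jun  9 09:35:03 fw1 pf: 00:00:00.001000 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 76)
Jun  9 09:35:03 fw1 pf:     203.0.113.9.53 > 198.51.100.10.5353: UDP, length 48
"""

# Classic BSD syslog line: "<Mon dd hh:mm:ss> <host> <program>: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+): ?(?P<msg>.*)$"
)

# Fields of a stitched pf entry (constructed layout, see lead-in).
ENTRY_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\w+): \(.*?proto (?P<proto>\w+) \(\d+\).*?\) "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def stitch_pf_entries(lines: Iterable[str], host: str) -> Iterator[str]:
    """Yield one complete pf message per firewall event.

    Only lines tagged "<host> pf:" take part in the pairing, so messages from
    other daemons or hosts that syslog interleaves are simply skipped and do
    not disturb a pending first half. A first half is held until the next pf
    line: a continuation completes it, any other pf line means the held entry
    was never split and is flushed on its own.
    """
    pending: Optional[str] = None  # first half waiting for its continuation
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m or m["host"] != host or m["prog"] != "pf":
            continue  # not ours; leave any pending half untouched
        msg = m["msg"]
        if msg[:1].isspace():  # indented tcpdump -v continuation line
            if pending is not None:
                yield pending + " " + msg.strip()
                pending = None
            else:
                # continuation with no first half (e.g. lost over UDP syslog)
                yield "ORPHAN " + msg.strip()
            continue
        if pending is not None:  # previous entry was never split; flush it alone
            yield pending
        pending = msg
    if pending is not None:
        yield pending


def parse_entry(entry: str) -> Optional[Dict[str, str]]:
    """Extract rule, action, direction, interface, protocol and endpoints."""
    m = ENTRY_RE.search(entry)
    return m.groupdict() if m else None


def parse_log(text: str, host: str) -> List[Dict[str, str]]:
    """Stitch and parse a whole log; entries that do not parse are dropped."""
    events = []
    for entry in stitch_pf_entries(text.splitlines(), host):
        fields = parse_entry(entry)
        if fields:
            events.append(fields)
    return events


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG, "fw1"):
        print(f'{ev["action"]:5} {ev["dir"]:3} {ev["iface"]:4} {ev["proto"]:4} '
              f'{ev["src"]} -> {ev["dst"]} (rule {ev["rule"]})')
```

The one-entry delay is the price of not knowing, when a first half arrives, whether a continuation will follow; a streaming version would add a short timeout to flush a held first half. Matching on the host as well as on "pf:" also matters when several firewalls log to the same collector, since their halves can interleave just like those of unrelated daemons.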