[syslog-ng] syslog-ng anon patch
Valdis.Kletnieks at vt.edu
Thu Jun 2 11:21:26 CEST 2005
On Tue, 31 May 2005 11:28:29 PDT, Elijah said:
> Valdis.Kletnieks at vt.edu said:
> > Interesting. Does it apply the regexp to *the entire message* (a quick
> > read of the code indicates so)?
> yes. perhaps it should not?
That's fine, as long as that's the documented and understood behavior.
It occurred to me that probably some explicit decision should be
made and documented regarding $HOST/$MACHINE - it's reasonable to *not*
filter those, because if you're running a central syslog server, you probably
want to *keep* the information that the message came from your NNTP server,
but *redact* the end user's IP address in the NNTP server's logs. However,
this may come as a surprise if a site has end-user IP addresses syslog()ing
to the central server (no, I don't know why you'd do that, but it could happen ;)
> > Also, I see in make_filter_replace:
> >
> > if (strcasecmp(re,"ips") == 0) {
> > re = "...([\\.\\-](25
> >
> > Was the \\- intended?
>
> Many ISPs set the reverse dns to include the ip address in the form
> 69-90-134-155-myisp.com, so I thought it would be useful to remove those
> as well.
OK.. I can see why you'd want to do that. However, I'm not convinced that it's
a good idea to try to clean up the text strings of PTR entries, as that's just
providing a false sense of security. Consider these hosts:
% host 195.197.6.1
% host 195.197.6.73
% host 195.197.6.74
You'll almost certainly end up with this in the logs. ;)
> > Any plans to expand that RE to cover IPv6 addresses? ;)
>
> Yes. Alas, IPv6 is complicated. I had a pcre which worked, but had some
> difficulty converting it to regexp. Eventually, I plan to do so. Any
> suggestions for what the regexp should be?
No.. not at this time of the morning, sorry.. ;)
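
The behaviour discussed in this thread, shown as an added example that is not part of the original message or of the patch: a POSIX ERE that redacts dotted and dash-separated IPv4 addresses from the message text only, leaving the host field alone. The function name `redact_ipv4`, the expression, the replacement string and the sample hosts are all assumptions made for illustration; the patch's own expression is truncated in the quote above.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed ERE (an assumption, not the patch's expression):
 * four octets in 0-255 joined by '.' or '-'. */
#define OCTET "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
#define IPV4_ERE OCTET "([.-]" OCTET "){3}"

/* Copy msg into out, replacing every match with repl.
 * Returns the number of replacements, or -1 on regex error or overflow. */
int redact_ipv4(const char *msg, const char *repl, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m;
    size_t used = 0, rl = strlen(repl);
    int count = 0;
    if (outsz == 0 || regcomp(&re, IPV4_ERE, REG_EXTENDED) != 0)
        return -1;
    while (regexec(&re, msg, 1, &m, 0) == 0) {
        size_t pre = (size_t)m.rm_so;          /* text before the match */
        if (used + pre + rl >= outsz) { regfree(&re); return -1; }
        memcpy(out + used, msg, pre);
        memcpy(out + used + pre, repl, rl);
        used += pre + rl;
        msg += m.rm_eo;                        /* continue after the match */
        count++;
    }
    size_t tail = strlen(msg);
    if (used + tail >= outsz) { regfree(&re); return -1; }
    memcpy(out + used, msg, tail + 1);         /* copy remainder and NUL */
    regfree(&re);
    return count;
}

int main(void)
{
    /* Constructed samples: the host field is kept, only the message is filtered. */
    const char *host = "nntp1";
    const char *msgs[] = {
        "connect from 192.0.2.55",
        "connect from 192-0-2-55-myisp.example",
        "connect from dsl-customer7.myisp.example", /* PTR without the IP */
    };
    char out[256];
    for (size_t i = 0; i < 3; i++)
        if (redact_ipv4(msgs[i], "0.0.0.0", out, sizeof out) >= 0)
            printf("%s %s\n", host, out);
    return 0;
}
```

The third sample passes through unchanged: a PTR name that identifies the user without embedding the address is outside what any address pattern can match.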