Hello,

On 09/24/2010 03:34 PM, Martin Holste wrote:
> My votes:
>
>> - many times there is just a question mark instead of the username. Should it still be stored in a variable (useracct.username) or only for the Logout lines, where it actually might get a useful value?
>
> I would vote not to store the question mark since I think the ? is equivalent to NULL, which is what would get logically stored anyway.
>
>> - the "New connection" line has the same info (the IP address) twice. How should it be handled?
>
> I'm not seeing the IP twice in the examples you provided.

It was broken into two lines due to automatic line breaks, but the next is a single log line, where the remote IP address (192.168.2.142) appears twice:

Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142

> If it is indeed there twice, I guess the question is what the tag name is for both. If you weren't planning on having a tag for one of the two occurrences, then I would say skip that one since it wouldn't make sense without a tag name.
As the address/fqdn is always the same here, it belongs to the same variable, useracct.device, so storing it once is enough. Then the first appearance could be discarded with an @QSTRING::@@)@ and the second one stored with an @ANYSTRING:useracct.device@
>> - how should Anonymous login be handled? @QSTRING:useracct.username: @ vs. <value name="usracct.username">Anonymous</value>
>
> I think "Anonymous" should definitely get logged the same as any other user name, since you would want to see that on reports.
It would be stored both ways; I just would like to know which is more elegant, less resource hungry, etc.
> Another thought would be to maybe switch it to the IP address, but I don't see how you would do that across log lines.

Well, that would require some session tracking, but even then we are out of luck, as session information is missing from the logs.

Bye,
-- 
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
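The two choices discussed in this thread, written out as a patterndb ruleset (an added example, not something posted in the thread or shipped with syslog-ng): the "New connection" rule drops the first copy of the address with an unnamed @QSTRING::@@)@ and keeps the second as usracct.device, and the Anonymous rule uses a static <value> instead of a parser. The ruleset and rule ids are placeholders (real ones are UUIDs), the "Anonymous user logged in" message is a constructed sample line, and the name prefix follows the usracct.* spelling from the <value> snippet above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<patterndb version="4" pub_date="2010-09-24">
  <!-- id attributes are placeholders; generate UUIDs for a real ruleset -->
  <ruleset name="pure-ftpd" id="PLACEHOLDER-RULESET-ID">
    <!-- matched against the PROGRAM field of the syslog message -->
    <pattern>pure-ftpd</pattern>
    <rules>
      <rule provider="example" id="PLACEHOLDER-RULE-NEWCONN" class="system">
        <patterns>
          <!-- "(?" is literal, so the "?" placeholder username is never stored.
               The unnamed QSTRING (quote chars: a literal "@", escaped as "@@",
               and ")") swallows "@192.168.2.142)"; only the second occurrence
               of the address is captured, as usracct.device. -->
          <pattern>(?@QSTRING::@@)@ [INFO] New connection from @ANYSTRING:usracct.device@</pattern>
        </patterns>
        <examples>
          <example>
            <!-- the MESSAGE part of the log line quoted in the thread -->
            <test_message program="pure-ftpd">(?@192.168.2.142) [INFO] New connection from 192.168.2.142</test_message>
            <test_values>
              <test_value name="usracct.device">192.168.2.142</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
      <rule provider="example" id="PLACEHOLDER-RULE-ANON" class="system">
        <patterns>
          <!-- no username in the message, so it is set as a constant value -->
          <pattern>(?@QSTRING::@@)@ [INFO] Anonymous user logged in</pattern>
        </patterns>
        <values>
          <value name="usracct.username">Anonymous</value>
        </values>
        <examples>
          <example>
            <!-- constructed sample line, not taken from the thread -->
            <test_message program="pure-ftpd">(?@192.168.2.142) [INFO] Anonymous user logged in</test_message>
            <test_values>
              <test_value name="usracct.username">Anonymous</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

`pdbtool test pure-ftpd.xml` runs the embedded examples and reports any test_value that the pattern does not produce, which is the quickest way to confirm the discarded first address really is dropped.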