On Mon, 02 Aug 2010 16:29:39 +0200 Balazs Scheidler <bazsi@balabit.hu> wrote:
can you describe what 'generic' application level events these do describe? For example, user login/logout are described using the "usracct" schema, which defines which name-value pairs need to be marked in the incoming log message. Does this idea apply here as well?
Without knowing what the choices are and what the goals are, maybe they are both under a DNS or more generic netinfo schema? The drg.lamer pattern identifies a lame delegation. They are both informational as the prefix tags suggest. In the generic sense, maybe renaming the LAMER part of the name to a generic DNS tag would be appropriate?
In the case of the query pattern, being able to set a MACRO based on the presence of a flag (e.g. if FLAGS =~ /\+/ then RD=1 else RD=0).
I don't understand this, can you elaborate please?
An ISC BIND query log message may contain the following flags appended onto the log message:

    flag | description
    --------------------------
    +    | recursion desired
    -    | recursion not requested
    S    | signed query
    E    | EDNS options in use
    T    | TCP in use
    D    | DNSSEC OK set
    C    | checking disabled

I was thinking of a way to set a macro based on the presence of a particular flag. For instance, if the following logs appear:

    client 127.0.0.1#49152: query: www.example.org IN A +
    client 192.0.2.1#49152: query: www.example.org IN A +E
    client 2001:DB8::1#49152: query: www.example.org IN A +SE

In any case, I was thinking if I could set ${DNS.RECURSION} = 1 that would be nice unless there is a better, more efficient way within the existing capabilities.

John
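The flag-to-macro mapping John describes, worked through as a stand-alone parser. This is an added example and not code from the thread or from syslog-ng: it is plain Python rather than a patterndb rule, the value names (DNS.CLIENT, DNS.RECURSION, DNS.EDNS and so on) are assumed names chosen here rather than an existing schema, the sample log lines are constructed from the ones quoted above, and tolerating the optional "(qname)" after the client port and the optional "(server address)" at the end of the line is an assumption about newer BIND query-log formats rather than something this thread states.

```python
import re
from typing import Dict, Iterable, List, Optional

# One entry per flag letter listed in the message above.  The value names on
# the right are assumed for this example (not an existing syslog-ng schema).
FLAG_FIELDS = {
    "+": ("DNS.RECURSION", "1"),          # recursion desired
    "-": ("DNS.RECURSION", "0"),          # recursion not requested
    "S": ("DNS.SIGNED", "1"),             # signed query
    "E": ("DNS.EDNS", "1"),               # EDNS options in use
    "T": ("DNS.TCP", "1"),                # TCP in use
    "D": ("DNS.DNSSEC_OK", "1"),          # DNSSEC OK set
    "C": ("DNS.CHECKING_DISABLED", "1"),  # checking disabled
}

# Boolean fields start at "0" so a consumer always sees a value, whether or
# not the corresponding flag letter was present on the line.
BOOLEAN_DEFAULTS = {
    "DNS.RECURSION": "0",
    "DNS.SIGNED": "0",
    "DNS.EDNS": "0",
    "DNS.TCP": "0",
    "DNS.DNSSEC_OK": "0",
    "DNS.CHECKING_DISABLED": "0",
}

# "client <addr>#<port>: query: <qname> <class> <type> <flags>"
# The "(qname)" after the port and the "(server)" at the end are optional
# extras assumed to appear in newer BIND formats; the flag set is restricted
# to the seven letters documented above, so an unknown flag fails the match.
QUERY_RE = re.compile(
    r"^client (?P<client>\S+)#(?P<port>\d+)(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
    r"(?: (?P<flags>[+\-SETDC]*))?"
    r"(?: \((?P<server>[^)]+)\))?$"
)


def parse_query(line: str) -> Optional[Dict[str, str]]:
    """Return name-value pairs for one BIND query log line, or None if the
    line is not a query record (or carries an undocumented flag)."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    values: Dict[str, str] = {
        "DNS.CLIENT": m["client"],
        "DNS.PORT": m["port"],
        "DNS.QNAME": m["qname"],
        "DNS.CLASS": m["qclass"],
        "DNS.TYPE": m["qtype"],
        "DNS.FLAGS": m["flags"] or "",
    }
    values.update(BOOLEAN_DEFAULTS)
    # Each flag letter present on the line sets its macro; "+" and "-" are
    # mutually exclusive in practice, and the later one wins if both appear.
    for letter in values["DNS.FLAGS"]:
        name, value = FLAG_FIELDS[letter]
        values[name] = value
    return values


def parse_lines(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse many lines, silently skipping those that are not query records."""
    parsed = [parse_query(line) for line in lines]
    return [p for p in parsed if p is not None]


# Constructed sample input, modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "client 127.0.0.1#49152: query: www.example.org IN A +",
    "client 192.0.2.1#49152: query: www.example.org IN A +E",
    "client 2001:DB8::1#49152: query: www.example.org IN A +SE",
    "client 198.51.100.7#53000: query: www.example.org IN AAAA -T",
    "client 198.51.100.8#53001 (www.example.org): query: www.example.org IN A +ED (192.0.2.53)",
    "zone example.org/IN: loaded serial 2010080201",  # not a query line
]

if __name__ == "__main__":
    for record in parse_lines(SAMPLE_LOG):
        print(record["DNS.CLIENT"], record["DNS.QNAME"], record["DNS.TYPE"],
              "RD=" + record["DNS.RECURSION"], "EDNS=" + record["DNS.EDNS"],
              "TCP=" + record["DNS.TCP"])
```

The regex anchors on the full line, so a record carrying a flag letter outside the documented set is rejected rather than half-parsed; if a deployment turns up such lines, add the letter to FLAG_FIELDS and the character class together.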