[syslog-ng] logic and duplicate suppression
John Kristoff
jtk at cymru.com
Thu Aug 5 23:44:47 CEST 2010
On Mon, 02 Aug 2010 16:29:39 +0200
Balazs Scheidler <bazsi at balabit.hu> wrote:
> can you describe what 'generic' application level events these do
> describe? For example, user login/logout are described using the
> "usracct" schema, which defines which name-value pairs need to be
> marked in the incoming log message. Does this idea apply to here as
> well?
Without knowing what the choices are and what the goals are, maybe they
are both under a DNS or more generic netinfo schema? The drg.lamer
pattern identifies a lame delegation. They are both informational as
the prefix tags suggest. In the generic sense, maybe renaming the
LAMER part of the name to a generic DNS tag would be appropriate?
> > In the case of the query pattern, being able to set a MACRO based on
> > the presence of a flag (e.g. if FLAGS =~ /\+/ then RD=1 else RD=0).
>
> I don't understand this, can you elaborate please?
An ISC BIND query log message may contain the following flags appended
onto the log message:
flag | description
--------------------------
+ | recursion desired
- | recursion not requested
S | signed query
E | EDNS options in use
T | TCP in use
D | DNSSEC OK set
C | checking disabled
I was thinking of a way to set a macro based on the presence of a
particular flag. For instance, if the following logs appear:
client 127.0.0.1#49152: query: www.example.org IN A +
client 192.0.2.1#49152: query: www.example.org IN A +E
client 2001:DB8::1#49152: query: www.example.org IN A +SE
In any case, I was thinking if I could set ${DNS.RECURSION} = 1 that
would be nice unless there is a better, more efficient way within the
existing capabilities.
John
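As an added illustration (not code from the message or from syslog-ng), the following Python parser shows the flag-to-value logic described above: it splits a BIND query log line into name-value pairs and derives a recursion value from the "+"/"-" flag plus one boolean per remaining flag letter from the table. The value names (dns.recursion, dns.edns, client.ip, ...) are assumed and chosen to mirror the ${DNS.RECURSION} idea; the sample lines are constructed from the ones quoted above.

```python
import re

# Constructed sample lines, modelled on the BIND query log lines quoted
# in the message (documentation addresses and example.org only).
SAMPLE_LOGS = [
    "client 127.0.0.1#49152: query: www.example.org IN A +",
    "client 192.0.2.1#49152: query: www.example.org IN A +E",
    "client 2001:DB8::1#49152: query: www.example.org IN A +SE",
]

# Flag letters from the table in the message, mapped to assumed value
# names. "+" and "-" are mutually exclusive and only describe the RD
# bit; the letters below are independent booleans.
FLAG_NAMES = {
    "S": "dns.signed",
    "E": "dns.edns",
    "T": "dns.tcp",
    "D": "dns.dnssec_ok",
    "C": "dns.checking_disabled",
}

# "client <addr>#<port>: query: <qname> <class> <type> [<flags>]"
# The address is taken as one token and split on its LAST '#', so an
# IPv6 literal (which itself contains ':') parses like an IPv4 one.
QUERY_RE = re.compile(
    r"^client (?P<client>[^ ]+): query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+)(?: (?P<flags>\S+))?$"
)


def parse_query_log(line):
    """Return a dict of name-value pairs for one BIND query log line,
    or None if the line is not a query log entry."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    addr, _, port = m.group("client").rpartition("#")
    flags = m.group("flags") or ""
    nv = {
        "client.ip": addr,
        "client.port": port,
        "dns.qname": m.group("qname"),
        "dns.qclass": m.group("qclass"),
        "dns.qtype": m.group("qtype"),
        # the ${DNS.RECURSION} value asked for in the message
        "dns.recursion": "1" if "+" in flags else "0",
    }
    for letter, name in FLAG_NAMES.items():
        nv[name] = "1" if letter in flags else "0"
    return nv


def parse_all(lines):
    """Parse every line, skipping those that are not query log entries."""
    return [r for r in (parse_query_log(ln) for ln in lines) if r]
```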