[syslog-ng] Pattern extraction
Balazs Scheidler
bazsi at balabit.hu
Sun Aug 15 12:18:52 CEST 2010
Hi,
On Sat, 2010-08-14 at 10:02 -0500, Martin Holste wrote:
> If you're looking to do never-wrong, full normalization, then yes,
> you're looking at thousands of signatures. However, if you're looking
> to extract some common fields, it's actually not that much work to
> grab things like IP addresses using regexp. Since regexp is slow, I'm
> thinking about writing some generic patterns that would match on IP's
> using the fast pattern matcher. I don't know if it'll work, but it
> would look like "@ANYSTRING@@IPv4@@ANYSTRING@" and then maybe another
> one to grep out two IP's, then another for three, etc. I have no idea
> if that will work; we'll see how it goes.
No, this one will not work, patterndb doesn't have backtrack, so if you
want to look for IP addresses this way, you'd need to write a custom
parser plugin.
It'd be way faster than using regexps, although possibly slower than
patterndb, especially if you'd be looking for many different data types.
--
Bazsi
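To make the point about backtracking concrete, here is an added example that is not from this thread or from syslog-ng's own code: a toy Python model of a greedy, non-backtracking matcher over a small subset of patterndb's parser syntax (@ANYSTRING@, @IPv4:name@, @ESTRING:name:delim@). It shows why a pattern that opens with @ANYSTRING@ can never hand anything to the @IPv4@ that follows it, while a pattern anchored by literal context does extract the addresses. Next to it is a single-pass scanner modelling what a "custom parser plugin" would do: find every IPv4 address in a message with no regex and no backtracking. The matcher semantics (whole-message anchoring, ESTRING consuming its delimiter) are assumptions of the model, not a description of the real implementation, and the sample log lines are constructed.

```python
import re

# Toy model of a greedy, non-backtracking pattern matcher (an assumption for
# illustration, NOT syslog-ng's patterndb implementation). Supported syntax:
# literals, @ANYSTRING[:name]@, @IPv4:name@, @ESTRING:name:delim@.
TOKEN_RE = re.compile(r"@(ANYSTRING|IPv4|ESTRING)(?::([^:@]*)(?::([^@]*))?)?@")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(OCTET + r"(?:\." + OCTET + r"){3}")


def tokenize(pattern):
    """Split a pattern into ('lit', text) and ('parser', kind, name, arg) tokens."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(pattern):
        if m.start() > pos:
            tokens.append(("lit", pattern[pos:m.start()]))
        tokens.append(("parser", m.group(1), m.group(2), m.group(3)))
        pos = m.end()
    if pos < len(pattern):
        tokens.append(("lit", pattern[pos:]))
    return tokens


def match_no_backtrack(pattern, msg):
    """Match left to right, greedily, never revisiting an earlier decision.

    Returns a dict of captured values, or None when the pattern does not
    cover the whole message (the model anchors at both ends).
    """
    values, pos = {}, 0
    for tok in tokenize(pattern):
        if tok[0] == "lit":
            if not msg.startswith(tok[1], pos):
                return None
            pos += len(tok[1])
            continue
        _, kind, name, arg = tok
        consumed_delim = 0
        if kind == "ANYSTRING":
            end = len(msg)  # greedy: swallows the rest, nothing can follow it
        elif kind == "IPv4":
            m = IPV4_RE.match(msg, pos)  # must start exactly at pos
            if m is None:
                return None
            end = m.end()
        else:  # ESTRING: everything up to the delimiter, delimiter is consumed
            if not arg:
                end = len(msg)
            else:
                end = msg.find(arg, pos)
                if end < 0:
                    return None
                consumed_delim = len(arg)
        if name:
            values[name] = msg[pos:end]
        pos = end + consumed_delim
    return values if pos == len(msg) else None


def extract_ipv4(msg):
    """Model of the custom-parser approach: one left-to-right pass that
    collects every run of digits and dots and keeps the valid dotted quads."""
    found, i, n = [], 0, len(msg)
    while i < n:
        if not msg[i].isdigit():
            i += 1
            continue
        j = i
        while j < n and (msg[j].isdigit() or msg[j] == "."):
            j += 1
        run = msg[i:j].rstrip(".")  # "10.0.0.1." at a sentence end
        parts = run.split(".")
        if len(parts) == 4 and all(
            p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts
        ):
            found.append(run)
        i = j
    return found


# Constructed sample messages (documentation addresses, not real hosts).
MSG1 = "sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51514 ssh2"
MSG2 = "kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 LEN=60"

# The pattern from the thread: ANYSTRING eats the message, IPv4 gets nothing.
NAIVE_PATTERN = "@ANYSTRING@@IPv4:ip@@ANYSTRING@"
# Patterns anchored by literal context work without any backtracking.
SSHD_PATTERN = ("sshd[@ESTRING:pid:]@: Accepted publickey for @ESTRING:user: @"
                "from @IPv4:ip@ port @ESTRING:port: @ssh2")
NETFILTER_PATTERN = "kernel: IN=@ESTRING:in: @SRC=@IPv4:src@ DST=@IPv4:dst@ LEN=@ANYSTRING:len@"

if __name__ == "__main__":
    print(match_no_backtrack(NAIVE_PATTERN, MSG1))      # None
    print(match_no_backtrack(SSHD_PATTERN, MSG1))       # pid/user/ip/port
    print(match_no_backtrack(NETFILTER_PATTERN, MSG2))  # in/src/dst/len
    print(extract_ipv4(MSG2))                           # both addresses
```

The contrast is the whole lesson: the matcher succeeds only when literal text (or a delimiter) tells it where each field ends, so a "find an IP anywhere" pattern has to become either one pattern per message layout or a dedicated scanner like `extract_ipv4`, which is what a parser plugin amounts to.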