[syslog-ng] pure-ftpd

Balazs Scheidler bazsi at balabit.hu
Thu Sep 30 08:08:04 CEST 2010


On Wed, 2010-09-29 at 13:35 +0200, Peter Czanik wrote:
> Hello,
> 
> On 09/29/2010 01:26 PM, Balazs Scheidler wrote:
> >
> >> - how should Anonymous login be handled?
> >> @QSTRING:useracct.username: @
> >> vs.
> >> <value name="usracct.username">Anonymous</value>
> >>     
> > anonymous should be handled just like any other username, although it is
> > canonically written as "anonymous" e.g. lower case.
> >
> >   
> Anonymous is logged differently, so it can't be handled with the same rule:
> 
> "Anonymous user logged in" vs. "czanik is now logged in"
> 
> Considering that the lower case name is preferred, I'd say, that we
> should use the second way, but use a lowercase "anonymous":
> <value name="usracct.username">anonymous</value>
> Bye,
> 

it doesn't have to be the same rule. two rules can result in the same
tags/name-value pairs.

even more, it is better if they are different rules, they identify
different messages after all. multiple patterns should only be used if
the same log message has multiple variants.

-- 
Bazsi




More information about the syslog-ng mailing list