[syslog-ng] pure-ftpd
Balazs Scheidler
bazsi at balabit.hu
Thu Sep 30 08:08:04 CEST 2010
On Wed, 2010-09-29 at 13:35 +0200, Peter Czanik wrote:
> Hello,
>
> On 09/29/2010 01:26 PM, Balazs Scheidler wrote:
> >
> >> - how should Anonymous login be handled?
> >> @QSTRING:useracct.username: @
> >> vs.
> >> <value name="usracct.username">Anonymous</value>
> >>
> > anonymous should be handled just like any other username, although it is
> > canonically written as "anonymous" e.g. lower case.
> >
> >
> Anonymous is logged differently, so it can't be handled with the same rule:
>
> "Anonymous user logged in" vs. "czanik is now logged in"
>
> Considering that the lower case name is preferred, I'd say, that we
> should use the second way, but use a lowercase "anonymous":
> <value name="usracct.username">anonymous</value>
> Bye,
>
it doesn't have to be the same rule. two rules can result in the same
tags/name-value pairs.
even more, it is better if they are different rules, they identify
different messages after all. multiple patterns should only be used if
the same log message has multiple variants.
--
Bazsi
More information about the syslog-ng
mailing list