[syslog-ng] patterndb parsers - name selection request.

Balazs Scheidler bazsi77 at gmail.com
Sat Oct 13 21:45:22 CEST 2012 

----- Original message -----
> 
> For our own purposes we will be adding a few parsers to the patterndb
> syntax, and will be contributing them back to Balabit, so I wanted to
> choose reasonable/acceptable names for these. Feedback on what these do
> and/or the name of the parser would be appreciated.
> 
> HOSTNAME
> 
> This is really the same as @STRING:xxx:.-_@ but makes the pattern much
> more readable. I am still considering if any triailing period should be
> consumed but dropped. This would make it easier to parse a hostname that
> comes at the end of a log line where the log line ends in a period, as
> well as forced FQDN names that are logged.
> 

sounds good.

> EMAIL
> 
> email addresses are difficult to parse because they have an @ symbol in
> them. This parser would accept a list of characters that would be
> dropped beginning and end of the match. such as "erempel at uvic.ca" or
> <erempel at uvic.ca> and return just the e-mail address erempel at uvic.ca in
> the specified tag name.
> 

good idea.

> MACETH
> 
> Parse upper/lower case ethernet MAC addresses such as 78:2B:CB:70:49:73

there's already a parser for this in 3.4, iirc it is called macaddr
> 
> MACIB
> 
> Parse upper/lower case infiniband addresses such as
> 80:00:00:48:fe:80:00:00:00:00:00:00:00:02:c9:03:00:05:bc:15
> 
> MACFC
> 
> Parse upper/lower case fibre channel addresses (these are fibre channel
> (w)orld (w)ide (n)ames often refered to as WWN but in keeping with the
> (m)edia (a)ccess (c)ontrol layer names I have chosen for MACETH and
> MACIB I thought that MACFC was more consistent.
> 

I wouldn't use MAC prefix for either of these, only if it's really that usual to call these macs.

> 
> Thanks for your feedback.
> 

some refactoring in the parser area is dearly needed, the pattern parsing code is ugly. I'm not sure when I get there to refactor that, i just  wanted to warn you :) or if you could split that huge function to smaller ones and use a lookup table instead of the if-else-if mess, that would be appreciated.

thanks for considering this. these ideas are great
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20121013/55f3aafd/attachment.htm

More information about the syslog-ng mailing list