rsyslog / liblognorm

a fast samples-based log normalization library
http://www.liblognorm.com
GNU Lesser General Public License v2.1

add parser for n-digit hex string #35

Open rgerhards opened 9 years ago

rgerhards commented 9 years ago

In the format xx:xx:xx:xx where xx is one digit. This is used for MAC addresses, crypto hashes and the like.

sethhall commented 9 years ago

Is it possible there could be some extension made to the tokenized keyword to avoid creating a full new parser? Perhaps if it had some way to indicate you're parsing fields of hex values separated by colons but to combine it into a single string instead of separate elements?

I ran into this when parsing openssh logs today and I was parsing a "pub key accepted" line.

Jul 14 13:55:25 notice sshd[1058]: Accepted publickey for the_user from 1.2.3.4 port 51473 ssh2: RSA e1:d5:16:f1:44:ac:e2:fa:5c:60:5b:16:70:9e:aa:f2#015

Right now I'm just parsing it with the "rest" parser, but that's really not the right way to do it either.

rgerhards commented 9 years ago

For performance reasons as well as to prevent too broad matches, we need a new parser in any case.

janmejay commented 9 years ago

+1 for a new parser. I guess it should take an aesthetic-delimiter which it ignores while treating the whole thing as a number?

Regards, Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft keyboard sporting its not-so-smart-assist technology.


rgerhards commented 9 years ago

I'd say we should make this an option. With the v2 config, we will have much easier ways to specify options, e.g.

%field:hexstring{"digits":12, "delimiter": ":", "keepDelimiter": true}%
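
A sketch of how a parser with these options could behave, added here as an example; it is not code from this thread or from liblognorm. The function name `parse_hexstring` and the option semantics are assumptions: `digits` is the total number of hex digits, they come in pairs with the delimiter between pairs, and `keep_delim` controls whether the delimiter is copied to the output.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper, not liblognorm's API. Returns the number of input
 * bytes consumed, or 0 on no match (out is then undefined). */
size_t parse_hexstring(const char *s, size_t digits, char delim,
                       int keep_delim, char *out, size_t outsz)
{
    size_t i = 0, o = 0, n;

    if (delim == '\0' || digits == 0 || digits % 2 != 0)
        return 0;
    for (n = 0; n < digits; n++) {
        /* a delimiter is required before every pair except the first */
        if (n > 0 && n % 2 == 0) {
            if (s[i] != delim)
                return 0;
            if (keep_delim) {
                if (o + 1 >= outsz)              /* keep room for NUL */
                    return 0;
                out[o++] = delim;
            }
            i++;
        }
        if (!isxdigit((unsigned char)s[i]))      /* also stops at NUL */
            return 0;
        if (o + 1 >= outsz)
            return 0;
        out[o++] = s[i++];
    }
    /* reject a longer run so a 12-digit rule does not match a prefix */
    if (isxdigit((unsigned char)s[i]) ||
        (s[i] == delim && isxdigit((unsigned char)s[i + 1])))
        return 0;
    out[o] = '\0';
    return i;
}

int main(void)
{
    /* constructed sample: fingerprint tail of the sshd line quoted above */
    const char *fp = "e1:d5:16:f1:44:ac:e2:fa:5c:60:5b:16:70:9e:aa:f2#015";
    char buf[64];
    size_t used = parse_hexstring(fp, 32, ':', 0, buf, sizeof buf);
    printf("consumed=%zu value=%s\n", used, buf);
    return 0;
}
```
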

janmejay commented 9 years ago

Sweet.

Regards, Janmejay

PS: Please blame the typos in this mail on my phone's uncivilized soft keyboard sporting its not-so-smart-assist technology.


sethhall commented 9 years ago

Oh! Agreed, that's really neat.