liblognorm
add parser for n-digit hex string
In the format xx:xx:xx:xx where xx is one digit. This is used for MAC addresses, crypto hashes and the like.
Is it possible there could be some extension made to the tokenized keyword to avoid creating a full new parser? Perhaps if it had some way to indicate you're parsing fields of hex values separated by colons but to combine it into a single string instead of separate elements?
I ran into this when parsing openssh logs today and I was parsing a "pub key accepted" line.
Jul 14 13:55:25 notice sshd[1058]: Accepted publickey for the_user from 1.2.3.4 port 51473 ssh2: RSA e1:d5:16:f1:44:ac:e2:fa:5c:60:5b:16:70:9e:aa:f2#015
Right now I'm just parsing it with the "rest" parser, but that's really not the right way to do it either.
For performance reasons as well as to prevent too broad matches, we need a new parser in any case.
+1 for a new parser. I guess it should take an aesthetic-delimiter which it ignores while treating the whole thing as a number?
Regards, Janmejay
PS: Please blame the typos in this mail on my phone's uncivilized soft keyboard sporting its not-so-smart-assist technology.
On Jul 16, 2015 11:25 AM, "Rainer Gerhards" [email protected] wrote:
> For performance reasons as well as to prevent too broad matches, we need a new parser in any case.
I'd say we should make this an option. With the v2 config, we will have much easier ways to specify options, e.g.
%field:hexstring{"digits":12, "delimiter": ":", "keepDelimiter": true}%
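As an added illustration of what such a parser has to do (this is not code from the liblognorm project and not the parser that was eventually implemented), here is a stand-alone C function with the semantics of the option syntax above: consume exactly `digits` hex digits, require `delimiter` between groups, and either keep or drop the delimiters in the captured value. The names `parse_hexstring` and `extract_rsa_fingerprint` and the `group` parameter (digits per delimited group, which the proposed syntax does not name) are assumptions for this example. It is run against the sshd "Accepted publickey" line quoted earlier in the thread, and it refuses a run with the wrong digit count or a missing delimiter, which is the "too broad" match the thread wants to avoid.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Hypothetical stand-alone version of the "hexstring" parser discussed above.
 * Consumes exactly `digits` hex digits from `in`. If `delimiter` is non-NUL,
 * it must appear after every `group` digits. The matched text is copied into
 * `out`, with the delimiters kept or dropped according to `keep_delimiter`.
 * Returns the number of input bytes consumed, or 0 if the input does not
 * match exactly (wrong count, missing delimiter, or more hex following). */
size_t parse_hexstring(const char *in, size_t digits, char delimiter,
                       size_t group, int keep_delimiter,
                       char *out, size_t outlen)
{
    size_t i = 0, ndig = 0, o = 0;

    if (digits == 0 || (delimiter != '\0' && group == 0) || outlen == 0)
        return 0;

    while (ndig < digits) {
        /* After a complete group, the configured delimiter is mandatory. */
        if (delimiter != '\0' && ndig > 0 && ndig % group == 0) {
            if (in[i] != delimiter)
                return 0;
            if (keep_delimiter) {
                if (o + 1 >= outlen)
                    return 0;
                out[o++] = in[i];
            }
            i++;
        }
        if (!isxdigit((unsigned char)in[i]))
            return 0;
        if (o + 1 >= outlen)
            return 0;
        out[o++] = in[i++];
        ndig++;
    }

    /* A longer hex run than requested is the "too broad" match: reject it,
     * both as a bare digit and as one more delimited group. */
    if (isxdigit((unsigned char)in[i]))
        return 0;
    if (delimiter != '\0' && in[i] == delimiter &&
        isxdigit((unsigned char)in[i + 1]))
        return 0;

    out[o] = '\0';
    return i;
}

/* Locate the RSA fingerprint in an sshd "Accepted publickey" line and parse
 * it as a 32-digit, colon-delimited hex string (16 groups of 2 digits).
 * Returns 1 on success and 0 if the line has no such fingerprint. */
int extract_rsa_fingerprint(const char *line, char *out, size_t outlen)
{
    const char *marker = "ssh2: RSA ";
    const char *p = strstr(line, marker);
    if (p == NULL)
        return 0;
    p += strlen(marker);
    return parse_hexstring(p, 32, ':', 2, 1, out, outlen) != 0;
}

/* Sample line taken from the issue above (the "#015" is an escaped CR). */
const char *SAMPLE_LINE =
    "Jul 14 13:55:25 notice sshd[1058]: Accepted publickey for the_user "
    "from 1.2.3.4 port 51473 ssh2: RSA "
    "e1:d5:16:f1:44:ac:e2:fa:5c:60:5b:16:70:9e:aa:f2#015";

int main(void)
{
    char fp[64];
    if (extract_rsa_fingerprint(SAMPLE_LINE, fp, sizeof fp))
        printf("fingerprint=%s\n", fp);
    else
        printf("no match\n");
    return 0;
}
```

Passing `keep_delimiter = 0` yields the same value without colons, which is convenient when the fingerprint is compared against a stored list; asking for 16 digits on the same line is rejected rather than silently matching the first half, so the field cannot over-match a longer hash.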
Sweet.
Regards, Janmejay
On Jul 16, 2015 11:56 AM, "Rainer Gerhards" [email protected] wrote:
> I'd say we should make this an option. With the v2 config, we will have much easier ways to specify options, e.g.
> %field:hexstring{"digits":12, "delimiter": ":", "keepDelimiter": on}%
Oh! Agreed, that's really neat.