> The logic that I've come up with so far consists of a routine that does
> the following:
>
> 1) tries to guess the type of message based upon some obvious content,
> such as %PIX indicates it's a pix firewall message. If it can determine
> the type of message, parsing the contents is a cinch, since the order of
> the tokens is already known (until Cisco changes their format).
>
> 2) if #1 fails, do a "brute-force" approach (for lack of a better term),
> that employs sequences of tokens, i.e. if the date comes first, then a
> hostname after it, etc. I'm not quite sure how this'll work out yet.
> Hopefully #1 will cover 95% of the cases.

Well...

Why not make a list (in a text file, db etc) that maps IP addresses to
device types, like...

10.1.2.1 CiscoPix
10.2.4.4 HPPrinter
10.4.0.4 ExtremeSummit
10.5.5.2 HPPrinter
Etc...

And feed all messages from, for example, 10.2.4.4 and 10.5.5.2 into a
program/module/function/etc called HPPrinter, to do the parsing.

// Best regards
Bjorn Osterman (DGC Systems AB, Sweden)

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
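The two approaches in this thread can be combined: consult the source-address map first, fall back to content sniffing (the %PIX signature) for unmapped senders, and dispatch to a per-device parser. This is an added example, not code from either poster; the address map, the syslog lines and the single PIX parser are constructed for illustration.

```python
import re

# Constructed source-address -> device-type map, as proposed in the reply.
DEVICE_MAP = {
    "10.1.2.1": "CiscoPix",
    "10.2.4.4": "HPPrinter",
    "10.4.0.4": "ExtremeSummit",
    "10.5.5.2": "HPPrinter",
}

# Content signatures for senders not in the map (strategy #1 of the quoted post).
SIGNATURES = [("CiscoPix", re.compile(r"%PIX-\d-\d+"))]

# Minimal BSD-syslog shape: optional <pri>, timestamp, hostname, body.
SYSLOG = re.compile(r"^(?:<\d+>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s+(.*)$")

def classify(src_ip, body):
    """Device type from the address map, else from a content signature, else None."""
    if src_ip in DEVICE_MAP:
        return DEVICE_MAP[src_ip]
    for name, pattern in SIGNATURES:
        if pattern.search(body):
            return name
    return None

def parse_generic(device, host, body):
    # Fallback for device types that have no dedicated parser yet.
    return {"device": device or "Unknown", "host": host, "text": body}

def parse_pix(device, host, body):
    # PIX body layout: %PIX-<severity>-<message id>: <text>
    m = re.match(r"^%PIX-(\d)-(\d+):\s*(.*)$", body)
    if not m:
        return parse_generic(device, host, body)
    return {"device": "CiscoPix", "host": host, "severity": int(m.group(1)),
            "msgid": m.group(2), "text": m.group(3)}

PARSERS = {"CiscoPix": parse_pix}

def parse_line(src_ip, line):
    """Split the syslog envelope, classify the sender, dispatch to its parser."""
    m = SYSLOG.match(line)
    if not m:
        return None
    host, body = m.groups()
    device = classify(src_ip, body)
    return PARSERS.get(device, parse_generic)(device, host, body)

if __name__ == "__main__":
    # Constructed sample: a PIX message from an address that is not in the map.
    print(parse_line("10.9.9.9", "<166>Aug 22 09:25:58 fw1 %PIX-6-302013: Built outbound TCP connection"))
```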
This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 09:25:58 PDT