Rainer Gerhards wrote:
>
> Oct 1 17:56:57 rh9lt rger: test 2
> Oct 1 17:56:44 172.19.1.20 wsrger rger: test 1
> <13>Oct 1 18:02:32 rger: test 4
>
> [which to expect?]

Syslog has become sufficiently loosely specified over the years that I'm afraid you'll have to be able to deal with just about any variation, including also missing timestamps. Make your parser smart enough to figure out which fields are actually present and have it deal with things at runtime. Perhaps you can make assumptions about locally-received events based on the host OS or such, but you can make no such assumptions about remotely received events, so I'd just go ahead and implement the full logic and apply it to all events.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
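The "figure out which fields are actually present at runtime" approach described above, as an added example that is not part of the thread and not code from any of the participants: a lenient BSD-style syslog parser that treats the PRI, the timestamp and the hostname as each optional, and records every header token before the tag as a host candidate instead of guessing which one is the original sender (the relay-inserted `172.19.1.20` in the second sample is why there can be more than one). The three sample lines are the ones quoted in the thread; the two extra lines (no timestamp, no tag) are constructed. The field names, the three-token limit on the header, and the `SyslogEvent` type are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Optional PRI prefix, e.g. "<13>": facility = pri // 8, severity = pri % 8.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Optional BSD timestamp "Mmm d HH:MM:SS"; RFC 3164 pads a single-digit day
# with a space ("Oct  1"), list archives often collapse it to one space.
_TS_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}(\d{1,2}) "
    r"(\d{2}:\d{2}:\d{2})\s+"
)
# A tag is the first header token ending in ':'; beyond this many tokens we
# assume the message simply has no tag rather than a very long relay chain.
_MAX_HEADER_TOKENS = 3


@dataclass
class SyslogEvent:
    raw: str
    pri: Optional[int] = None
    facility: Optional[int] = None
    severity: Optional[int] = None
    timestamp: Optional[str] = None
    hosts: List[str] = field(default_factory=list)  # all header tokens before the tag
    tag: Optional[str] = None
    message: str = ""


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one line, accepting any combination of missing header fields."""
    ev = SyslogEvent(raw=line)
    rest = line.rstrip("\r\n")

    m = _PRI_RE.match(rest)
    if m and int(m.group(1)) <= 191:  # 23 facilities * 8 severities - 1
        ev.pri = int(m.group(1))
        ev.facility, ev.severity = divmod(ev.pri, 8)
        rest = rest[m.end():]

    m = _TS_RE.match(rest)
    if m:
        ev.timestamp = f"{m.group(1)} {int(m.group(2))} {m.group(3)}"
        rest = rest[m.end():]

    tokens = rest.split(" ")
    for i, tok in enumerate(tokens[:_MAX_HEADER_TOKENS]):
        if len(tok) > 1 and tok.endswith(":"):
            ev.hosts = tokens[:i]          # zero, one or several hosts
            ev.tag = tok[:-1]
            ev.message = " ".join(tokens[i + 1:])
            break
    else:
        ev.message = rest                  # no recognisable tag: free-form text
    return ev


# The first three lines are quoted from the thread; the last two are constructed.
SAMPLE_LINES = [
    "Oct 1 17:56:57 rh9lt rger: test 2",
    "Oct 1 17:56:44 172.19.1.20 wsrger rger: test 1",
    "<13>Oct 1 18:02:32 rger: test 4",
    "<13>rger: test 5",          # constructed: PRI but no timestamp or host
    "just some free text",       # constructed: nothing but a message
]


def parse_all(lines: List[str] = SAMPLE_LINES) -> List[SyslogEvent]:
    return [parse_syslog(ln) for ln in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(f"pri={ev.pri} ts={ev.timestamp!r} hosts={ev.hosts} "
              f"tag={ev.tag!r} msg={ev.message!r}")
```

Keeping `hosts` as a list is deliberate: for the relayed line the parser cannot know whether `172.19.1.20` or `wsrger` is the real origin, so the event records both and a later enrichment step can decide using knowledge of the relay topology.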
This archive was generated by hypermail 2b30 : Thu Oct 02 2003 - 06:38:09 PDT