Hi Mathias,

Thanks, that's helpful if I'm working on ONE machine. The problem is I can't get this working for our loghost, which gets all the files.

All I get is this:

  Other hosts syslogging to us:
    290374 host1.example.edu
    283974 host2.example.edu
    289307 host3.example.edu

And so on... no matter what I put in the config file :(

-Anne

Mathias Palm grabbed a keyboard and typed...
> On Thu, Oct 10, 2002 at 09:15:12AM -0700, Anne Carasik wrote:
> > Hi Mathias,
>
> Hi Anne,
>
> I send this one to the list again, I hope this is ok.
>
> > Actually, it is a good start. The developer sent me a tutorial,
> > and I'm going to help him work on it for the clueless folks like
> > me :)
>
> > > config_version 0.38
> >
> > Good, we're using the same version (I'm not surprised since
> > Debian hasn't upgraded this yet).
>
> > > add arr log_type_list=
> > > iptables
> > >
> > > add arr log_type_list=
> > > iptables
> >
> > Ok, what is "add arr log_type_list" and why do you have this twice?
>
> This is just a name for a new type of log-files where all the
> definitions to follow apply.
>
> I am sure the doubling is by accident. As I said, I got a config
> somewhere else and rewrote it according to my needs.
>
> > > add arr iptables_filenames=
> > > iptables
> >
> > Ok, so that's the filename you're reading from, right?
>
> It is the root of the logfiles the log_type "iptables" applies to.
> This rule actually reads iptables.0 ... or iptables.1.gz (when called
> with argument -a)
>
> You need to read about "perl regular expressions" (man perlre or heaps
> of other sources about regular expressions) to understand the following
> and write your own configs. I am no expert in regexps and am sure you
> could write better ones. Regexps being a powerful tool, it is worthwhile
> to learn about them, so you won't waste your time.
>
> > > set var iptables_date_pattern=^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+\:\d+\:\d+\s+
>
> Translated this means:
>
> the brackets are just groupings
>
> - ^ Match the beginning of the line
> - ?: some switch I can't remember why I put it there
> - Jan|Feb|Mar... matches Jan or Feb or Mar or ...
> - + match at least one time
> - \s match a whitespace (space, tab or similar)
> - \d{1,2} match one or two digits
> - \: match a : (: is a special character and needs to be escaped)
>
> hence it matches a string like
>
> Oct 9 17:34:27
>
> at the beginning of the line.
>
> > Ok, quick question:
> >
> > What does +\s +\d do? I take it +d is an integer and +s is a string?
>
> see the above
>
> > > set var iptables_date_format=%b %e
> >
> > Not sure what %b and %e give you.
>
> read man strftime. I am not sure what it really does.
>
> > > logtype: iptables
> > > pattern: tungurahua kernel: CHAIN INPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> >
> > I take *'s work like they do in the shell?
>
> The . matches any character and the * matches the preceding
> character 0 or more times. I am not sure if the "preceding character" is
> the dot or the character replacing the dot.
>
> > > use_sprintf
> > > format: "%-3s packet from %-15s to %-15s" , $3, $1, $2
> >
> > I have simple "format:" sections like:
> > format: STMP from $1 to $2
> >
> > What does use_sprintf buy you?
>
> I actually don't know, I guess sprintf sounded just familiar (knowing C
> quite well), so I didn't search for anything else
>
> > > pattern: tungurahua kernel: CHAIN OUTPUT.*SRC=($ip_pat).*DST=($ip_pat).*PROTO=(.*)
> >
> > Do the periods (.) give you anything if they aren't escaped with a \?
>
> see before.
>
> Alright, hope this answers some of your questions. Good luck and thanks
> for writing the tutorial. I'd be interested in it and would be glad if
> you could notify me where to find it.
>
> Mathias

-- 
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
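As an added example (not from this thread, and not the log tool's own code), here are the quoted iptables_date_pattern and CHAIN patterns run in Python over constructed syslog lines. It assumes a definition for $ip_pat (the variable is referenced but never shown in the mail), replaces the literal host name tungurahua with a capturing group, since lines on a loghost carry other hosts' names and would otherwise not match, and captures PROTO as a single token instead of (.*).

```python
import re

# $ip_pat is used in the thread but never defined there; this is an assumed definition.
IP_PAT = r"\d{1,3}(?:\.\d{1,3}){3}"

# iptables_date_pattern from the thread: (?:...) is a non-capturing group for the month,
# the outer (...) captures "Mon DD", and HH:MM:SS plus trailing whitespace are consumed.
DATE_PATTERN = re.compile(
    r"^((?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)+\s+\d{1,2})\s+\d+:\d+:\d+\s+"
)

# The thread's "pattern:" line, with the literal host "tungurahua" replaced by (\S+)
# so lines relayed from any host match, and PROTO captured as one token, not (.*).
CHAIN_PATTERN = re.compile(
    r"^(\S+) kernel: CHAIN (INPUT|OUTPUT).*SRC=(" + IP_PAT + r").*DST=(" + IP_PAT + r").*PROTO=(\S+)"
)

# Constructed sample lines as a loghost would see them; the third is not an iptables line.
SAMPLE_LOG = """\
Oct  9 17:34:27 tungurahua kernel: CHAIN INPUT IN=eth0 OUT= SRC=10.1.2.3 DST=10.1.2.4 LEN=60 PROTO=TCP SPT=1234 DPT=22
Oct  9 17:34:28 host1.example.edu kernel: CHAIN OUTPUT IN= OUT=eth0 SRC=10.1.2.4 DST=10.1.2.3 LEN=84 PROTO=ICMP
Oct  9 17:34:29 host2.example.edu sshd[123]: Accepted publickey for anne
"""


def parse_line(line):
    """Return (date, host, chain, src, dst, proto), or None if the line does not match."""
    m = DATE_PATTERN.match(line)
    if not m:
        return None
    # The firewall pattern is matched against what remains after the date prefix.
    m2 = CHAIN_PATTERN.match(line[m.end():])
    if not m2:
        return None
    return (m.group(1),) + m2.groups()


def format_report(fields):
    """Equivalent of: format: "%-3s packet from %-15s to %-15s", $3, $1, $2"""
    _, _, _, src, dst, proto = fields
    return "%-3s packet from %-15s to %-15s" % (proto, src, dst)


def parse_log(text):
    """Parse every line and keep only the ones that are firewall log lines."""
    return [f for f in map(parse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for fields in parse_log(SAMPLE_LOG):
        print(format_report(fields))
```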