Briefly described, liblognorm is a tool to normalize log data.

People who need to take a look at logs often have a common problem. Logs from different machines (from different vendors) usually have different formats. Even if it is the same type of log (e.g. from firewalls), the log entries are so different, that it is pretty hard to read these. This is where liblognorm comes into the game. With this tool you can normalize all your logs. All you need is liblognorm and its dependencies and a sample database that fits the logs you want to normalize.

So, for example, if you have traffic logs from three different firewalls, liblognorm will be able to “normalize” the events into generic ones. Among others, it will extract source and destination ip addresses and ports and make them available via well-defined fields. As the end result, a common log analysis application will be able to work on that common set and so this backend will be independent from the actual firewalls feeding it. Even better, once we have a well-understood interim format, it is also easy to convert that into any other vendor specific format, so that you can use that vendor’s analysis tool.

By design, liblognorm is constructed as a library. Thus, it can be used by other tools.

In short, liblognorm works by:

  1. Matching a line to a rule from predefined configuration;
  2. Picking out variable fields from the line;
  3. Returning them as a JSON hash object.

Then, a consumer of this object can construct new, normalized log line on its own.