liblognorm 1.0.1 released

We have just released liblognorm 1.0.1. This is a pure maintenance release.


Version 1.0.1, 2014-04-11

  • improved doc (via RST/Sphinx)
  • bugfix: unparsed fields were copied incorrectly from non-terminated string. Thanks to Josh Blum for the fix.
  • bugfix: mandatory tag did not work in lognormalizer


As always, feedback is appreciated.

Best regards,
Florian Riedl


2 Responses to “liblognorm 1.0.1 released”

  1. mark andrews says:

    Hi there,

    I’m trying to parse data from various Intrusion Detection Systems sent to a box via rsyslog sending the contents of /var/log/auth.log on the IDS box. This all works fine, and now I need to parse the auth.log messages.

    Rather than write all the parsers, I figure someone must have done an open source syslog parser, so I hunt around the web
    and find liblognorm. Wonderful!

    I download and build liblognorm. All goes well and I run the first lognormalizer against the sample messages.log and messages.sampdb.
    Everything comes back as unparsed data.

    Ok, I’ll back off and start simple with data from the SNORT IDS system:

    # in the sampdb file:
    :%date:date-rfc3164% %host:word%
    :%date:date-rfc3164% %host:word% %tag:char-to:]%

    # in the log file
    Oct 25 09:48:25
    Oct 25 09:48:25 ubuntu
    Oct 25 09:48:25 ubuntu snort[5502]
    Oct 25 09:48:25 ubuntu snort[5502]: [1:402:7]

    # and I still get as output for only the date:
    { "originalmsg": "Oct 25 09:48:25", "unparsed-data": "Oct 25 09:48:25" }

    Before diving into the parser code, am I missing something simple here? Why is it returning unparsed-data on
    only a date?

    Once this gets resolved, what should be the pattern for parsing the snort global and signature id part:
    [1:402:7] ==> "gid":1, "signature_id":402 ...

  2. mark andrews says:

    Issue is solved. Failure to add rule=: at the beginning – the sample files message.sampdb and the documentation need to be updated!

    Here are the rules which work for snort events via syslog, FYI:

    rule=:%date:date-rfc3164% %host:word% snort[%instance_id:char-to:\x5d%]: [%gid:char-to:\x3a%:%sig:char-to:\x3a%:%iid:char-to:\x5d%] %sig_string:char-to:\x5b%[Classification:%classification:char-to:\x5d%] [Priority:%priority:char-to:\x5d%] {%proto:char-to:\x7d%} %src_ip:ipv4% -> %dst_ip:ipv4%
    rule=:%date:date-rfc3164% %host:word% snort[%instance_id:char-to:\x5d%]: [%gid:char-to:\x3a%:%sig:char-to:\x3a%:%iid:char-to:\x5d%] %sig_string:char-to:\x5b%[Classification:%classification:char-to:\x5d%] [Priority:%priority:char-to:\x5d%] {%proto:char-to:\x7d%} %src_ip:ipv4% : %src_port:number% -> %dst_ip:ipv4% : %dst_port:number%
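
The two rules above split a snort syslog alert into the fields a SIEM or alerting pipeline keys on (gid/sig/iid, classification, priority, protocol, endpoints). As an added example, not part of the post or of liblognorm, the following Python reimplements that extraction as one regular expression so the result can be inspected without a lognormalizer install. It folds the port-less (ICMP) and port-bearing (TCP/UDP) forms into a single pattern, tolerates the space snort prints after "Classification:" and "Priority:", and returns the same originalmsg/unparsed-data record the comment shows for lines that do not match. Field names follow the rules; the sample alert lines and the helper names parse_snort_alert and normalize are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Union

# Added example; not liblognorm code. One regex standing in for the two
# snort rules above (fields named as in the rules). The src/dst port groups
# are optional, which covers both the ICMP and the TCP/UDP rule.
_SNORT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"snort\[(?P<instance_id>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sig>\d+):(?P<iid>\d+)\] "
    r"(?P<sig_string>.+?) "
    r"\[Classification:\s*(?P<classification>[^\]]*)\] "
    r"\[Priority:\s*(?P<priority>\d+)\] "
    r"\{(?P<proto>[^}]+)\} "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?$"
)

# Fields that are numeric in snort's output; converted so consumers can compare them.
_INT_FIELDS = ("instance_id", "gid", "sig", "iid", "priority", "src_port", "dst_port")

Record = Dict[str, Union[str, int, None]]


def parse_snort_alert(line: str) -> Optional[Record]:
    """Return the fields of one snort syslog alert, or None if the line does not match."""
    m = _SNORT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields: Record = dict(m.groupdict())
    for name in _INT_FIELDS:
        if fields[name] is not None:
            fields[name] = int(fields[name])  # ports stay None for port-less protocols
    return fields


def normalize(lines: List[str]) -> List[Record]:
    """Mimic lognormalizer's behaviour: parsed fields, or originalmsg/unparsed-data on failure."""
    out: List[Record] = []
    for line in lines:
        parsed = parse_snort_alert(line)
        if parsed is None:
            out.append({"originalmsg": line, "unparsed-data": line})
        else:
            out.append(parsed)
    return out


# Constructed sample lines in the shape of snort's syslog alert output
# (hypothetical hosts and addresses; the bare-date line is the one from the comment).
SAMPLE_LINES = [
    "Oct 25 09:48:25 ubuntu snort[5502]: [1:402:7] ICMP Destination Unreachable Port Unreachable "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 192.168.1.20",
    "Oct 25 09:48:26 ubuntu snort[5502]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.20:80 -> 192.168.1.10:49152",
    "Oct 25 09:48:25",
]

if __name__ == "__main__":
    for record in normalize(SAMPLE_LINES):
        print(record)
```

Running it prints one dict per line: the first two with gid/sig/iid and endpoints as separate keys (src_port/dst_port None for the ICMP alert), the third as the unparsed-data record, which is exactly the symptom the first comment describes when a rule fails to match.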
