[prev in list] [next in list] [prev in thread] [next in thread] 

List:       syslog-ng
Subject:    Re: [syslog-ng] pure-ftpd
From:       Balazs Scheidler <bazsi () balabit ! hu>
Date:       2010-09-30 6:08:04
Message-ID: 1285826884.5045.1.camel () bzorp ! lan
[Download RAW message or body]

On Wed, 2010-09-29 at 13:35 +0200, Peter Czanik wrote:
> Hello,
> 
> On 09/29/2010 01:26 PM, Balazs Scheidler wrote:
> >
> >> - how should Anonymous login be handled?
> >> @QSTRING:useracct.username: @
> >> vs.
> >> <value name="usracct.username">Anonymous</value>
> >>     
> > anonymous should be handled just like any other username, although it is
> > canonically written as "anonymous" e.g. lower case.
> >
> >   
> Anonymous is logged differently, so it can't be handled with the same rule:
> 
> "Anonymous user logged in" vs. "czanik is now logged in"
> 
> Considering that the lower case name is preferred, I'd say, that we
> should use the second way, but use a lowercase "anonymous":
> <value name="usracct.username">anonymous</value>
> Bye,
> 

it doesn't have to be the same rule. two rules can result in the same
tags/name-value pairs.

even more, it is better if they are different rules, they identify
different messages after all. multiple patterns should only be used if
the same log message has multiple variants.

-- 
Bazsi


______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

[prev in list] [next in list] [prev in thread] [next in thread]