Log formats
Logrep sees log files as logical blocks containing attributes. Mostly, one block corresponds to one line. However, there are some exceptions like postfix and sendmail files with multi-line blocks, and syslogs with last line repeated messages that contain many blocks in a one single line!.
Logrep parsing modules extract attributes from each block and populate multi dimensional data structures for further analysis and reporting.
Composite attributes
As of version 1.4.3, Logrep supports composite attributes. With this feature you can combine several basic attributes into a composite attribute for logrep analysis. For example, combined attribute 'month.day' can give you trend analysis spanning several months. Another example can be "from.to.result", giving a one-step overview of transfer results from one source to a destination.
Currently, only concatenation operator (.) is supported.
| Supported systems and attributes
The current version of logrep can analyze log files with 31 different formats.
The table below shows lists of available attributes by system :
| System |
Log type |
Attribute list |
| Apache |
Common Log Format |
month, day, hour, from, user, authuser, method, document, result, kbsize |
| Apache |
Combined Log Format |
month, day, hour, from, user, authuser, method, document, result, kbsize, referrer, useragent |
| Exchange |
5.5 Tracking log |
month, day, hour, gateway, from, priority, sizeKB, to |
| Exchange |
2000/2003 Tracking log |
month, day, hour, clientname, partner, servername, to, eventid, msgid, priority, status, sizeKB, nrecipients, encryption, from |
| Checkpoint Firewall-1 |
4.1 Export |
month, day, hour, originator, type, action, alert, interface, direction, protocol, source, destination, service, rule, length |
| Checkpoint Firewall-1 NG |
NG Export |
month, day, hour, origin, type, action, interface, protocol, source, destination, service, rule, information, user, sourceport |
| Checkpoint Firewall-1 NGX |
NG Export |
month, day, hour, origin, type, action, interface, protocol, source, destination, service, rule, information, user, sourceport, rulename, currentrule |
| Cisco Pix Firewall |
syslog |
month, day, hour, pixnode, severity, source, sourceport, destination, destport, event |
| Cisco SEC messages |
syslog |
month, day, hour, pixnode, list, code, action, proto, source, sourceport, destination, destport, npacket |
| Cisco VPN Concentrator |
syslog |
month, day, hour, code, message, from, group, user, length |
| Microsoft IIS |
5.0 W3C standard |
month, day, hour, from, user, to, port, method, document, result |
| Microsoft IIS |
6.0 W3C extended |
month, day, hour, from, user, to, port, method, document, result |
| Microsoft SUS |
5.0 W3C standard |
month, day, hour, from, to, client, activity, item, platform, language, status, error, message |
| Microsoft SUS |
6.0 W3C extended |
month, day, hour, from, to, client, activity, item, platform, language, status, error, message |
| GTA Firewall appliance (WELF) |
Kiwi syslog |
month, day, hour, id, fw, pri, msg, proto, src, srcport, nat, natport, dst, dstport, rule, duration, cataction, catsite, flttype, fltaction, interface, attribute |
| Ipchains |
- |
month, day, hour, server, chain, action, interface, protocol, source, sourceport, destination, destport, sizeKB, rule |
| Iptables |
- |
month, day, hour, server, in, out, source, destination, sizeKB, ttl, protocol, sourceport, destport, windowKB |
| Trend Micro Virus Scan |
Virus log file |
month, day, hour, from, to, virus |
| Netscreen |
- |
month, day, hour, server, severity, errortype, duration, policyid, protocol, direction, action, sentKB, receivedKB, source, destination, sourceport, destport, description |
| NT Event Log |
Dumpel export |
day, month, hour, type, category ,event, source, user |
| Oracle SQL listener |
- |
month, day, hour, connectdata, address, sid, event, returncode |
| Postfix |
- |
month, day, hour, from, to, size, recipients, delay, status |
| Sendmail |
- |
month, day, hour, from, to, size, recipients, delay, status |
| Snort |
Ascii alert file |
month, day, hour, from, to, event |
| Snort |
Syslog |
month, day, hour, from, to, event |
| Squid |
- |
month, day, hour, elapsed, from, cache, result, sizeKB, method, url, content |
| Syslog |
- |
month, day, hour, server, source, message |
| Watchguard Firewall |
syslog |
month, day, hour, fw, pri, rule, source, destination, protocol, srcport, destport, indev, inport, rc, message |
| WinInstall Software Distribution |
- |
month, day, hour, installtype, result, package, netaddr, workstation, user |
| Wtmp |
last -i command |
month, day, hour, user, tty, from, duration |
| Xferlog |
- |
month, day, hour, transfertimemins, remotehost, filesizekb, filename, transfertype, specialaction, direction, accessmode, username, authmethod,authuser |
|
|
Printer-friendly version