[Dshield] Bug in framework with last message repeated parsing?
Daniel Gerald Kluge
dkluge at acm.org
Sun Mar 9 21:10:20 GMT 2003
I wrote a parser for ZyNOS (Zyxel Routers, Zywall, Netgear) this
afternoon, based on the perl framework, and I'm currently having a
problem with the english in framework.pl.
I parse syslog output, and I have the following issue with the 'last
message repeated line' parsing. The comments in framework.pl say:
# $prev_dline will be non-NULL only if the previous line was a
# DShield log line. Note the rule. Any operation that skips a
# must also clear $prev_dline.
What does valid mean?
The previous line was valid, but it was excluded from output because of
an exclude rule, so $prev_dline is not set, and I'm getting a
parse-error on the 'last message repeated' line because it is passed to
the parser instead of being handled by the framework.
I don't like this behavior, since it will send me checking for the
actual reason of the error every time....
Ideas, comments from framework & parser writers, maintainers and gurus?
More information about the list