Tuesday, March 25, 2008

Custom Parsing Gotcha


I'm in the process of finishing a custom parser to share with the user group. Have a look at the image above: everything looks fine, and the message has been successfully parsed.

But on closer inspection the Matched Strings and Parsed Strings for the Source and Destination Addresses are different.

Why is this? Well, in this particular case the device sending the syslog to MARS was "zero-padding" the addresses in its syslog messages, so an IP address of 10.10.10.10 appeared as 010.010.010.010. Cisco MARS then treated those zero-padded octets as octal numbers.

"Octal numerals can be made from binary numerals by grouping consecutive digits into groups of three (starting from the right). For example, the binary representation for decimal 74 is 1001010, which groups into 001 001 010 — so the octal representation is 112." - http://en.wikipedia.org/wiki/Octal

All is not lost though, as it is possible to include a regex in the parser to eliminate the leading zeros. In my case the solution was a little simpler: luckily the appliance I was creating the parser for had an option to disable zero-padded IP addresses in its syslog output. :-)
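As an added illustration (not code from the original post), here is how the octal misread turns 010.010.010.010 into 8.8.8.8, and how a regex can strip the padding from each octet before the parser ever sees the address; the syslog line and its message format are constructed for the example.

```python
import re

# Constructed sample line (not from the post): a device that zero-pads
# IPv4 octets in its syslog output.
SAMPLE = ("Mar 25 10:00:01 fw01 %FW-6-DENY: tcp "
          "src 010.010.010.010/51234 dst 192.168.001.005/443")

# Matches a dotted quad; each octet may carry leading zeros.
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def octal_misread(addr):
    """Show what a parser that treats a leading zero as an octal prefix
    makes of an address: 010 -> 8, so 010.010.010.010 -> 8.8.8.8.
    Returns None when an octet such as '019' is not valid octal at all."""
    out = []
    for octet in addr.split("."):
        base = 8 if len(octet) > 1 and octet.startswith("0") else 10
        try:
            out.append(str(int(octet, base)))
        except ValueError:
            return None
    return ".".join(out)


def normalize_ipv4(addr):
    """Drop leading zeros from every octet with a regex, keeping a lone '0'
    for a zero octet: 010.000.000.001 -> 10.0.0.1. Apply this only to the
    matched address, not the whole line, or timestamps like 10:00:01 would
    lose their zeros too."""
    return re.sub(r"\b0+(?=\d)", "", addr)


def normalize_line(line):
    """Rewrite every dotted quad in a syslog line to plain decimal so the
    matched and parsed values agree (the regex fix the post refers to)."""
    return IPV4.sub(lambda m: normalize_ipv4(m.group(0)), line)


if __name__ == "__main__":
    print(octal_misread("010.010.010.010"))   # 8.8.8.8
    print(normalize_ipv4("010.010.010.010"))  # 10.10.10.10
    print(normalize_line(SAMPLE))
```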
