>but but but...<br>><br>><a href="http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339" target="_blank">http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339</a><div>
<br></div><div><a href="http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339" target="_blank"></a>Yep...I'm trying to get the WP corrected (which was based on another incorrect document at <a href="http://cisco.com">cisco.com</a>), but it's difficult to get WP's updated (large company, trying to find out *who* can make the change).</div>
<div><br></div><div>>In my defence, I cannot find where this documented on the Cisco website.</div><div>Can't say I blame you :-)</div><div><br clear="all">______________________________________________________________ <br>
<br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Mon, Mar 7, 2011 at 10:58 AM, Alexander Clouter <span dir="ltr"><<a href="mailto:alex@digriz.org.uk">alex@digriz.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi,<br>
<br>
* Clayton Dukes <<a href="mailto:cdukes@gmail.com">cdukes@gmail.com</a>> [2011-03-07 09:28:35-0500]:<br>
><br>
> The * and . characters are NTP problems - they mean that your devices are<br>
> not configured/synched properly:<br>
> Symbol Description<br>
><br>
but but but...<br>
<br>
<a href="http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339" target="_blank">http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339</a><br>
<br>
"Cisco IOS Software allows devices to be configured to send the<br>
time-zone information in the message part of the Syslog packet. When<br>
this occurs, the message will be marked with an asterisk (*)."<br>
<br>
Or does 'message' here mean $MSG?<br>
<br>
> * Time is not authoritative: the software clock is not in sync or has<br>
> never been set.<br>
><br>
> (blank) Time is authoritative: the software clock is in sync or has just<br>
> been set manually<br>
><br>
> . Time is authoritative, but NTP is not synchronized: the software<br>
> clock was in sync, but has since lost contact with all configured NTP<br>
> servers<br>
><br>
/me adds another thing to his todo list of things to fix :-/<br>
<br>
In my defence, I cannot find where this documented on the Cisco website.<br>
<br>
> I'm using:<br>
> $S_YEAR-$S_MONTH-$S_DAY<br>
> $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n<br>
><br>
> I use tabs as a delimiter, but of course you can use the delim of your<br>
> choice :-)<br>
><br>
> In my parser, I use:<br>
> my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;<br>
> my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture<br>
><br>
> ...while loop:<br>
> # v3.2 Fields are: TS, Host, PRI, Program, and MSG<br>
> if ($msg =~ m/$re_pipe/) {<br>
> $ts = $1;<br>
> $host = $2;<br>
> $pri = $3;<br>
> $facility = int($pri/8);<br>
> $severity = $pri - ($facility * 8 );<br>
> $prg = $4;<br>
> $msg = $5;<br>
><br>
Much like the squid rewriter on the page, I did use a perl script<br>
originally, then worked out how (with a monkey wrench) I could persuade<br>
syslog-ng to do my dirty work :)<br>
<br>
Cheers<br>
<font color="#888888"><br>
--<br>
Alexander Clouter<br>
.sigmonster says: Life is cheap, but the accessories can kill you.<br>
</font></blockquote></div><br></div>