The * and . characters are NTP problems - they mean that your devices are not configured/synched properly:<div>Symbol<span style="mso-spacerun:yes"> </span>Description</div><div>
<p class="MsoPlainText">*<span style="mso-spacerun:yes"> </span>Time is not
authoritative: the software clock is not in sync or has never been set. </p>
<p class="MsoPlainText">(blank) Time is authoritative: the software clock is in
sync or has just been set manually </p>
<p class="MsoPlainText">.<span style="mso-spacerun:yes"> </span>Time is
authoritative, but NTP is not synchronized: the software clock was in sync, but
has since lost contact with all configured NTP servers</p><p class="MsoPlainText">I'm using:</p></div><div>$S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n</div><div><br></div><div>I use tabs as a delimiter, but of course you can use the delim of your choice :-)</div>
<div><br></div><div>In my parser, I use:</div><div><div><div>my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;</div><div>my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture</div>
</div><div><br></div><div>...while loop:</div><div># v3.2 Fields are: TS, Host, PRI, Program, and MSG</div><div> if ($msg =~ m/$re_pipe/) {</div><div> $ts = $1;</div><div> $host = $2;</div><div> $pri = $3;</div>
<div> $facility = int($pri/8);</div><div> $severity = $pri - ($facility * 8 );</div><div> $prg = $4;</div><div> $msg = $5;</div></div><div><br></div><div><br></div><div><br></div><div>HTH :-)</div>
<div><br></div><div><br clear="all">______________________________________________________________ <br><br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Mon, Mar 7, 2011 at 9:07 AM, Alexander Clouter <span dir="ltr"><<a href="mailto:alex@digriz.org.uk">alex@digriz.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi,<br>
<br>
I think you have missed what I have set out to accomplish, digesting<br>
and log analysis is not the problem I'm solving[1]<br>
<br>
* Clayton Dukes <<a href="mailto:cdukes@gmail.com">cdukes@gmail.com</a>> [2011-03-07 08:40:55-0500]:<br>
><br>
> Cisco messages are easy to log than most IMHO.<br>
><br>
The sequence number and scattering of '*'/'.' infront of the timestamp<br>
makes it anything but easy to log; especially if you want to trust the<br>
sending host's timestamp and have all your output logs in a *standard*<br>
format[2].<br>
<br>
Cisco devices do *not* send messages in a format syslog-ng cannot parse<br>
directly (or not one I have found). Why does IOS sometimes put a '.'<br>
infront of the date and other times does not? The only helpful bit I<br>
got from your whitepaper is now I know what '*' means, no idea why you<br>
did not just append '+02:30' or whatever on the date instead?<br>
<br>
I'm trying to normalise the cruft IOS sends me, not analyse it. Once it<br>
is in a standard format I can use generic shell/perl scripts to parse<br>
the contents, rather than custom Cisco-only scripts.<br>
<br>
Cheers<br>
<br>
[1] I actually prefer a daily cronjob of various types of 'catches of<br>
the day', generated from awk/perl scripts that get dumped into<br>
my mailbox. For example, 'top ten' egress user IP's appearing<br>
in the firewall. This is just how I like to butter by bread<br>
though :)<br>
[2] I really like the output from "$ISODATE $FULLHOST<br>
<$FACILITY.$PRIORITY> $MSGHDR$MSGONLY"<br>
<font color="#888888"><br>
--<br>
Alexander Clouter<br>
.sigmonster says: Thank God I'm an atheist.<br>
</font></blockquote></div><br></div>