Hi,

* Clayton Dukes <cdukes@gmail.com> [2011-03-07 09:28:35-0500]:
> The * and . characters are NTP problems - they mean that your devices are not configured/synched properly:
>
> Symbol   Description
but but but...

http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c...

  "Cisco IOS Software allows devices to be configured to send the time-zone
  information in the message part of the Syslog packet. When this occurs,
  the message will be marked with an asterisk (*)."

Or does 'message' here mean $MSG?
> *        Time is not authoritative: the software clock is not in sync or has never been set.
> (blank)  Time is authoritative: the software clock is in sync or has just been set manually.
> .        Time is authoritative, but NTP is not synchronized: the software clock was in sync, but has since lost contact with all configured NTP servers.
/me adds another thing to his todo list of things to fix :-/

In my defence, I cannot find where this is documented on the Cisco website.
> I'm using:
>
>   $S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n
>
> I use tabs as a delimiter, but of course you can use the delim of your choice :-)
>
> In my parser, I use:
>
>   my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;
>   my $re_mne  = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture
>
> ...while loop:
>
>   # v3.2 Fields are: TS, Host, PRI, Program, and MSG
>   if ($msg =~ m/$re_pipe/) {
>       $ts       = $1;
>       $host     = $2;
>       $pri      = $3;
>       $facility = int($pri/8);              # syslog facility = PRI / 8
>       $severity = $pri - ($facility * 8);   # syslog severity = PRI mod 8
>       $prg      = $4;
>       $msg      = $5;                       # message body only
>   }
Much like the squid rewriter on the page, I did use a perl script originally, then worked out how (with a monkey wrench) I could persuade syslog-ng to do my dirty work :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is cheap, but the accessories can kill you.
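As an added example (not Clayton's parser and not code shipped with syslog-ng), the script below reads lines written by the tab-delimited template quoted above, decodes $PRI into facility and severity the same way (int(PRI/8) and PRI mod 8), captures the Cisco mnemonic with Clayton's regex, and additionally classifies the IOS clock-status marker (*, . or none) in front of the device's own timestamp so a collector can flag hosts whose clocks should not be trusted when correlating events. The sample lines, host names and $PROGRAM values are constructed for the demonstration; the clock_state table follows the symbol descriptions quoted in the thread.

```perl
#!/usr/bin/perl
# Added example, not Clayton's or Alexander's code. Parses lines produced by
# the tab-delimited syslog-ng template quoted in the thread.
use strict;
use warnings;

# Field layout of the template:
#   $S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC \t $HOST \t $PRI \t $PROGRAM \t $MSGONLY
my $re_pipe = qr/^(\S+ \S+)\t([^\t]+)\t(\d+)\t([^\t]*)\t(.*)$/;

# Cisco %FACILITY-SEVERITY-MNEMONIC token, e.g. %SYS-5-CONFIG_I (Clayton's regex)
my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/;

# IOS prefixes its own timestamp with a clock-status marker:
#   '*'   software clock not authoritative (never set / not in sync)
#   '.'   was in sync, since lost contact with all NTP servers
#   none  authoritative
my %clock_state = ('*' => 'not-authoritative', '.' => 'ntp-lost');

# Parse one template line into a hashref, or return undef if it does not match.
sub parse_line {
    my ($line) = @_;
    chomp $line;
    return unless $line =~ $re_pipe;
    my %rec = (ts => $1, host => $2, pri => $3, program => $4, msg => $5);

    $rec{facility} = int($rec{pri} / 8);            # PRI / 8
    $rec{severity} = $rec{pri} - $rec{facility} * 8; # PRI mod 8

    # The marker sits directly before the month of the IOS timestamp, either
    # at the start of the body or after an optional "seq:" sequence number.
    my ($marker) = $rec{msg} =~ /(?:^|:\s*)([*.])(?=[A-Z][a-z]{2}\s+\d)/;
    $rec{clock} = defined $marker ? $clock_state{$marker} : 'authoritative';

    ($rec{mnemonic}) = $rec{msg} =~ $re_mne;
    $rec{mnemonic} = '' unless defined $rec{mnemonic};
    return \%rec;
}

# Walk a set of lines and return host => clock state for every host that
# logged at least one message with a non-authoritative clock.
sub clock_report {
    my @lines = @_;
    my %bad;
    for my $line (@lines) {
        my $rec = parse_line($line) or next;
        next if $rec->{clock} eq 'authoritative';
        $bad{ $rec->{host} } = $rec->{clock};
    }
    return \%bad;
}

# Constructed sample lines in the template's format (not real device output).
my @sample = (
    "2011-03-07 09:28:35\tcore-sw1\t189\t45\t*Mar  1 00:01:23.456: %SYS-5-CONFIG_I: Configured from console by console",
    "2011-03-07 09:28:36\tedge-rtr2\t187\t12\t.Mar  7 09:28:36.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "2011-03-07 09:28:37\tedge-rtr3\t189\t13\tMar  7 09:28:37.002: %SYS-5-CONFIG_I: Configured from console by vty0",
    "not a template line at all",
);

if (!caller) {
    for my $line (@sample) {
        my $rec = parse_line($line);
        if (!$rec) { warn "unparsed: $line\n"; next; }
        printf "%-9s fac=%2d sev=%d %-18s clock=%s\n",
            @{$rec}{qw(host facility severity mnemonic clock)};
    }
    my $bad = clock_report(@sample);
    print "hosts with unreliable clocks: ",
        join(', ', map { "$_ ($bad->{$_})" } sort keys %$bad), "\n";
}
```

Run it directly to see the per-line breakdown and the two constructed hosts (core-sw1, edge-rtr2) reported with unreliable clocks; the edge-rtr3 line carries no marker and is treated as authoritative, and the junk line is rejected by $re_pipe rather than being half-parsed. Note that the timestamp in the first column is the collector's $S_ time, so even when a device's own clock is flagged the record still carries a usable arrival time.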