The * and . characters are NTP problems - they mean that your devices are not configured/synched properly:<div>Symbol<span style="mso-spacerun:yes">  </span>Description</div><div>

<p class="MsoPlainText">*<span style="mso-spacerun:yes">       </span>Time is not
authoritative: the software clock is not in sync or has never been set. </p>

<p class="MsoPlainText">(blank) Time is authoritative: the software clock is in
sync or has just been set manually </p>

<p class="MsoPlainText">.<span style="mso-spacerun:yes">       </span>Time is
authoritative, but NTP is not synchronized: the software clock was in sync, but
has since lost contact with all configured NTP servers</p><p class="MsoPlainText">I&#39;m using:</p></div><div>$S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n</div><div><br></div><div>I use tabs as a delimiter, but of course you can use the delim of your choice :-)</div>
<div><br></div><div>In my parser, I use:</div><div><div><div>my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;</div><div>my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture</div>
</div><div><br></div><div>...while loop:</div><div># v3.2 Fields are: TS, Host, PRI, Program,  and MSG</div><div> if ($msg =~ m/$re_pipe/) {</div><div>        $ts = $1;</div><div>        $host = $2;</div><div>        $pri = $3;</div>
<div>        $facility = int($pri/8);</div><div>        $severity =  $pri - ($facility * 8 );</div><div>        $prg = $4;</div><div>        $msg = $5;</div></div><div><br></div><div><br></div><div><br></div><div>HTH :-)</div>
<div><br></div><div><br clear="all">______________________________________________________________ <br><br>Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Mon, Mar 7, 2011 at 9:07 AM, Alexander Clouter <span dir="ltr">&lt;<a href="mailto:alex@digriz.org.uk">alex@digriz.org.uk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi,<br>
<br>
I think you have missed what I have set out to accomplish, digesting<br>
and log analysis is not the problem I&#39;m solving[1]<br>
<br>
* Clayton Dukes &lt;<a href="mailto:cdukes@gmail.com">cdukes@gmail.com</a>&gt; [2011-03-07 08:40:55-0500]:<br>
&gt;<br>
&gt; Cisco messages are easy to log than most IMHO.<br>
&gt;<br>
The sequence number and scattering of &#39;*&#39;/&#39;.&#39; infront of the timestamp<br>
makes it anything but easy to log; especially if you want to trust the<br>
sending host&#39;s timestamp and have all your output logs in a *standard*<br>
format[2].<br>
<br>
Cisco devices do *not* send messages in a format syslog-ng cannot parse<br>
directly (or not one I have found).  Why does IOS sometimes put a &#39;.&#39;<br>
infront of the date and other times does not?  The only helpful bit I<br>
got from your whitepaper is now I know what &#39;*&#39; means, no idea why you<br>
did not just append &#39;+02:30&#39; or whatever on the date instead?<br>
<br>
I&#39;m trying to normalise the cruft IOS sends me, not analyse it.  Once it<br>
is in a standard format I can use generic shell/perl scripts to parse<br>
the contents, rather than custom Cisco-only scripts.<br>
<br>
Cheers<br>
<br>
[1] I actually prefer a daily cronjob of various types of &#39;catches of<br>
        the day&#39;, generated from awk/perl scripts that get dumped into<br>
        my mailbox.  For example, &#39;top ten&#39; egress user IP&#39;s appearing<br>
        in the firewall.  This is just how I like to butter by bread<br>
        though :)<br>
[2] I really like the output from &quot;$ISODATE $FULLHOST<br>
        &lt;$FACILITY.$PRIORITY&gt; $MSGHDR$MSGONLY&quot;<br>
<font color="#888888"><br>
--<br>
Alexander Clouter<br>
.sigmonster says:   Thank God I&#39;m an atheist.<br>
</font></blockquote></div><br></div>