[syslog-ng] cisco/squid feedback

Alexander Clouter alex at digriz.org.uk
Mon Mar 7 15:07:11 CET 2011


Hi,

I think you have missed what I have set out to accomplish; digesting 
and log analysis is not the problem I'm solving[1].

* Clayton Dukes <cdukes at gmail.com> [2011-03-07 08:40:55-0500]:
>
> Cisco messages are easier to log than most IMHO.
>
The sequence number and scattering of '*'/'.' in front of the timestamp 
makes it anything but easy to log; especially if you want to trust the 
sending host's timestamp and have all your output logs in a *standard* 
format[2].

Cisco devices do *not* send messages in a format syslog-ng cannot parse 
directly (or not one I have found).  Why does IOS sometimes put a '.' 
in front of the date and other times does not?  The only helpful bit I 
got from your whitepaper is now I know what '*' means; no idea why you 
did not just append '+02:30' or whatever on the date instead?

I'm trying to normalise the cruft IOS sends me, not analyse it.  Once it 
is in a standard format I can use generic shell/perl scripts to parse 
the contents, rather than custom Cisco-only scripts.

Cheers

[1] I actually prefer a daily cronjob of various types of 'catches of 
	the day', generated from awk/perl scripts that get dumped into 
	my mailbox.  For example, 'top ten' egress user IPs appearing
	in the firewall.  This is just how I like to butter my bread 
	though :)
[2] I really like the output from "$ISODATE $FULLHOST 
	<$FACILITY.$PRIORITY> $MSGHDR$MSGONLY"

-- 
Alexander Clouter
.sigmonster says:   Thank God I'm an atheist.
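As an added illustration (not code from the thread or from syslog-ng), a small Python normaliser for the IOS line shapes the mail describes: it strips the sequence number and the '*'/'.' marker glued to the timestamp, rewrites the PRI and timestamp into the "$ISODATE $FULLHOST <$FACILITY.$PRIORITY> $MSGHDR$MSGONLY" layout from footnote [2], and keeps a flag saying whether the device clock can be trusted. The sample lines, host name, year and UTC zone are constructed assumptions, as is the reading of '*' as "clock not authoritative" and '.' as "NTP sync lost".

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shapes the mail complains about: an optional
# sequence number, then an optional '*' or '.' glued to the device timestamp.
# Assumption: '*' marks a clock IOS does not consider authoritative, '.' one
# that was NTP-synchronised but has since lost sync.
SAMPLES = [
    "<189>42: *Mar  7 14:03:22.123: %SYS-5-CONFIG_I: Configured from console by vty0",
    "<187>43: .Mar  7 14:03:25: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down",
    "<190>Mar  7 14:03:26.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.0.9(22), 1 packet",
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

IOS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                 # RFC 3164 PRI
    r"(?:(?P<seq>\d+): )?"                 # 'service sequence-numbers' counter
    r"(?P<flag>[*.])?"                     # clock-trust marker, if any
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{1,3})?): "
    r"(?P<msg>%.*)$"                       # %FACILITY-SEV-MNEMONIC: text
)

def normalise(line, host, year=2011, tz=timezone.utc):
    """Return (standard_line, clock_trusted) for one raw IOS syslog line.
    Year and zone are assumptions: the default IOS timestamp carries neither."""
    m = IOS_RE.match(line)
    if not m:
        raise ValueError(f"not an IOS-style line: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"PRI out of range: {m['pri']}")
    stamp = " ".join(m["ts"].split())          # collapse the day-padding spaces
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in stamp else "%Y %b %d %H:%M:%S"
    when = datetime.strptime(f"{year} {stamp}", fmt).replace(tzinfo=tz)
    out = (f"{when.isoformat(timespec='seconds')} {host} "
           f"<{FACILITIES[facility]}.{PRIORITIES[severity]}> {m['msg']}")
    return out, m["flag"] is None            # '*' or '.' => do not trust this timestamp

if __name__ == "__main__":
    for raw in SAMPLES:
        text, trusted = normalise(raw, "router1")
        print(("" if trusted else "[untrusted clock] ") + text)
```

Lines carrying a '*' or '.' come back with the flag cleared, so a downstream script can fall back to the receiving host's time instead of the device's.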

