[syslog-ng] cisco/squid feedback
Clayton Dukes
cdukes at gmail.com
Mon Mar 7 15:28:35 CET 2011
The * and . characters are NTP problems - they mean that your devices are
not configured/synched properly:
Symbol   Description
*        Time is not authoritative: the software clock is not in sync or has never been set.
(blank)  Time is authoritative: the software clock is in sync or has just been set manually.
.        Time is authoritative, but NTP is not synchronized: the software clock was in sync, but has since lost contact with all configured NTP servers.
I'm using:
$S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n
I use tabs as a delimiter, but of course you can use the delim of your
choice :-)
In my parser, I use:
my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;            # TS, host, PRI, program, message
my $re_mne  = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/;     # Cisco Mnemonics capture
...while loop:
# v3.2 Fields are: TS, Host, PRI, Program, and MSG
if ($msg =~ m/$re_pipe/) {
    $ts       = $1;
    $host     = $2;
    $pri      = $3;
    $facility = int($pri/8);             # syslog facility = PRI div 8
    $severity = $pri - ($facility * 8 ); # syslog severity = PRI mod 8
    $prg      = $4;
    $msg      = $5;
}
HTH :-)
______________________________________________________________
Clayton Dukes
______________________________________________________________
On Mon, Mar 7, 2011 at 9:07 AM, Alexander Clouter <alex at digriz.org.uk> wrote:
> Hi,
>
> I think you have missed what I have set out to accomplish, digesting
> and log analysis is not the problem I'm solving[1]
>
> * Clayton Dukes <cdukes at gmail.com> [2011-03-07 08:40:55-0500]:
> >
> > Cisco messages are easier to log than most IMHO.
> >
> The sequence number and scattering of '*'/'.' in front of the timestamp
> makes it anything but easy to log; especially if you want to trust the
> sending host's timestamp and have all your output logs in a *standard*
> format[2].
>
> Cisco devices do *not* send messages in a format syslog-ng cannot parse
> directly (or not one I have found). Why does IOS sometimes put a '.'
> in front of the date and other times does not? The only helpful bit I
> got from your whitepaper is now I know what '*' means, no idea why you
> did not just append '+02:30' or whatever on the date instead?
>
> I'm trying to normalise the cruft IOS sends me, not analyse it. Once it
> is in a standard format I can use generic shell/perl scripts to parse
> the contents, rather than custom Cisco-only scripts.
>
> Cheers
>
> [1] I actually prefer a daily cronjob of various types of 'catches of
> the day', generated from awk/perl scripts that get dumped into
> my mailbox. For example, 'top ten' egress user IP's appearing
> in the firewall. This is just how I like to butter my bread
> though :)
> [2] I really like the output from "$ISODATE $FULLHOST
> <$FACILITY.$PRIORITY> $MSGHDR$MSGONLY"
>
> --
> Alexander Clouter
> .sigmonster says: Thank God I'm an atheist.
>
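As an added example (not from the thread, and not Clayton's parser), here is a Python version of the same idea that covers both halves of the discussion: it parses the tab-delimited output of the template quoted above, splits the IOS sequence number and the '*'/'.' clock marker out of the message body and maps the marker to its meaning from the table, extracts the %FACILITY-SEVERITY-MNEMONIC, and re-renders each record in the "$ISODATE $FULLHOST <$FACILITY.$PRIORITY> ..." shape Alexander prefers. The device timestamp is only exposed as trusted when the marker says the clock is authoritative; otherwise the collector's receive time is what you have. The sample records are constructed, and an empty $PROGRAM field for IOS senders and the exact IOS timestamp layouts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Record layout produced by the syslog-ng template quoted in the post:
#   "$S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY"
# Assumption: $PROGRAM may be empty for IOS senders, so it is matched with [^\t]*.
RE_RECORD = re.compile(r"^(\S+ \S+)\t([^\t]+)\t(\d+)\t([^\t]*)\t(.*)$")

# IOS message body (assumed layout): optional "NNN: " sequence number, optional
# clock-state marker ('*' or '.'), the device's own timestamp, then %FACILITY-SEV-MNEMONIC.
RE_IOS_BODY = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?P<marker>[*.]?)"
    r"(?P<dev_ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"
    r"(?:\.\d{3})?(?:\s+[A-Za-z]+)?):\s+"
    r"%(?P<cfac>[A-Z0-9_-]+?)-(?P<csev>\d)-(?P<mnem>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Meaning of the clock-state marker, as tabulated in the post.
CLOCK_STATE = {
    "": "authoritative",             # in sync, or just set manually
    "*": "not-authoritative",        # never set / not in sync
    ".": "authoritative-ntp-lost",   # was in sync, lost all configured NTP servers
}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Event:
    received: str             # collector time from the template ($S_* macros)
    host: str
    facility: str
    severity: str
    program: str
    seq: Optional[int]        # IOS sequence number, if "service sequence-numbers" is on
    clock_state: str          # a CLOCK_STATE value, or "n/a" for non-IOS bodies
    device_ts: Optional[str]  # the device's own timestamp, verbatim
    mnemonic: Optional[str]   # e.g. "LINK-3-UPDOWN"
    text: str

    @property
    def trusted_device_ts(self) -> Optional[str]:
        """Device timestamp only when the device itself says its clock is good."""
        return self.device_ts if self.clock_state == "authoritative" else None


def parse_record(line: str) -> Optional[Event]:
    m = RE_RECORD.match(line.rstrip("\n"))
    if not m:
        return None
    received, host, pri_s, program, body = m.groups()
    pri = int(pri_s)
    if pri > 191:                      # PRI = facility*8 + severity, facility <= 23
        return None
    fac, sev = divmod(pri, 8)
    b = RE_IOS_BODY.match(body)
    if b:
        seq = int(b["seq"]) if b["seq"] else None
        clock, dev_ts = CLOCK_STATE[b["marker"]], b["dev_ts"]
        mnemonic = f"{b['cfac']}-{b['csev']}-{b['mnem']}"
        text = b["text"]
    else:                              # not IOS-shaped (e.g. squid): keep body verbatim
        seq, clock, dev_ts, mnemonic, text = None, "n/a", None, None, body
    return Event(received, host, FACILITIES[fac], SEVERITIES[sev], program,
                 seq, clock, dev_ts, mnemonic, text)


def normalize(ev: Event) -> str:
    """Render in the '$ISODATE $FULLHOST <$FACILITY.$PRIORITY> ...' shape from the thread,
    with the sequence number and clock marker moved out of the message text."""
    head = f"{ev.received.replace(' ', 'T')} {ev.host} <{ev.facility}.{ev.severity}>"
    if ev.mnemonic is None:
        return f"{head} {ev.text}"
    tag = "" if ev.clock_state == "authoritative" else f" [clock={ev.clock_state}]"
    return f"{head}{tag} %{ev.mnemonic}: {ev.text}"


# Constructed sample records (not captured from real devices); the last one is a
# squid access-log style line to show non-IOS bodies passing through untouched.
SAMPLE_RECORDS = [
    "2011-03-07 15:28:35\tcore-sw1\t187\t\t000123: *Mar  7 14:28:35.123 UTC: "
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "2011-03-07 15:29:01\tedge-rtr2\t189\t\t.Mar  7 14:29:01: "
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "2011-03-07 15:29:30\tdist-sw3\t189\t\tMar  7 2011 14:29:30.001 UTC: "
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "2011-03-07 15:30:00\tproxy1\t30\tsquid\t1299511800.123 45 10.0.0.7 "
    "TCP_MISS/200 1024 GET http://example.com/ - DIRECT/- text/html",
]


def normalize_all(records=SAMPLE_RECORDS):
    return [normalize(ev) for ev in map(parse_record, records) if ev is not None]


if __name__ == "__main__":
    for line in normalize_all():
        print(line)
```

The point of `trusted_device_ts` is the one Alexander raises: a '*' or '.' line should not be allowed to set the event time in your output, so the normalized line keeps the collector's time up front and only tags the clock state. Records with an out-of-range PRI are rejected rather than mapped to a bogus facility.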