[syslog-ng] cisco/squid feedback

Alexander Clouter alex at digriz.org.uk
Mon Mar 7 16:58:57 CET 2011


Hi,

* Clayton Dukes <cdukes at gmail.com> [2011-03-07 09:28:35-0500]:
>
> The * and . characters are NTP problems - they mean that your devices are
> not configured/synched properly:
> Symbol  Description
> 
but but but...

http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339

"Cisco IOS Software allows devices to be configured to send the 
time-zone information in the message part of the Syslog packet. When 
this occurs, the message will be marked with an asterisk (*)."

Or does 'message' here mean $MSG?

> *       Time is not authoritative: the software clock is not in sync or has
> never been set.
> 
> (blank) Time is authoritative: the software clock is in sync or has just
> been set manually
> 
> .       Time is authoritative, but NTP is not synchronized: the software
> clock was in sync, but has since lost contact with all configured NTP
> servers
> 
/me adds another thing to his todo list of things to fix :-/

In my defence, I cannot find where this is documented on the Cisco website.

> I'm using:
> $S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n
> 
> I use tabs as a delimiter, but of course you can use the delim of your
> choice :-)
> 
> In my parser, I use:
> my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;
> my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture
> 
> ...while loop:
> # v3.2 Fields are: TS, Host, PRI, Program,  and MSG
>  if ($msg =~ m/$re_pipe/) {
>         $ts = $1;
>         $host = $2;
>         $pri = $3;
>         $facility = int($pri/8);
>         $severity =  $pri - ($facility * 8 );
>         $prg = $4;
>         $msg = $5;
> 
Much like the squid rewriter on the page, I did use a perl script 
originally, then worked out how (with a monkey wrench) I could persuade 
syslog-ng to do my dirty work :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is cheap, but the accessories can kill you.
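
Added example, not part of the original message and not code from either poster or from syslog-ng: a Python rendering of the parsing discussed in the thread. It reads lines in the quoted tab-delimited template, decodes PRI, extracts the Cisco mnemonic, and reports hosts whose device timestamp carries the `*` or `.` marker. The sample lines, the function names and the assumption that the message starts with the device's own timestamp are constructed for illustration.

```python
import re

# Marker meanings as quoted in the thread; "" stands for the (blank) row.
CLOCK_STATE = {
    "*": "not authoritative",
    ".": "authoritative, NTP not synchronized",
    "": "authoritative",
}
# Assumed message layout: optional marker, then "Mmm d hh:mm:ss" from the device.
RE_MARKER = re.compile(r"^([*.]?)[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}")
# Cisco mnemonic pattern carried over from the quoted Perl ($re_mne).
RE_MNEMONIC = re.compile(r"%([A-Z\-\d_]+?-\d+-[A-Z\-_\d]+?)(?::|\s)")

def parse_line(line):
    """Split one TS, HOST, PRI, PROGRAM, MSG line; return None if malformed."""
    fields = line.rstrip("\n").split("\t", 4)
    if len(fields) != 5 or not fields[2].isdigit():
        return None
    ts, host, pri, program, msg = fields
    facility, severity = divmod(int(pri), 8)  # PRI = facility * 8 + severity
    marker = RE_MARKER.match(msg)
    mnemonic = RE_MNEMONIC.search(msg)
    return {
        "ts": ts, "host": host, "program": program, "msg": msg,
        "facility": facility, "severity": severity,
        # None means the message carried no device timestamp to inspect.
        "clock": CLOCK_STATE[marker.group(1)] if marker else None,
        "mnemonic": mnemonic.group(1) if mnemonic else None,
    }

def hosts_with_suspect_clock(lines):
    """Hosts whose device timestamp carried a '*' or '.' marker."""
    suspect = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["clock"] not in (None, CLOCK_STATE[""]):
            suspect[rec["host"]] = rec["clock"]
    return suspect

# Constructed sample lines (not from the thread), in the tab-delimited layout.
SAMPLE = [
    "2011-03-07 16:58:57\trouter1\t189\t1234\t*Mar  7 16:58:55.123: %SYS-5-CONFIG_I: Configured from console by vty0\n",
    "2011-03-07 16:59:01\tswitch2\t187\t88\t.Mar  7 16:59:00: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down\n",
    "2011-03-07 16:59:05\tcore1\t190\t91\tMar  7 16:59:05: %SEC-6-IPACCESSLOGP: list 101 denied tcp\n",
    "truncated line without tabs\n",
]

if __name__ == "__main__":
    for host, state in hosts_with_suspect_clock(SAMPLE).items():
        print(f"{host}: {state}")
```

Device timestamps from the hosts this reports are the ones to distrust when correlating events across devices; the syslog-ng receive time in the first field is unaffected.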

