[syslog-ng] cisco/squid feedback

Clayton Dukes cdukes at gmail.com
Mon Mar 7 17:03:24 CET 2011


>but but but...
>
>
> http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339

Yep...I'm trying to get the WP corrected (which was based on another
incorrect document at cisco.com), but it's difficult to get WP's updated
(large company, trying to find out *who* can make the change).

>In my defence, I cannot find where this is documented on the Cisco website.
Can't say I blame you :-)

______________________________________________________________

Clayton Dukes
______________________________________________________________


On Mon, Mar 7, 2011 at 10:58 AM, Alexander Clouter <alex at digriz.org.uk> wrote:

> Hi,
>
> * Clayton Dukes <cdukes at gmail.com> [2011-03-07 09:28:35-0500]:
> >
> > The * and . characters are NTP problems - they mean that your devices are
> > not configured/synched properly:
> > Symbol  Description
> >
> but but but...
>
>
> http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000339
>
> "Cisco IOS Software allows devices to be configured to send the
> time-zone information in the message part of the Syslog packet. When
> this occurs, the message will be marked with an asterisk (*)."
>
> Or does 'message' here mean $MSG?
>
> > *       Time is not authoritative: the software clock is not in sync or
> > has never been set.
> >
> > (blank) Time is authoritative: the software clock is in sync or has just
> > been set manually
> >
> > .       Time is authoritative, but NTP is not synchronized: the software
> > clock was in sync, but has since lost contact with all configured NTP
> > servers
> >
> /me adds another thing to his todo list of things to fix :-/
>
> In my defence, I cannot find where this is documented on the Cisco website.
>
> > I'm using:
> > $S_YEAR-$S_MONTH-$S_DAY $S_HOUR:$S_MIN:$S_SEC\t$HOST\t$PRI\t$PROGRAM\t$MSGONLY\n
> >
> > I use tabs as a delimiter, but of course you can use the delim of your
> > choice :-)
> >
> > In my parser, I use:
> > my $re_pipe = qr/(\S+ \S+)\t(\S+)\t(\d+)\t(\S+).*\t(.*)/;
> > my $re_mne = qr/\%([A-Z\-\d\_]+?\-\d+\-[A-Z\-\_\d]+?)(?:\:|\s)/; # Cisco Mnemonics capture
> >
> > ...while loop:
> > # v3.2 Fields are: TS, Host, PRI, Program,  and MSG
> >  if ($msg =~ m/$re_pipe/) {
> >         $ts = $1;
> >         $host = $2;
> >         $pri = $3;
> >         $facility = int($pri/8);
> >         $severity =  $pri - ($facility * 8 );
> >         $prg = $4;
> >         $msg = $5;
> >
> Much like the squid rewriter on the page, I did use a perl script
> originally, then worked out how (with a monkey wrench) I could persuade
> syslog-ng to do my dirty work :)
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Life is cheap, but the accessories can kill you.
>
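
The fields and clock markers discussed in this message, as an added example (not code from the thread or from either poster): a Python port of the parsing step that splits the tab-delimited template output, decodes PRI into facility and severity, extracts the Cisco mnemonic, and maps the `*` / `.` marker to the meanings listed above. The sample lines are constructed, and the position of the device timestamp at the start of the message text is an assumption.

```python
import re

# Tab-separated fields written by the template quoted above:
# "date time", host, PRI, program (may be empty here), message.
LINE_RE = re.compile(r'^(\S+ \S+)\t(\S+)\t(\d+)\t([^\t]*)\t(.*)$')
# Python port of the Cisco mnemonic pattern quoted above (FACILITY-SEVERITY-MNEMONIC).
MNEMONIC_RE = re.compile(r'%([A-Z\-\d_]+?-\d+-[A-Z\-_\d]+?)(?::|\s)')
# Assumption: the device's own timestamp starts the message text, optionally
# after a sequence number, with the clock marker directly before the month.
CISCO_TS_RE = re.compile(
    r'^\s*(?:\d+:\s*)?([*.]?)[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}')

CLOCK_STATE = {'*': 'not authoritative',
               '': 'authoritative',
               '.': 'authoritative, NTP not synchronized'}

# Constructed sample lines (not taken from the thread).
SAMPLES = [
    "2011-03-07 17:03:24\trtr1\t189\t\t*Mar  1 00:00:10.123: %SYS-5-CONFIG_I: Configured from console by console\n",
    "2011-03-07 17:03:25\tsw2\t187\t\t.Mar  7 16:03:25.001: %LINK-3-UPDOWN: Interface Fa0/1, changed state to down\n",
    "2011-03-07 17:03:26\tsw3\t189\t\tMar  7 16:03:26.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface Fa0/1, changed state to up\n",
]

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the template."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    ts, host, pri, program, msg = m.groups()
    pri = int(pri)
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    ts_m = CISCO_TS_RE.match(msg)
    mne = MNEMONIC_RE.search(msg)
    return {
        'ts': ts, 'host': host, 'program': program,
        'facility': pri // 8, 'severity': pri % 8,
        'clock': CLOCK_STATE[ts_m.group(1)] if ts_m else None,
        'mnemonic': mne.group(1) if mne else None,
    }

def unsynced_hosts(lines):
    """Hosts whose device clock marker is '*' or '.', so their timestamps need care."""
    recs = (parse_line(l) for l in lines)
    return sorted({r['host'] for r in recs
                   if r and r['clock'] not in (None, 'authoritative')})

print(unsynced_hosts(SAMPLES))
```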