Cisco Format
Wytze van der Raay
wytze at nlnet.nl
Fri Oct 31 14:39:37 CET 2003
anderson wrote:
> I've set up Lire and everything seems fine except that it doesn't seem
> to get any data when I ask it to parse my Cisco router's log. The format
> is as below:
>
> Oct 31 09:00:53 192.168.0.223 83843: *Mar 8 17:58:46:
> %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.168.0.28(3128)
> (FastEthernet1/0 0002.55d6.92a3) -> 192.168.0.33(3607), 1 packet
>
> It seems that cisco_ios2dlf expects that log->{process} will contain
> '%SEC-6-IPACCESSLOGP' but Lire::Syslog has placed (using the above
> example) '83843' in log->{process} instead.

Lire::Syslog is confused by the asterisk (*) preceding the cisco-
generated time stamp "*Mar 8 17:58:46". Do you know why it is there?
If you remove it (e.g. with sed -e 's/\*//' ), the cisco_ios2dlf
converter will have no trouble parsing this record.

If there is a good reason for the asterisk to be there, please report
it, and someone could adapt the extract_process function in Lire::Syslog
to deal with it (check the pattern below the comment "Remove extra
timestamp as sometimes sent by network devices").

Regards,
Wytze van der Raay
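
A narrower version of the sed workaround above, as an added example that is not part of the original message or of Lire's code: it strips the marker only where it sits directly in front of the device timestamp, so an asterisk elsewhere in a record is left alone. Cisco IOS prefixes the timestamp with `*` when the device clock is not authoritative and with `.` when it was set but has lost NTP sync, so the example also counts marked records before the marker is discarded. The record layout is assumed from the sample in the post; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed record layout (taken from the sample in the post):
#   <relay date> <host> <seq>: [*|.]<Mon D HH:MM:SS>: %FAC-SEV-MNEMONIC: text

# ERE: relay timestamp, sending host and sequence number, up to "<seq>: "
PREFIX='^([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} [^ ]+ [0-9]+: )'
# ERE: device-generated timestamp that follows the optional marker
DEVTS='([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2})'

# Remove a "*" or "." marker only in that one position (stdin -> stdout).
strip_cisco_ts_marker() {
    sed -E "s/${PREFIX}[*.]${DEVTS}/\\1\\2/"
}

# Count records whose device timestamp carries a marker, i.e. records whose
# device-side time should not be trusted when building a timeline.
count_marked() {
    grep -E -c "${PREFIX}[*.]${DEVTS}" || true   # grep exits 1 on zero matches
}

# Sample input: line 1 is the record from the post, joined onto one line;
# line 2 is constructed (no marker, but an asterisk inside the message text).
sample_log() {
    cat <<'EOF'
Oct 31 09:00:53 192.168.0.223 83843: *Mar 8 17:58:46: %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.168.0.28(3128) (FastEthernet1/0 0002.55d6.92a3) -> 192.168.0.33(3607), 1 packet
Oct 31 09:01:10 192.168.0.223 83844: Mar 8 17:59:03: %SYS-5-CONFIG_I: Configured from console by ops*1 on vty0
EOF
}

echo "marked records: $(sample_log | count_marked)"
sample_log | strip_cisco_ts_marker
```

The cleaned stream can then be passed on to the converter in place of the output of the plain `s/\*//` substitution.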