Cisco Format

[Joost van Baal]

Hi,

I _finally_ handled this mail...

On Sun, Nov 02, 2003 at 11:02:00AM +1100, Edwin Groothuis wrote:
> On Fri, Oct 31, 2003 at 02:39:37PM +0100, Wytze van der Raay wrote:
> > anderson wrote:
> > 
> > > I've set up Lire and everything seems fine except that it doesn't seem
> > > to get any data when I ask it to parse my Cisco router's log. The format
> > > is as below:
> > > 
> > > Oct 31 09:00:53 192.168.0.223 83843: *Mar  8 17:58:46:
> > > %SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.168.0.28(3128)
> > > (FastEthernet1/0 0002.55d6.92a3) -> 192.168.0.33(3607), 1 packet
> > > 
> > > It seems that cisco_ios2dlf expects that log->{process} will contain
> > > '%SEC-6-IPACCESSLOGP' but Lire::Syslog has placed (using the above
> > > example) '83843' in log->{process} instead.
> > 
> > Lire::Syslog is confused by the asterisk (*) preceding the cisco-
> > generated time stamp "*Mar  8 17:58:46". Do you know why it is there?
> 
> Means the machine is not NTP time synced.

The fix is:

-           (?:\w\w\w\s+\d\d?\s(?:\d+\s+)?[\d:.]+(?:\s[a-z]{3})?:\s)?
+           (?:\*?\w\w\w\s+\d\d?\s(?:\d+\s+)?[\d:.]+(?:\s[a-z]{3})?:\s)?

in all/lib/Lire/Syslog.pm .

It's in CVS now, so will be included in the upcoming release.  Thanks
for your bugreport!

Bye,

Joost

-- 
.    .                                        http://logreport.com/
| '.|                        /^LogReport$/
| Lire                                        http://logreport.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.logreport.org/pipermail/questions/attachments/20040318/c082add7/attachment.bin