Hi Marcus,

At 09:57 AM 1/9/2002 -0500, Marcus J. Ranum wrote:
>I'm working on a sort of syslog parser thingie that will be released in
>a couple months. It's rule-driven and can pretty much consume anything
>you throw at it (so far, anyhow...) - and of course I'm bumping up against
>the numerous incompatibilities of various syslog message formats.

What incompatibilities? ;-)

>Does anyone have any notes on the various syslog header layouts
>that are out there in the wild? I'm mostly interested in the various
>
>dd/mm/yy host: program[pid]
>dd/mm host: program:
>
>type stuff.

The timestamp is most often formed with strftime in the format of "%h %e %T". IOS (Cisco routers and switches) usually uses that format and also supports the appendage of various other options. You may do the following:

Router(config)# service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  <cr>

Adding any of those options will change the format somewhat. Adding msec will append a decimal and 3 characters of millisecond information after the time, such as:

11 Jan 09:10:11 becomes 11 Jan 09:10:11.123

Inserting uptime is an option in IOS as well. You can do that with a config line of

service timestamp log uptime

That can be combined with the datetime options to form all sorts of really funny looking log entries.

Many of our routers don't have hardware clocks. They will boot up with the knowledge that it is just past midnight (UTC) on Monday, March 1, 1993. (I'm not sure that's consistent with all routers but that's what my 2500 says.) When they do this, the time may be corrected either through "clock set ..." or through ntp. If the router doesn't get an authoritative adjustment, then it will prepend the timestamp in the syslog messages with an asterisk. syslog servers will not recognize this as a correctly formatted timestamp and will mangle it appropriately.
The "program" information in IOS is usually some additional information to the source of the generator of the message. It starts with "%" and ends with a ":" such as "%SYS-5-CONFIG_I: ". The first part is usually the name of the subsystem, the middle part is the severity value (repeated since it's also in the PRI), and the third part gives a bit more detail of what's going on. The PID is left off since there is no concept of that in IOS.

>Less interested in the message contents - that's another
>problem for another day. :)
>
>Off-topic: whatEVER were they thinking when they didn't include the
>_year_ in syslog messages? Eesh...

I talked to Eric Allman about that. He was thinking that the information in the message was ephemeral; no one was ever really going to need to archive those things for very long. ;-)

Best of Luck,
Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
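A parser for the IOS header variants Chris describes (the "%h %e %T" timestamp, the "msec" and "show-timezone" additions, the leading "*" on an unsynchronised clock, the "%FACILITY-SEVERITY-MNEMONIC:" tag, and the missing year), written as an added example for this thread rather than code from either poster. It assumes the messages arrive without a hostname or PRI prefix, and the sample lines and the collector clock are constructed.

```python
import re
from datetime import datetime

# Header shape for messages as they leave an IOS router (no hostname, no PRI),
# assumed from the description above: optional "*" when the clock was never set,
# "%h %e %T" timestamp, optional ".mmm" from "msec", optional zone name from
# "show-timezone", then the "%FACILITY-SEVERITY-MNEMONIC:" tag.
HEADER_RE = re.compile(
    r"^(?P<unsynced>\*)?"
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<msec>\d{3}))?"
    r"(?: (?P<zone>[A-Z]{3,5}))?"
    r":? %(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)

# Constructed collector clock (the archive's own timestamp), used to supply the year.
COLLECTOR_NOW = datetime(2002, 1, 13, 15, 22, 7)

def parse_ios_line(line, now=COLLECTOR_NOW):
    """Return a dict for one IOS syslog line, or None if the header does not match.

    `now` supplies the year syslog omits: a month/day that would lie in the
    future relative to `now` is taken to belong to the previous year.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    stamp = f"{d['mon']} {d['day']} {d['time']}"
    ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    if ts > now:
        ts = datetime.strptime(f"{now.year - 1} {stamp}", "%Y %b %d %H:%M:%S")
    if d["msec"]:
        ts = ts.replace(microsecond=int(d["msec"]) * 1000)
    return {
        "timestamp": ts,
        # "*" means no "clock set" or NTP sync: the time counts from the router's
        # default epoch and must not be used to correlate with other sources.
        "clock_unsynced": d["unsynced"] == "*",
        "zone": d["zone"],
        "facility": d["facility"],
        "severity": int(d["severity"]),
        "mnemonic": d["mnemonic"],
        "message": d["msg"],
    }

# Constructed sample lines, not captured from a real device.
SAMPLE_LINES = [
    "Jan 11 09:10:11: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:00:12.123 UTC: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up",
    "Jan 11 09:10:11 host sshd[123]: accepted publickey for bob",
]
```

The third sample is a plain BSD-style line and is rejected, which is the point: records flagged `clock_unsynced` or left unparsed should be counted and surfaced rather than silently dropped.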
This archive was generated by hypermail 2b30 : Sun Jan 13 2002 - 15:22:07 PST