[j-nsp] the suffering of syslog parsing

Richard A Steenbergen ras at e-gerbil.net
Mon Apr 13 00:51:02 EDT 2009


While trying to parse syslog output from Juniper routers, I noticed two
distinct types of output when logical-routers are used. The normal 
looking behavior is:

Apr 12 20:40:19  routername lrname:rpd[4737]: %DAEMON-6-RPD_LDP_SESSIONUP: LDP session 1.2.3.4 is up
Using the format "routername lrname:process: %EVENT: message".

But some other messages come up in a very different format:

Mar 30 21:23:59  routername lrname: %DAEMON-4: rpd[4737]: bgp_read_v4_message:8478: NOTIFICATION received from 1.2.3.4 (Internal AS 1234): code 6 (Cease) subcode 3 (Peer Unconfigured)
Using the format "routername lrname: %EVENT: process: message".

Obviously this is a pain to parse reliably if you don't know the name of
the LRs beforehand, and the reordering of the event/process fields in
this particular case just makes things even more fun. It looks like this
only happens when there is no specific "event" generating the log (the
kind of event you could match in event-options policies), which for me
is mostly things like trace_on/trace_rotate and a few bgp events like
the example above.

Before I spend any more time on this I'm wondering if anyone else has
dealt with these issues already, and specifically if there are any other
weird format abnormalities to handle?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
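
An added example, not part of the original post: one way to normalize the two layouts described in the message without knowing the logical-router names in advance. It assumes the process name never contains whitespace or a colon and that the tag always starts with %FACILITY-SEVERITY; the function, layout and field names are illustrative.

```python
import re

# Shared prefix: timestamp, router name, logical-router name and its colon.
HEAD = (r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+"
        r"(?P<host>\S+)\s+(?P<lr>[^\s:]+):")
PROC = r"(?P<proc>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?"
TAG = r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)(?:-(?P<event>[A-Z0-9_]+))?"

LAYOUTS = (
    # "routername lrname:process: %EVENT: message" (no space after the LR colon)
    ("process-first", re.compile(rf"^{HEAD}{PROC}: {TAG}: (?P<msg>.*)$")),
    # "routername lrname: %EVENT: process: message" (tag directly after the LR)
    ("tag-first", re.compile(rf"^{HEAD} {TAG}: {PROC}: (?P<msg>.*)$")),
)

def parse(line):
    """Return a dict of fields for either layout, or None if neither matches."""
    for name, rx in LAYOUTS:
        m = rx.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["layout"] = name
            rec["severity"] = int(rec["severity"])
            rec["pid"] = int(rec["pid"]) if rec["pid"] else None
            return rec
    return None

def summarize(lines):
    """Split lines into parsed records and raw lines that matched no layout."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse(line)
        if rec:
            parsed.append(rec)
        else:
            unparsed.append(line)  # keep, so unknown formats are not silently lost
    return parsed, unparsed

# The two lines quoted in the post, plus one constructed line that fits neither.
SAMPLES = [
    "Apr 12 20:40:19  routername lrname:rpd[4737]: %DAEMON-6-RPD_LDP_SESSIONUP: LDP session 1.2.3.4 is up",
    "Mar 30 21:23:59  routername lrname: %DAEMON-4: rpd[4737]: bgp_read_v4_message:8478: NOTIFICATION received from 1.2.3.4 (Internal AS 1234): code 6 (Cease) subcode 3 (Peer Unconfigured)",
    "Apr 12 20:41:00  routername lrname: last message repeated 3 times",
]

if __name__ == "__main__":
    good, bad = summarize(SAMPLES)
    for r in good:
        print(r["layout"], r["host"], r["lr"], r["proc"], r["event"], r["msg"])
    print("unparsed:", bad)
```

Both layouts yield the same field set, with `event` left as None when the tag carries only facility and severity.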

