[j-nsp] Templates for logging from EX series

[Richard A Steenbergen]

On Wed, Jun 23, 2010 at 01:43:30PM -0400, Scott T. Cameron wrote:
> I'd recommend you not rely on Juniper to do this but instead do it
> yourself. If you output the entire contents of syslog to a syslog-ng
> server, you can do all of the intelligent filtering you need on the 
> server end.

I did it in PHP, but the concept is the same. If it saves anyone else
some time, here is how to parse a Juniper syslog message (using some
hard-coded assumptions of microseconds, explicit-priority, and UTC):

ereg("^<([^\ ]+)>([A-Za-z]{3} [0-9]{1,2} .{8}) (.*): %([^\ ]+): (.*)$", $input, $parse);

$timestamp              = strtotime(substr($parse[2], 0, 15) . " UTC");
$msg['timestamp']       = date("Y-m-d H:i:s", $timestamp);
$msg['process']         = $parse[3];
$msg['fsevent']         = $parse[4];
$msg['message']         = $parse[5];

/* Warning: logical-router messages are sometimes randomly backwards */
if ($msg['process'] == "searchforyourlrnameshere") {
        $msg['logical-router']  = "yourlrname";
        $process                = explode(":", $msg['message'], 2);
        $msg['process']         = $process[0];
        $msg['message']         = $process[1];
} else if (strpos(":", $msg['process'])) {
        $process                = explode(":", $msg['process'], 2);
        $msg['logical-router']  = $process[0];
        $msg['process']         = $process[1];
}


> Personally, I'd rather Juniper focus on fixing bugs for my SRX. :)

You don't know suffering until you've put the wife's Internet connection 
behind a buggy SRX. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)