I need some help on parsing incoming data (text) for extracting "Cisco Mnemonics" in my Perl program.
Messages generated by Cisco IOS devices begin with a percent sign (%) and use the following format:
The mnemonic is a device-specific code that uniquely identifies the message, such as "up", "down", "changed", "config", etc.
The "facility" in Cisco mnemonics refers to a Cisco-assigned facility; it has nothing to do with the IETF definition of a "facility" integer (0-23).
Examples of Cisco-mnemonic facilities are:
%SYS-0-SYS_LCPERR0 (SYS is the Cisco facility here)
%SYS-5-CONFIG_I: (SYS is the Cisco facility here)
%STANDBY-6-STATECHANGE: (STANDBY is the Cisco facility here)
%DOT11-7-AUTH_FAILED: (DOT11 is the Cisco facility here)
Example of incoming messages that need to be parsed:
[url removed, login to view] 164 %ASA-4-106023 Deny tcp src outside:[url removed, login to view] dst inside:[url removed, login to view] by access-group \"outside_acl\" [0x0, 0x0]
[url removed, login to view] 186 248382 : : 199050: Jul 28 10:34:13.89 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:CriticalServiceDown Detail:You better look at the cluster NOW!!! Service status is DOWN. A Cisco DB. The alert is generated on Wed Jul 28 06:34:13 EDT 2010 on node 184.108.40.206. App ID:Cisco AMC Service Cluster ID: Node ID:cm6-north-pub
[url removed, login to view] 166 Juniper 2010-07-12 15:40:41 - sdhq-ssl-02-01 - [220.127.116.11] sege\\dmcclure(Extranet)[Extranet - External Sharepoint Portal] - WebRequest ok : Host: [url removed, login to view], Request: GET /sites/GlobalSOX/Shared%20Documents/Forms/[url removed, login to view] HTTP/1.1
[url removed, login to view] 86 CRON pam_unix(cron:session): session opened for user root by (uid=0)
Note that some messages have the mnemonics, some don't. Some messages may match multiple mnemonics in the same line - I just want the first.
I've created a script to parse a sampling of logs and apply a regex pattern to them. It works...MOSTLY. I need someone to make it work PERFECTLY.
My current REGEX:
my $re_mne = qr/%(\w+.+?-[0-7]-\w+.?)[:|\s]/;
But it fails to capture properly on some messages.
I will expect you to sign a non-disclosure agreement because some of my log data is from other customers.
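One way to extract the first Cisco tag from mixed log lines, as an added example that is not part of the original post. It assumes upper-case tokens, optional sub-facilities between facility and severity (as in CCM_RTMT-RTMT), and hyphens inside the mnemonic (as in RTMT-ERROR-ALERT); the name first_cisco_mnemonic and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed shape: %FACILITY[-SUBFACILITY...]-SEVERITY-MNEMONIC, upper-case
# tokens, severity 0-7, ended by a colon, whitespace or end of line.
my $re_mne = qr{
    (?<![A-Za-z0-9])                   # not inside a word, e.g. Shared%20Documents
    %
    ( [A-Z][A-Z0-9_]* )                # 1: Cisco facility, e.g. SYS, ASA, CCM_RTMT
    ( (?: - [A-Z][A-Z0-9_]* )* )       # 2: optional sub-facilities, e.g. -RTMT
    - ( [0-7] ) -                      # 3: severity digit
    ( [A-Z0-9_]+ (?: - [A-Z0-9_]+ )* ) # 4: mnemonic, hyphens allowed inside
    (?= [:\s] | \z )                   # terminator is not part of the capture
}x;

# Returns a hashref for the leftmost tag in the line, or undef if there is none.
sub first_cisco_mnemonic {
    my ($line) = @_;
    return unless defined $line && $line =~ $re_mne;
    my ($fac, $subfac, $sev, $mne) = ($1, $2, $3, $4);
    return {
        tag      => "$fac$subfac-$sev-$mne",
        facility => $fac,
        severity => $sev,
        mnemonic => $mne,
    };
}

# Constructed sample lines modelled on the post; addresses are RFC 5737 placeholders.
my @samples = (
    '192.0.2.10 164 %ASA-4-106023 Deny tcp src outside:198.51.100.7 dst inside:192.0.2.20 by access-group "outside_acl" [0x0, 0x0]',
    '192.0.2.11 186 248382 : : 199050: Jul 28 10:34:13.89 UTC : %CCM_RTMT-RTMT-2-RTMT-ERROR-ALERT: RTMT Alert Name:CriticalServiceDown',
    '192.0.2.12 166 Juniper 2010-07-12 15:40:41 - WebRequest ok : Request: GET /sites/GlobalSOX/Shared%20Documents/Forms/ HTTP/1.1',
    '192.0.2.13 86 CRON pam_unix(cron:session): session opened for user root by (uid=0)',
    '192.0.2.14 90 %SYS-5-CONFIG_I: Configured from console, then %LINK-3-UPDOWN: Interface up',
);

for my $line (@samples) {
    my $hit = first_cisco_mnemonic($line);
    printf "%-34s <= %.50s\n", $hit ? $hit->{tag} : '(none)', $line;
}
```

Because the match is not global, only the leftmost tag on a line is returned, and the URL-encoded `%20` in the Juniper line is rejected by the facility rule.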