So first of all the CLI output is never really intended to be parsed. It's intended to be formatted so it's human readable in the console. The API is there for programatically interacting with the data.

But just for fun I ran a line of output through python's str.split() method (which handles tabs and spaces the same way) and got pretty reasonable output:

 str.split(" 10.1.1.51 80:5e:c0:37:29:e8 FON-D71-B Fortinet 12 Mon Mar 6 13:48:47 2023")
['10.1.1.51', '80:5e:c0:37:29:e8', 'FON-D71-B', 'Fortinet', '12', 'Mon', 'Mar', '6', '13:48:47', '2023']

 As predicted the date is an issue but that can be pre-processed to avoid the issue. Anyway it's possible to parse it if you really want to. But yeah just use the API.

As for the server ID column issue I'd recommend opening a TAC case so they can confirm whether it's a bug or something else and if its a bug they can get it fixed.

This forum is not intended for bug fix requests; that would definitely be TAC's job.

It doesn't really matter what you did with Python.  The output results in fields with no separator character, and as a result the columns won't even line up.  If a client uses a hostname and VDI the reader can't immediately separate from one another they'll have no way to tell which one is what regardless.  You didn't see your code malfunction because you chose super-easy test data.  ...and for the record, only amateurs "pre-process" data in the way you're suggesting.  Processing the same data twice should be considered a bug. Professional programmers would use something more like (\D{3})\s(\D{3})\s+(\d{1,2})\s(\d{1,2}:\d{2}:\d{2}\s\d{4})$ to catch the date at the end, but that wouldn't even be necessary if the entire line were simply tab-separated fields as has been a fairly common practice for oh... thirty or forty years now.

I guess I'll just stop submitting bug requests entirely since it always seems to require a detailed accounting of every aspect of our network--including the unrelated ones, followed by several phone calls, and hours spent watching someone from Tier I over a GoToMeeting window make blind guesses.

I submitted a report about a problem with multicast packets not being reported properly in SNMP mibs, and that is basically what happened.  I submitted a report about the policy check tool not showing an interface necessary to testing VPN policies, and after a couple of weeks got a suggestion to do the same thing that I had first tried which somewhat predictably still did not work.

This is just not worth my time.  I just figured other users might like to have a way to have their problems confirmed with a web search.

You wanted to parse the output. I showed you how to do it with Python. So I'n not sure why you're telling me it doesn't matter?

Anyway you have access to the API now so hopefully you're all good.

No, you showed me how to do it badly with python while continuing to pretend there was no problem at all with parsing (or even reading) malformed output.

The whole "issue" of the date was your problem, by the way.  Binding a match to the end of the line to grab a date that is being formatted correctly (or at least predictably) makes it possible to reliably extract three of the fields, and most of a fourth (hostnames longer than 20 characters will always be truncated).  Like I said in the initial post, it's just annoying that the date lacks a mention of a timezone, but after a few decades it becomes clear no one ever listens about that until they've got a massive pile of indecipherable times on their hands.

Just to be clear, your recommendation to make all of the fields tab-delimited would never be implemented. It would make the readability far worse (columns would not line up in any predictable manner). So in this case the use of mixed tabs and spaces is best used for readability. Either way, parsing is done via API as usual.

My python output was just showing you that you could parse it despite your claims to the contrary. Obviously it was just a starting point and would require a bit more work to get things separated out properly but it's possible with the start of separating out the fields using str.splt(). That's what I was tyring to show you. You are claiming it's impossible. It is not.

Timezone thing is weird.. I'm not sure why you'd want it to show it by default. I mean it's clearly in the device's time zone. Why would output be in a different timezone? When I look at my linux syslog or windows event log I'm not provided a timezone. It's implied that it would be the local device's timezone.

---

@gfleming wrote:

Just to be clear, your recommendation to make all of the fields tab-delimited would never be implemented. It would make the readability far worse (columns would not line up in any predictable manner). So in this case the use of mixed tabs and spaces is best used for readability. Either way, parsing is done via API as usual.

Let me be extra clear about this since you seem to keep ignoring me saying it...  The way things stand now, fields run into each other and fields longer than 20 characters cause everything to shift to the right which is already a legibility issue.  If I send a hostname or VDI field in a malicious lease request that contains "Any-19-characters someothernonsense " (and let me assure you this is allowed for VDI) then you've got no way to read that line correctly with 100% accuracy because I've made it utterly impossible.  If a simple change to a fully tab-separated format string "would never happen" then ya'll's company just ain't long for this earth.  You're crossing the 50% market-share threshold now which means playtime is over because your product is now an attractive target for blackhat developers who will not hand-wave away things like this.  They'll poke and prod at them until they've mapped the full scope and breadth of the problem or until a marketable vulnerability falls out.

@gfleming wrote:

My python output was just showing you that you could parse it despite your claims to the contrary. Obviously it was just a starting point and would require a bit more work to get things separated out properly but it's possible with the start of separating out the fields using str.splt(). That's what I was tyring to show you. You are claiming it's impossible. It is not.

There's a couple of things wrong with what you were doing, and I'll repeat them since you don't seem to be reading very carefully.  The first is that it was amateurish and the second was that it was wrong.  One does not parse the same data twice (because this basically guarantees you're wasting clock cycles).  Scanning subsections of that (i.e., the parts you chopped it into in the first pass) for different criteria is fine, but the same input multiple times in different ways is a hard no because it will always be inefficient and sometimes not even possible because of restrictions on the device or the data stream itself.  ...and you certainly can't use str.split on a line full of whitespace when several of those fields can themselves contain whitespace because that's just dead wrong.  Sure you can lop the date off the end of the resulting list because you know how many fields it contains, but both the VDI and the SSID can happily contain whitespace and at that point your method breaks even more.  Some people would have considered me casually posting a very long and nasty-looking regular expression (which would have been longer and nastier-looking but I didn't want to presume localization) to be a hint.  This is some stuff I've known about for more than thirty years ago when I was just a kid, so wtf man.  You're also literally relying on an admins eyeballs for the correct interpretation of the info, and those eyeballs are generally the weakest components in the entire system.  The VDI field can readily be 255 characters which is enough space for someone feeling lucky about guessing line lengths to spoof an entire second line of fake information and frankly I don't even want to know if that information still needs to be sanitized further to prevent someone from pulling a warez-kid stunt from the 90's and just starting their VDI with newline-uparrow so they can overwrite the entire line and hide their actual information.  Thanks to the existance of unicode, programmers have a reason to actually not de-taint that data right away and I didn't notice anything in the RFCs about requiring only printable ASCII.  Coding with great precision and not just going "ah it's good enough for the admin to read" eliminates ever having to ask those kinds of questions and it's literally not my job to find your vulns for you, but I can certainly think of some people whose jobs it is to at least find them.

...and I have no idea why you keep ignoring me saying that after a few results what's coming out for what should be the enumerated number of the DHCP scope which would typically be an unsigned int of no more than two characters (unless someone's staff has absolutely lost their minds with individual DHCP scopes for every port on a switch or something) is coming back as signed long integers.  I've literally got lots of numbers like -151738136 showing up in the list, and that sort of attention to detail in coding makes red-teamers breathe funny.  There is no reality in which that code is reading the correct part of the struct unless the struct itself is being constructed improperly and either of these things going unnoticed is actually quite bad (does the compiled binary somehow not even notice a segmentation problem?).  So much for trying to downplay that so as not to draw attention.

---

@gfleming wrote:

Timezone thing is weird.. I'm not sure why you'd want it to show it by default. I mean it's clearly in the device's time zone. Why would output be in a different timezone? When I look at my linux syslog or windows event log I'm not provided a timezone. It's implied that it would be the local device's timezone.  

---

There's nothing weird about that, although it's not something people used to dealing with small networks are likely to realize.  Typically people who have a network containing devices in more than one time zone work this out on their own, but over time engineers dealing with times and dates tend to learn either from being told or from having to cleaning up the resulting disastrous mess.  (Try to avoid being in the latter group.  It'll always be worse than you think.)  Timestamps should preferentially be in GMT (since it's unambiguously convertible to every other timezone) or indicate their specific time zone (including daylight saving time status) or they simply stop being unambiguous time indicators (which might make them useless or even counter-productive).  The moment you begin doing any kind of centralized logging involving multiple time zones you're pretty much just wasting storage space unless those times contain the timezone from the very start.  Four extra bytes of output is just not an exorbitant cost for making life so much easier.

I'm not going to comment on Windows, but Linux admins know the simple solution for this (beyond making sure ntpd/chrony are actively keeping the clock as accurate as possible) when one is dealing with a WAN that crosses timezones is to just go ahead and set the system's timezone to GMT (because it doesn't care!) and use /etc/profile or whatever else is handy to set the timezone for the local users using the TZ variable (because they do care).  That way there's nothing vague or confusing about any of the timestamps in the (centralized) logs and no one ever has to resort to saying "Well, it came after this event in the logs so it must have happened after that event" because that's not guaranteed to be true either thanks to (yay) physics and network latency.  Recording the time in an unambigous way might also some day prevent you from being eaten alive by defense attorneys.  Even with respect to the human interface, having the time zone right there keeps the user from having to guess or need to be reminded that it's not their timezone that they're looking at.  Some folks might find this information rather important when it comes to leases that are within an hour of expiring.

TL;DR: Store as GMT (or epoch seconds), convert to time zones only when showing the user.  Always.

All this effort in responding to me could have been spent opening a TAC case to talk about your potential server ID bug (which I did not ignore and recommended you open a TAC case as it sounded like you might be hitting a bug but you didn't want to do that because it was "not worth your time"). You've likely spent more time here than you would have with TAC.

Next, if we made all the fields tab-delimited you would be whining here again because nothing would line up at all (except the first three columns), even entries that had short VCIs. Once you hit the third column, hostnames, you'll have a lot of variety in field lengths and once you go tab-delimited from there all the following columns will be out of joint.  And yes I agree it's annoying that longer VCI fields cause misalignment but then the only soltuion there is to truncate and that would also **bleep** people off. It's not hard to recognize the next two fields as server ID and Expiry time. So it's probably the best solution as it stands to use tabs where needed and spaces where needed to make it as humanly readable as possible without losing data (i.e. truncating fields). Jumping to a conclusion that this is somehow a precursor to a security vulnerability is a bit much. And we are spending far too much time on this though. It's really not ever meant to be parsed. Please use the API. If you want VCI field to be truncated you can work with your account team to submit an NFR. 

But just to circle back on this you absolutely can parse this. There's a set number of characters between each field. It's easy to parse for each field based on these character counts regardless of if a field contains whitespace or not. But again..... it's not meant to be parsed. Use the API. And I'm laughing at you worrying about wasting clock cycles on a simple parse job. Sorry.

Again I don't know of any systems that default to showing time zones in local device output. Centralized DHCP lease logs from a Fortigate (FMG or FAZ) would work the same as your Linux syslog example. Timezones would be normalized. But again, for the use-case of having local device local output to show timezones you are free to submit an NFR if you think this would be useful to other users.