Parse-Syslog-1.10/META.yml

# http://module-build.sourceforge.net/META-spec.html
#XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX#
name: Parse-Syslog
version: 1.10
version_from: lib/Parse/Syslog.pm
installdirs: site
requires:

distribution_type: module
generated_by: ExtUtils::MakeMaker version 6.30_01

Parse-Syslog-1.10/Changes

Revision history for Perl extension Parse::Syslog.

2007-12-30
    * release 1.10
    * DST-handling bugfix

2006-01-01
    * release 1.09
    * t/dst.t: don't use IO::Scalar if not available
    * fix '-' for STDIN

2005-12-31
    * release 1.08
    * really fix the DST-handling code (thanks a lot to Randy Smith for the debugging)

2005-12-29
    * released 1.06
    * fix dst.t test to work when the system timezone is not CET
    * small documentation fixes

2005-12-26
    * released 1.05
    * allow passing of a IO::Handle object to new
    * ignore FreeBSD's [LOG_XXX] string (Artur Penttinen)
    * fix timewarp during DST switch (reported by Anthony DeRobertis)

2005-09-12
    * internal release 1.04
    * allow : in hostname for IPv6 (Artur Penttinen)
    * allow @ in hostname for syslog-ng (Mark Loeser)

2004-07-11
    * released 1.03
    * support for metalog (based on code by Ralf Geschke)
    * support FreeBSD's verbose logging

2004-01-19
    * do not allow future dates (if allow_future is not true)

2002-10-28
    * released 1.02
    * fix off-by-one-hour error when running during daylight saving time switch

2002-05-25
    * released 1.01
    * added support for localized month names (uchum@mail.ru)

2002-05-02
    * released 1.00
    * HP-UX fixes (reported by Peter.Barlow@accenture.com)

2002-04-17
    * parse 'above message repeats xx times'

2002-01-29
    * released 0.05
    * allow space in program name (reported by alian@cpan.org)
    * low-case month names (reported by alian@cpan.org)
    * ignore '-- MARK --' (reported by alian@cpan.org)

2001-10-30
    * released 0.04
    * repeat "last-message-repeated xx times" for the same host
    * more robust year-increment algorithm
    * implemented arrayref option
    * faster time parsing (cache of timestamp for same day)

2001-08-20
    * released 0.03
    * implemented GMT option (scoobie@PamperedChef.dhs.org)
    * add year specification to test scripts
    * add better test for Solaris 8 message-id
    * add support for File::Tail objects
    * test 'last message repeated xx times' without message to repeat

2001-08-19
    * released 0.02
    * fix 'last message repeated xx times' without message to repeat
    * fix Solaris 8 message-id (include numbers in regex for local0, etc.)

2001-08-12
    * released 0.01
    * created by h2xs 1.21 with options -AX -n Parse::Syslog

Parse-Syslog-1.10/t/metalog.t

use Test;
use lib "lib";
BEGIN { plan tests => 4 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/metalog-syslog", year=>2004, type=>'metalog');
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/metalog-parsed") or die "can't open t/metalog-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/locale-syslog

Mai 12 06:55:06 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
Jun 7 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M
Dez 7 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M

Parse-Syslog-1.10/t/misc-syslog

Apr 24 19:09:40 remedy : su : + tty?? root-oracle
Apr 26 20:08:47 remedy above message repeats 2 times

Parse-Syslog-1.10/t/solaris26-syslog

Aug 7 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 7 22:11:19 otaniemi.ee.ethz.ch last message repeated 8 times
Aug 7 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M
Aug 7 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: <--- 200
Aug 7 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: NOOP command successful.
Aug 7 22:11:24 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 7 22:12:09 otaniemi.ee.ethz.ch last message repeated 9 times
Aug 7 22:12:11 tardis-a3.ee.ethz.ch sshd[16925]: Could not reverse map address 129.132.166.193.
Aug 7 22:12:11 testhost -- MARK --
Aug 7 22:12:11 tardis-a3.ee.ethz.ch sshd[16925]: Accepted password for haemmluk from 129.132.166.193 port 50395
Aug 7 22:12:14 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4

Parse-Syslog-1.10/t/filetail.t

use Test;
use lib "lib";
BEGIN {
    # only test if File::Tail is installed
    eval 'require File::Tail;' or do {
        plan tests => 0;
        exit;
    };
    plan tests => 2;
};
use File::Tail;
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

my $ft = File::Tail->new(name=>'t/linux-syslog', tail=>-1);
my $parser = Parse::Syslog->new($ft, year=>2001);
# expected output for the first record of t/linux-syslog
open(PARSED, "<t/linux-parsed") or die "can't open t/linux-parsed: $!\n";
my $sl = $parser->next;
my $is = '';
$is .= "time : ".(localtime($sl->{timestamp}))."\n";
$is .= "host : $sl->{host}\n";
$is .= "program : $sl->{program}\n";
$is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
$is .= "text : $sl->{text}\n";
$is .= "\n";
print "$is";
my $shouldbe = '';
$shouldbe .= <PARSED>;
$shouldbe .= <PARSED>;
$shouldbe .= <PARSED>;
$shouldbe .= <PARSED>;
$shouldbe .= <PARSED>;
$shouldbe .= <PARSED>;
ok($is, $shouldbe);

# vim: set filetype=perl:

Parse-Syslog-1.10/t/locale-parsed

time : Sat May 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Thu Jun 7 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

time : Fri Dec 7 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

Parse-Syslog-1.10/t/solaris28-syslog

Aug 6 08:00:55 jobis mountd[335]: [ID 664212 daemon.error] No default domain set
Aug 7 13:15:12 jobis sshd[27321]: [ID 800047 daemon.crit] fatal: Timeout before authentication for 192.168.1.1
Aug 7 16:45:51 jobis cvs_server: [ID 702911 daemon.notice] connection from test [192.168.1.1] to /usr/test
Aug 7 16:49:03 jobis last message repeated 11 times
Aug 18 14:56:03 bigbang.ee.ethz.ch snort: [ID 381826 local5.info] IDS278/dns_named-probe-version: 211.20.98.98:3656 -> 129.132.20.8:53

Parse-Syslog-1.10/t/solaris26-parsed

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:10:39 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

time : Tue Aug 7 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : <--- 200

time : Tue Aug 7 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : NOOP command successful.

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:11:24 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Aug 7 22:12:11 2001
host : tardis-a3.ee.ethz.ch
program : sshd
pid : 16925
text : Could not reverse map address 129.132.166.193.

time : Tue Aug 7 22:12:11 2001
host : tardis-a3.ee.ethz.ch
program : sshd
pid : 16925
text : Accepted password for haemmluk from 129.132.166.193 port 50395

time : Tue Aug 7 22:12:14 2001
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

Parse-Syslog-1.10/t/locale.t

use Test;
use lib "lib";
BEGIN {
    # only test if de_DE is available
    eval 'use POSIX qw(locale_h); setlocale(LC_TIME, "de_DE")' or do {
        plan tests => 0;
        warn "Locale 'de_DE' not available: locale test skipped.\n";
        exit;
    };
    plan tests => 4
};
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/locale-syslog", year=>2001, locale=>'de_DE');
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/locale-parsed") or die "can't open t/locale-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/solaris28-parsed

time : Mon Aug 6 08:00:55 2001
host : jobis
program : mountd
pid : 335
msgid : 664212
facility: daemon
level : error
text : No default domain set

time : Tue Aug 7 13:15:12 2001
host : jobis
program : sshd
pid : 27321
msgid : 800047
facility: daemon
level : crit
text : fatal: Timeout before authentication for 192.168.1.1

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Tue Aug 7 16:45:51 2001
host : jobis
program : cvs_server
pid : undef
msgid : 702911
facility: daemon
level : notice
text : connection from test [192.168.1.1] to /usr/test

time : Sat Aug 18 14:56:03 2001
host : bigbang.ee.ethz.ch
program : snort
pid : undef
msgid : 381826
facility: local5
level : info
text : IDS278/dns_named-probe-version: 211.20.98.98:3656 -> 129.132.20.8:53

Parse-Syslog-1.10/t/metalog-parsed

time : Fri Oct 1 11:30:56 2004
host : localhost
program : amavis
pid : undef
text : (23837-08) TIMING [total 1101 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%)

time : Fri Oct 1 11:30:56 2004
host : localhost
program : postfix/smtp
pid : undef
text : 5FC753D3A6: to=

time : Fri Oct 1 11:30:59 2004
host : localhost
program : postfix/smtpd
pid : undef
text : disconnect from x

Parse-Syslog-1.10/t/dst.t

use lib 'lib';
use Parse::Syslog;
use Test;
use POSIX;
use Time::Local;

BEGIN {
    # only test if IO::Scalar is available
    eval 'require IO::Scalar;' or do {
        plan tests => 0;
        warn "IO::Scalar not available: test skipped.\n";
        exit;
    };
    if($Time::Local::VERSION lt '1.07_94') {
        warn "Time::Local too old for DST-switch code to work (is: $Time::Local::VERSION, must be: 1.07_94)";
        plan test => 0;
        exit;
    }
    plan tests => 20
};

$ENV{TZ} = 'CET-1CEST-2,M3.5.0/02:00:00,M10.5.0/03:00:00';
POSIX::tzset();

my $data = <new(\$data);
my $parser = Parse::Syslog->new($file, year=>2005);
my $result = <next) {
    # check that we get the correct localtime where a timewarp is noticeable
    # but always an increasing timestamp
    my $lt = localtime($sl->{timestamp});
    ok($lt, shift @result);
    ok($sl->{timestamp} > $last_t);
    $last_t = $sl->{timestamp};
}

# vim: ft=perl

Parse-Syslog-1.10/t/solaris26.t

use Test;
use lib "lib";
BEGIN { plan tests => 26 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/solaris26-syslog", year=>2001);
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/solaris26-parsed") or die "can't open t/solaris26-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/linux-syslog

Aug 12 06:55:36 hathi last message repeated 6 times
Aug 12 06:55:06 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 12 06:55:36 hathi last message repeated 6 times
Aug 12 06:56:36 hathi last message repeated 12 times
Aug 12 06:59:16 hathi last message repeated 8 times
Aug 12 06:59:19 avalon avalon snort[2176]: IDS552/web-iis_IIS ISAPI Overflow ida: 212.217.33.195:4850 -> 192.168.17.1:80
Aug 12 06:59:19 avalon avalon snort[2176]: IDS243/web-cgi_http-cgi-pipe: 212.217.33.195:4850 -> 192.168.17.1:80
Aug 12 06:59:21 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 12 06:59:56 hathi last message repeated 7 times
Aug 12 07:00:01 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
jan 27 18:59:28 saturne keytable: Loading keymap: fr-latin1 succeeded
Jan 28 16:51:28 pluton syslogd 1.3-3#33.1: restart (remote reception).

Parse-Syslog-1.10/t/yearchange-syslog

Dec 31 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M
Jan 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Dec 31 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M
Jan 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Feb 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Dec 31 22:11:21 tardis-a1.ee.ethz.ch ftpd[14025]: FTPD: command: NOOP^M
Jan 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Feb 28 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Mar 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Apr 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
May 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Jun 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Jul 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Sep 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Oct 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4
Nov 1 22:10:39 otaniemi.ee.ethz.ch sshd[1517]: error: Hm, dispatch protocol error: type 32 plen 4

Parse-Syslog-1.10/t/yearchange-parsed

time : Mon Dec 31 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

time : Tue Jan 1 22:10:39 2002
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Mon Dec 31 22:11:21 2001
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

time : Tue Jan 1 22:10:39 2002
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Fri Feb 1 22:10:39 2002
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Dec 31 22:11:21 2002
host : tardis-a1.ee.ethz.ch
program : ftpd
pid : 14025
text : FTPD: command: NOOP^M

time : Wed Jan 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Fri Feb 28 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sat Mar 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Apr 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Thu May 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Jun 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Tue Jul 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Fri Aug 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Mon Sep 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Wed Oct 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sat Nov 1 22:10:39 2003
host : otaniemi.ee.ethz.ch
program : sshd
pid : 1517
text : error: Hm, dispatch protocol error: type 32 plen 4

Parse-Syslog-1.10/t/misc.t

use Test;
use lib "lib";
BEGIN { plan tests => 4 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/misc-syslog", year=>2002);
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/misc-parsed") or die "can't open t/misc-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/io-stringy.t

use Test;
use lib "lib";
BEGIN {
    # only test if IO::Scalar is available
    eval 'require IO::Scalar;' or do {
        plan tests => 0;
        warn "IO::Scalar not available: test skipped.\n";
        exit;
    };
    plan tests => 2
};
use Parse::Syslog;
use IO::Scalar;

my $data = <new(\$data);
my $parser = Parse::Syslog->new($file, year=>2001);
ok(1);
$sl = $parser->next;
my $is = '';
$is .= "time : ".(localtime($sl->{timestamp}))."\n";
$is .= "host : $sl->{host}\n";
$is .= "program : $sl->{program}\n";
$is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
$is .= "text : $sl->{text}\n";
#print "$is";
my $shouldbe = < 41 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/linux-syslog", year=>2001, GMT=>1);
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/linux-parsed") or die "can't open t/linux-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(gmtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/solaris28.t

use Test;
use lib "lib";
BEGIN { plan tests => 16 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/solaris28-syslog", year=>2001);
# expected output, one nine-line record per parsed log entry
open(PARSED, "<t/solaris28-parsed") or die "can't open t/solaris28-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "msgid : $sl->{msgid}\n";
    $is .= "facility: $sl->{facility}\n";
    $is .= "level : $sl->{level}\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/yearchange.t

use Test;
use lib "lib";
BEGIN { plan tests => 18 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/yearchange-syslog", year=>2001);
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/yearchange-parsed") or die "can't open t/yearchange-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/linux.t

use Test;
use lib "lib";
BEGIN { plan tests => 41 };
use Parse::Syslog;
ok(1); # If we made it this far, we're ok.

#########################

my $parser = Parse::Syslog->new("t/linux-syslog", year=>2001);
# expected output, one six-line record per parsed log entry
open(PARSED, "<t/linux-parsed") or die "can't open t/linux-parsed: $!\n";
while(my $sl = $parser->next) {
    my $is = '';
    $is .= "time : ".(localtime($sl->{timestamp}))."\n";
    $is .= "host : $sl->{host}\n";
    $is .= "program : $sl->{program}\n";
    $is .= "pid : ".(defined $sl->{pid} ? $sl->{pid} : 'undef')."\n";
    $is .= "text : $sl->{text}\n";
    $is .= "\n";
    print "$is";
    my $shouldbe = '';
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    $shouldbe .= <PARSED>;
    ok($is, $shouldbe);
}

# vim: set filetype=perl:

Parse-Syslog-1.10/t/linux-parsed

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:55:06 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:19 2001
host : avalon
program : snort
pid : 2176
text : IDS552/web-iis_IIS ISAPI Overflow ida: 212.217.33.195:4850 -> 192.168.17.1:80

time : Sun Aug 12 06:59:19 2001
host : avalon
program : snort
pid : 2176
text : IDS243/web-cgi_http-cgi-pipe: 212.217.33.195:4850 -> 192.168.17.1:80

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 06:59:21 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sun Aug 12 07:00:01 2001
host : hathi
program : sshd
pid : 1966
text : error: Hm, dispatch protocol error: type 32 plen 4

time : Sat Jan 27 18:59:28 2001
host : saturne
program : keytable
pid : undef
text : Loading keymap: fr-latin1 succeeded

time : Sun Jan 28 16:51:28 2001
host : pluton
program : syslogd 1.3-3#33.1
pid : undef
text : restart (remote reception).

Parse-Syslog-1.10/t/metalog-syslog

Oct 1 11:30:56 [amavis] (23837-08) TIMING [total 1101 ms] - SMTP EHLO: 1 (0%), SMTP pre-MAIL: 0 (0%)
Oct 1 11:30:56 [postfix/smtp] 5FC753D3A6: to=
Oct 1 11:30:59 [postfix/smtpd] disconnect from x

Parse-Syslog-1.10/Makefile.PL

use ExtUtils::MakeMaker;
# See lib/ExtUtils/MakeMaker.pm for details of how to influence
# the contents of the Makefile that is written.
WriteMakefile(
    'NAME' => 'Parse::Syslog',
    'VERSION_FROM' => 'lib/Parse/Syslog.pm', # finds $VERSION
    'PREREQ_PM' => {}, # e.g., Module::Name => 1.1
    ($] >= 5.005 ? ## Add these new keywords supported since 5.005
      (ABSTRACT_FROM => 'lib/Parse/Syslog.pm', # retrieve abstract from module
       AUTHOR => 'David Schweikert ') : ()),
);

Parse-Syslog-1.10/lib/Parse/Syslog.pm

package Parse::Syslog;

use Carp;
use Symbol;
use Time::Local;
use IO::File;
use strict;
use vars qw($VERSION);

$VERSION = '1.10';

my %months_map = (
    'Jan' => 0, 'Feb' => 1, 'Mar' => 2,
    'Apr' => 3, 'May' => 4, 'Jun' => 5,
    'Jul' => 6, 'Aug' => 7, 'Sep' => 8,
    'Oct' => 9, 'Nov' =>10, 'Dec' =>11,
    'jan' => 0, 'feb' => 1, 'mar' => 2,
    'apr' => 3, 'may' => 4, 'jun' => 5,
    'jul' => 6, 'aug' => 7, 'sep' => 8,
    'oct' => 9, 'nov' =>10, 'dec' =>11,
);

sub is_dst_switch($$$)
{
    my ($self, $t, $time) = @_;

    # calculate the time in one hour and see if the difference is 3600 seconds.
    # if not, we are in a dst-switch hour
    # note that right now we only support 1-hour dst offsets

    # cache the result
    if(defined $self->{is_dst_switch_last_hour} and
        $self->{is_dst_switch_last_hour} == ($t->[3]<<5)+$t->[2]) {
        return @{$self->{is_dst_switch_result}};
    }

    # calculate a number out of the day and hour to identify the hour
    # (the parentheses are required: '+' binds tighter than '<<' in Perl)
    $self->{is_dst_switch_last_hour} = ($t->[3]<<5)+$t->[2];

    # calculating hour+1 (below) is a problem if the hour is 23. as far as I
    # know, nobody does the DST switch at this time, so just assume it isn't
    # DST switch if the hour is 23.
    if($t->[2]==23) {
        @{$self->{is_dst_switch_result}} = (0, undef);
        return @{$self->{is_dst_switch_result}};
    }

    # let's see the timestamp in one hour
    # 0: sec, 1: min, 2: h, 3: day, 4: month, 5: year
    my $time_plus_1h = timelocal($t->[0], $t->[1], $t->[2]+1, $t->[3], $t->[4], $t->[5]);

    if($time_plus_1h - $time > 4000) {
        @{$self->{is_dst_switch_result}} = (3600, $time-$time%3600+3600);
    }
    else {
        @{$self->{is_dst_switch_result}} = (0, undef);
    }

    return @{$self->{is_dst_switch_result}};
}

# fast timelocal, cache minute's timestamp
# don't cache more than minute because of daylight saving time switch
# 0: sec, 1: min, 2: h, 3: day, 4: month, 5: year
sub str2time($$$$$$$$)
{
    my $self = shift @_;
    my $GMT = pop @_;

    my $lastmin = $self->{str2time_lastmin};
    if(defined $lastmin and
        $lastmin->[0] == $_[1] and
        $lastmin->[1] == $_[2] and
        $lastmin->[2] == $_[3] and
        $lastmin->[3] == $_[4] and
        $lastmin->[4] == $_[5])
    {
        $self->{last_time} = $self->{str2time_lastmin_time} + $_[0];
        return $self->{last_time} + ($self->{dst_comp}||0);
    }

    my $time;
    if($GMT) {
        $time = timegm(@_);
    }
    else {
        $time = timelocal(@_);
    }

    # compensate for DST-switch
    # - if a timewarp is detected (1:00 -> 1:30 -> 1:00):
    # - test if we are in a DST-switch-hour
    # - compensate if yes
    # note that we assume that the DST-switch goes like this:
    # time   1:00  1:30  2:00  2:30  2:00  2:30  3:00  3:30
    # stamp   1     2     3     4     3     3     7     8
    # comp.   0     0     0     0     2     2     0     0
    # result  1     2     3     4     5     6     7     8
    # old Time::Local versions behave differently (1 2 5 6 5 6 7 8)
    if(!$GMT and !defined $self->{dst_comp} and
        defined $self->{last_time} and
        $self->{last_time}-$time > 1200 and
        $self->{last_time}-$time < 3600)
    {
        my ($off, $until) = $self->is_dst_switch(\@_, $time);
        if($off) {
            $self->{dst_comp} = $off;
            $self->{dst_comp_until} = $until;
        }
    }
    if(defined $self->{dst_comp_until} and $time > $self->{dst_comp_until}) {
        delete $self->{dst_comp};
        delete $self->{dst_comp_until};
    }

    $self->{str2time_lastmin} = [ @_[1..5] ];
    $self->{str2time_lastmin_time} = $time-$_[0];
    $self->{last_time} = $time;
    return $time+($self->{dst_comp}||0);
}

sub _use_locale($)
{
    use POSIX qw(locale_h strftime);
    my $old_locale = setlocale(LC_TIME);
    for my $locale (@_) {
        croak "new(): wrong 'locale' value: '$locale'"
            unless setlocale(LC_TIME, $locale);
        for my $month (0..11) {
            $months_map{strftime("%b", 0, 0, 0, 1, $month, 96)} = $month;
        }
    }
    setlocale(LC_TIME, $old_locale);
}

sub new($$;%)
{
    my ($class, $file, %data) = @_;
    croak "new() requires one argument: file" unless defined $file;
    %data = () unless %data;
    if(not defined $data{year}) {
        $data{year} = (localtime(time))[5]+1900;
    }
    $data{type} = 'syslog' unless defined $data{type};
    $data{_repeat}=0;

    if(UNIVERSAL::isa($file, 'IO::Handle')) {
        $data{file} = $file;
    }
    elsif(UNIVERSAL::isa($file, 'File::Tail')) {
        $data{file} = $file;
        $data{filetail}=1;
    }
    elsif(! ref $file) {
        if($file eq '-') {
            my $io = new IO::Handle;
            $data{file} = $io->fdopen(fileno(STDIN),"r");
        }
        else {
            $data{file} = new IO::File($file, "<");
            defined $data{file} or croak "can't open $file: $!";
        }
    }
    else {
        croak "argument must be either a file-name or an IO::Handle object.";
    }

    if(defined $data{locale}) {
        if(ref $data{locale} eq 'ARRAY') {
            _use_locale @{$data{locale}};
        }
        elsif(ref $data{locale} eq '') {
            _use_locale $data{locale};
        }
        else {
            croak "'locale' parameter must be scalar or array of scalars";
        }
    }

    return bless \%data, $class;
}

sub _year_increment($$)
{
    my ($self, $mon) = @_;

    # year change
    if($mon==0) {
        $self->{year}++ if defined $self->{_last_mon} and $self->{_last_mon} == 11;
        $self->{enable_year_decrement} = 1;
    }
    elsif($mon == 11) {
        if($self->{enable_year_decrement}) {
            $self->{year}-- if defined $self->{_last_mon} and $self->{_last_mon} != 11;
        }
    }
    else {
        $self->{enable_year_decrement} = 0;
    }

    $self->{_last_mon} = $mon;
}

sub _next_line($)
{
    my $self = shift;
    my $f = $self->{file};
    if(defined $self->{filetail}) {
        return $f->read;
    }
    else {
        return $f->getline;
    }
}

sub _next_syslog($)
{
    my ($self) = @_;

    while($self->{_repeat}>0) {
        $self->{_repeat}--;
        return $self->{_repeat_data};
    }

    my $file = $self->{file};
    line: while(defined (my $str = $self->_next_line)) {
        # date, time and host
        $str =~ /^
            (\S{3})\s+(\d+)        # date -- 1, 2
            \s
            (\d+):(\d+):(\d+)      # time -- 3, 4, 5
            (?:\s<\w+\.\w+>)?      # FreeBSD's verbose-mode
            \s
            ([-\w\.\@:]+)          # host -- 6
            \s+
            (?:\[LOG_[A-Z]+\]\s+)? # FreeBSD
            (.*)                   # text -- 7
            $/x or do {
            warn "WARNING: line not in syslog format: $str";
            next line;
        };

        my $mon = $months_map{$1};
        defined $mon or croak "unknown month $1\n";

        $self->_year_increment($mon);

        # convert to unix time
        my $time = $self->str2time($5,$4,$3,$2,$mon,$self->{year}-1900,$self->{GMT});
        if(not $self->{allow_future}) {
            # accept maximum one day in the present future
            if($time - time > 86400) {
                warn "WARNING: ignoring future date in syslog line: $str";
                next line;
            }
        }

        my ($host, $text) = ($6, $7);

        # last message repeated ... times
        if($text =~ /^(?:last message repeated|above message repeats) (\d+) time/) {
            next line if defined $self->{repeat} and not $self->{repeat};
            next line if not defined $self->{_last_data}{$host};
            $1 > 0 or do {
                warn "WARNING: last message repeated 0 or less times??\n";
                next line;
            };
            $self->{_repeat}=$1-1;
            $self->{_repeat_data}=$self->{_last_data}{$host};
            return $self->{_last_data}{$host};
        }

        # marks
        next if $text eq '-- MARK --';

        # some systems send over the network their
        # hostname prefixed to the text. strip that.
        $text =~ s/^$host\s+//;

        # discard ':' in HP-UX 'su' entries like this:
        # Apr 24 19:09:40 remedy : su : + tty?? root-oracle
        $text =~ s/^:\s+//;

        $text =~ /^
            ([^:]+?)       # program -- 1
            (?:\[(\d+)\])? # PID -- 2
            :\s+
            (?:\[ID\ (\d+)\ ([a-z0-9]+)\.([a-z]+)\]\ )? # Solaris 8 "message id" -- 3, 4, 5
            (.*)           # text -- 6
            $/x or do {
            warn "WARNING: line not in syslog format: $str";
            next line;
        };

        if($self->{arrayref}) {
            $self->{_last_data}{$host} = [
                $time, # 0: timestamp
                $host, # 1: host
                $1,    # 2: program
                $2,    # 3: pid
                $6,    # 4: text
            ];
        }
        else {
            $self->{_last_data}{$host} = {
                timestamp => $time,
                host      => $host,
                program   => $1,
                pid       => $2,
                msgid     => $3,
                facility  => $4,
                level     => $5,
                text      => $6,
            };
        }

        return $self->{_last_data}{$host};
    }
    return undef;
}

sub _next_metalog($)
{
    my ($self) = @_;
    my $file = $self->{file};
    line: while(my $str = $self->_next_line) {
        # date, time and host
        $str =~ /^
            (\S{3})\s+(\d+)   # date -- 1, 2
            \s
            (\d+):(\d+):(\d+) # time -- 3, 4, 5
            # host is not logged
            \s+
            (.*)              # text -- 6
            $/x or do {
            warn "WARNING: line not in metalog format: $str";
            next line;
        };

        my $mon = $months_map{$1};
        defined $mon or croak "unknown month $1\n";

        $self->_year_increment($mon);

        # convert to unix time
        my $time = $self->str2time($5,$4,$3,$2,$mon,$self->{year}-1900,$self->{GMT});

        my $text = $6;

        $text =~ /^
            \[(.*?)\] # program -- 1
            # no PID
            \s+
            (.*)      # text -- 2
            $/x or do {
            warn "WARNING: text line not in metalog format: $text ($str)";
            next line;
        };

        if($self->{arrayref}) {
            return [
                $time,       # 0: timestamp
                'localhost', # 1: host
                $1,          # 2: program
                undef,       # 3: (no) pid
                $2,          # 4: text
            ];
        }
        else {
            return {
                timestamp => $time,
                host      => 'localhost',
                program   => $1,
                text      => $2,
            };
        }
    }
    return undef;
}

sub next($)
{
    my ($self) = @_;
    if($self->{type} eq 'syslog') {
        return $self->_next_syslog();
    }
    elsif($self->{type} eq 'metalog') {
        return $self->_next_metalog();
    }
    croak "Internal error: unknown type: $self->{type}";
}

1;

__END__

=head1 NAME

Parse::Syslog - Parse Unix syslog files

=head1 SYNOPSIS

    my $parser = Parse::Syslog->new( '/var/log/syslog', year => 2001);
    while(my $sl = $parser->next) {
        ... access $sl->{timestamp|host|program|pid|text} ...
    }

=head1 DESCRIPTION

Unix syslogs are convenient to read for humans but because of small differences
between operating systems and things like 'last message repeated xx times' not
very easy to parse by a script.

Parse::Syslog presents a simple interface to parse syslog files: you create a
parser on a file (with B<new>) and call B<next> to get one line at a time with
Unix-timestamp, host, program, pid and text returned in a hash-reference.

=head2 Constructing a Parser

B<new> requires as first argument a source from where to get the syslog lines.
It can be:

=over 4

=item *

a file-name for the syslog-file to be parsed.

=item *

an IO::Handle object.

=item *

a File::Tail object as first argument, in which case the I<read> method will be
called to get lines to process.

=back

After the file-name (or File::Tail object), you can specify options as a hash.
The following options are defined:

=over 8

=item B<type>

Format of the "syslog" file. Can be one of:

=over 8

=item I<syslog>

Traditional "syslog" (default)

=item I<metalog>

Metalog (see http://metalog.sourceforge.net/)

=back

=item B<year>

Syslog files usually store the time of the event without the year. With this
option you can specify the start-year of this log. If not specified, it will be
set to the current year.

=item B<GMT>

If this option is set, the time in the syslog will be converted assuming it is
GMT time instead of local time.

=item B<repeat>

Parse::Syslog will by default repeat xx times events that are followed by
messages like 'last message repeated xx times'. If you set this option to
false, it won't do that.

=item B<arrayref>

If this option is true, I<next> will return an array-ref instead of a hash-ref
(and is thus a bit faster), with the following contents:

=over 4

=item 0: timestamp

=item 1: host

=item 2: program

=item 3: pid

=item 4: text

=back

=item B<locale>

Optional. Specifies an additional locale name or the array of locale names for
the parsing of log files with national characters.

=item B<allow_future>

If true will allow for timestamps in the future. Otherwise timestamps of one
day in the future and more will not be returned (as a safety measure against
wrong configurations, bogus --year arguments, etc.)

=back

=head2 Parsing the file

The file is parsed one line at a time by calling the B<next> method, which
returns a hash-reference containing the following keys:

=over 10

=item B<timestamp>

Unix timestamp for the event.

=item B<host>

Host-name where the event did happen.

=item B<program>

Program-name of the program that generated the event.

=item B<pid>

PID of the Program that generated the event. This information is not always
available for every operating system.

=item B<text>

Text description of the event.

=item B<msgid>

Message numeric identifier, available only on Solaris >= 8 with "message ID
generation" enabled.

=item B<facility>

Log facility name, available only on Solaris >= 8 with "message ID generation"
enabled.

=item B<level>

Log level, available only on Solaris >= 8 with "message ID generation" enabled.

=back

=head2 BUGS

There are many small differences in the syslog syntax between operating
systems. This module has been tested for syslog files produced by the following
operating systems:

    Debian GNU/Linux 2.4 (sid)
    Solaris 2.6
    Solaris 8

Report problems for these and other operating systems to the author.

=head1 COPYRIGHT

Copyright (c) 2001, Swiss Federal Institute of Technology, Zurich.
All Rights Reserved.

=head1 LICENSE

This module is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.

=head1 AUTHOR

David Schweikert

=head1 HISTORY

 2001-08-12 ds 0.01 first version
 2001-08-19 ds 0.02 fix 'last message repeated xx times', Solaris 8 problems
 2001-08-20 ds 0.03 implemented GMT option, year specification, File::Tail
 2001-10-31 ds 0.04 faster time parsing, implemented 'arrayref' option, better time-increment algorithm
 2002-01-29 ds 0.05 ignore -- MARK -- lines, low-case months, space in program names
 2002-05-02 ds 1.00 HP-UX fixes, parse 'above message repeats xx times'
 2002-05-25 ds 1.01 added support for localized month names (uchum@mail.ru)
 2002-10-28 ds 1.02 fix off-by-one-hour error when running during daylight saving time switch
 2004-01-19 ds 1.03 do not allow future dates (if allow_future is not true)
 2004-07-11 ds 1.04 added support for type 'metalog'
 2005-12-24 ds 1.05 allow passing of a IO::Handle object to new

=cut

# vi: sw=4 et

Parse-Syslog-1.10/MANIFEST

Changes
Makefile.PL
MANIFEST
README
lib/Parse/Syslog.pm
t/filetail.t
t/gmt.t
t/linux.t
t/linux-syslog
t/linux-parsed
t/metalog.t
t/metalog-syslog
t/metalog-parsed
t/misc.t
t/misc-parsed
t/misc-syslog
t/solaris26.t
t/solaris26-syslog
t/solaris26-parsed
t/solaris28.t
t/solaris28-syslog
t/solaris28-parsed
t/yearchange.t
t/yearchange-syslog
t/yearchange-parsed
t/locale.t
t/locale-parsed
t/locale-syslog
t/dst.t
t/io-stringy.t
META.yml Module meta-data (added by MakeMaker)

Parse-Syslog-1.10/README

Parse/Syslog
============

DESCRIPTION

Unix syslogs are convenient to read for humans but because of small differences
between operating systems and things like 'last message repeated xx times' not
very easy to parse by a script.

Parse::Syslog presents a simple interface to parse syslog files: you create a
parser on a file (with new) and call next to get one line at a time with
Unix-timestamp, host, program, pid and text returned in a hash-reference.

INSTALLATION

To install this module type the following:

    perl Makefile.PL
    make
    make test
    make install

DOCUMENTATION

The documentation is embedded in the module itself. Type
'perldoc lib/Parse/Syslog.pm' (or 'man Parse::Syslog' if the man-page was
installed) to see it.

COPYRIGHT AND LICENCE

Copyright (c) 2001, Swiss Federal Institute of Technology, Zurich.
All Rights Reserved.

This module is free software; you can redistribute it and/or modify it under
the same terms as Perl itself.
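
ADDED EXAMPLE

The script below is an added usage example, not part of the Parse-Syslog distribution. It shows how the 'repeat' handling described in the module documentation changes event counts when the parser feeds alert tallies. It assumes Parse::Syslog is installed; the raw log lines are constructed from the parsed test output shown on this page, and summarize() is a hypothetical helper.

```perl
#!/usr/bin/perl
# Added example, not part of the Parse-Syslog distribution.
# Assumes Parse::Syslog is installed; the log lines below are constructed.
use strict;
use warnings;
use IO::File;
use Parse::Syslog;

# Constructed raw syslog input, modelled on the parsed test output on this page.
my $raw = <<'EOT';
Aug 12 06:55:06 hathi sshd[1966]: error: Hm, dispatch protocol error: type 32 plen 4
Aug 12 06:55:07 hathi last message repeated 4 times
Aug 12 06:59:19 avalon snort[2176]: IDS552/web-iis_IIS ISAPI Overflow ida: 212.217.33.195:4850 -> 192.168.17.1:80
Aug 12 06:59:19 avalon snort[2176]: IDS243/web-cgi_http-cgi-pipe: 212.217.33.195:4850 -> 192.168.17.1:80
Aug 12 07:00:00 avalon -- MARK --
EOT

# new() accepts an IO::Handle object; a temp file keeps the example offline.
my $fh = IO::File->new_tmpfile or die "cannot create temp file: $!";
print $fh $raw;
$fh->seek(0, 0);

# Hypothetical helper: count events per host/program and collect the
# snort rule ids seen per source address.
sub summarize {
    my ($handle, %opts) = @_;
    my $parser = Parse::Syslog->new($handle, year => 2001, %opts);
    my (%events, %alerts);
    while (my $sl = $parser->next) {
        # 'last message repeated' lines come back as copies of the previous
        # record for that host, so the counts reflect the real volume.
        $events{"$sl->{host}/$sl->{program}"}++;
        next unless $sl->{program} eq 'snort';
        if ($sl->{text} =~ /^(IDS\d+)\S*.*?\s(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> /) {
            push @{ $alerts{$2} }, $1;    # source address => rule ids
        }
    }
    return (\%events, \%alerts);
}

my ($events, $alerts) = summarize($fh);
printf "%-14s %d event(s)\n", $_, $events->{$_} for sort keys %$events;
printf "%-16s %s\n", $_, join(',', @{ $alerts->{$_} }) for sort keys %$alerts;

# With repeat => 0 the repeat marker is skipped, so the sshd errors are
# undercounted relative to what the host actually logged.
$fh->seek(0, 0);
my ($no_repeat) = summarize($fh, repeat => 0);
printf "repeat => 0: hathi/sshd %d event(s)\n", $no_repeat->{'hathi/sshd'};
```

The '-- MARK --' line produces no record in either pass, so it never inflates a per-host count.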