NAME¶

Lire::Syslog - syslog style lines parser

SYNOPSIS¶

use Lire::Syslog; my $parser = new Lire::Syslog; my $rec = $parser->parse( $line );

DESCRIPTION¶

This module defines objects able to parse logs coming from several flavours of logging daemon. It currently supports the following syslog file formats:

Classic BSD syslog daemon

The "classic" BSD syslog format:

 

    MMM DD HH:MM:SS Hostname Message
    

Solaris 8 syslog daemon

The Solaris 8 syslog daemon also includes the facility and level:

 

    MMM DD HH:MM:SS Hostname Process[Pid]: [ID DDDDDD Facility.Level] Message
    

Netscape Messaging Server logging daemon

The syslog daemon that comes with Netscape Messaging Server uses a date in common log format:

 

    [DD/MMM/YYYY:HH:MM:SS +ZZZZ] Hostname Process[Pid]: Facility Level: Message
    

WebTrends syslog daemon

The format used by the syslog daemon that comes with WebTrends:

 

    WTsyslog[YYYY-MM-DD HH:MM:SS ip=HOSTNAME pri=WT_PRIORITY] <XX>Message
    

Kiwi Syslog (ISO date format)

The ISO log file formats used by the Kiwi Syslog daemon (http://www.kiwisyslog.com/info_sysd.htm), a logging daemon often encountered on Win32 platforms:

 

    YYYY-MM-DD HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message
    

Kiwi Syslog (US date format)

The US date format used by the Kiwi Syslog daemon:

 

    MM-DD-YYYY HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message
    

Kiwi Syslog (DD-MM-YYY date format)

The DD-MM-YYYY date format used by the Kiwi Syslog daemon:

 

    DD-MM-YYYY HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message
    

Sendmail Switch logging daemon

The format used by the logging daemon coming with Sendmail Switch on Win32 platforms:

 

    MM/DD/YY HH:MM:SS Process(Pid): Level: Message
    

RFC 3164-compliant Syslog daemon

A format from RFC 3164-compliant Syslog daemons which includes the encoded priority and the year in the date. RFC 3164 defines the "BSD Syslog Protocol".

 

    <Priority>MMM DD YYYY HH:MM:SS: Process[Pid]: Message
    

The first time the parse() method is used, the parser will try each of the supported formats to detect the syslog format. If no format matches, the module will call lr_err() and abort the program. Each other parse() invocation will use the same format. The parse() method will return an hash reference which contains the following keys:

timestamp

The timestamp of the event.

hostname

The name or IP address of the host that sended the message.

process

The "process" that logged the event. Formally, the syslog message doesn't contain a process field but its usually the first word coming before a colon in the message's content.

pid

The PID of the process that logged the event. This is usually what is between [] in the process part of the message.

identifier

This key is only present when the log comes from a Solaris 8 syslog daemon. It contains the identifier that comes after ID in the message.

facility

The syslog facility (kern, mail, local0, etc.) of the message. This isn't supported in all file formats so this key might be unavailable.

level

The syslog level (emerg, info, notice, etc. ) of the message. This isn't supported in all file formats so this key might be unavailable.

content

The actual syslog message (with the process and pid removed). Many network devices will also have another BSD-style timestamp at the beginning of the message. If present, it will also be removed.

USAGE¶

 package Lire::Foo;
 use base qw/ Lire::Syslog /;
 sub parse {
    my $self = shift;
    my $line = shift;
    # this runs parse from Lire::Syslog, setting keys like 'day', 'process'
    # and 'hostname'
    my $rec = $self->SUPER::parse($line);
    $rec->{'foo'} = dosomethingwith( $rec->{'content'} );
    return $rec
 }

Now, one can run in a script

 my $parser = new Lire::Foo();
 while ( <> ) {
    chomp;
    my $log = $parser->parse( $line );
 }

which sets $log->{'day'}, ... $log->{'process'} and $log->{'foo'}.

SEE ALSO¶

Lire::Email(3)

AUTHORS¶

  Joost van Baal, Francis J. Lacoste.  Initial idea by Joost Kooij

VERSION¶

$Id: Syslog.pm,v 1.15 2006/07/23 13:16:30 vanbaal Exp $

COPYRIGHT¶

Copyright (C) 2000-2002 Stichting LogReport Foundation LogReport@LogReport.org This file is part of Lire. Lire is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.