.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "Syslog 3pm" .TH Syslog 3pm "2020-07-07" "Lire 2.1.1" "LogReport's Lire Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Lire::Syslog \- syslog style lines parser .SH "SYNOPSIS" .IX Header "SYNOPSIS" use Lire::Syslog; .PP my \f(CW$parser\fR = new Lire::Syslog; .PP my \f(CW$rec\fR = \f(CW$parser\fR\->parse( \f(CW$line\fR ); .SH "DESCRIPTION" .IX Header "DESCRIPTION" This module defines objects able to parse logs coming from several flavours of logging daemon. .PP It currently supports the following syslog file formats: .IP "Classic \s-1BSD\s0 syslog daemon" 4 .IX Item "Classic BSD syslog daemon" The \*(L"classic\*(R" \s-1BSD\s0 syslog format: .Sp .Vb 1 \& MMM DD HH:MM:SS Hostname Message .Ve .IP "Solaris 8 syslog daemon" 4 .IX Item "Solaris 8 syslog daemon" The Solaris 8 syslog daemon also includes the facility and level: .Sp .Vb 1 \& MMM DD HH:MM:SS Hostname Process[Pid]: [ID DDDDDD Facility.Level] Message .Ve .IP "Netscape Messaging Server logging daemon" 4 .IX Item "Netscape Messaging Server logging daemon" The syslog daemon that comes with Netscape Messaging Server uses a date in common log format: .Sp .Vb 1 \& [DD/MMM/YYYY:HH:MM:SS +ZZZZ] Hostname Process[Pid]: Facility Level: Message .Ve .IP "WebTrends syslog daemon" 4 .IX Item "WebTrends syslog daemon" The format used by the syslog daemon that comes with WebTrends: .Sp .Vb 1 \& WTsyslog[YYYY\-MM\-DD HH:MM:SS ip=HOSTNAME pri=WT_PRIORITY] Message .Ve .IP "Kiwi Syslog (\s-1ISO\s0 date format)" 4 .IX Item "Kiwi Syslog (ISO date format)" The \s-1ISO\s0 log file formats used by the Kiwi Syslog daemon (http://www.kiwisyslog.com/info_sysd.htm), a logging daemon often encountered on Win32 platforms: .Sp .Vb 1 \& YYYY\-MM\-DD HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message .Ve .IP "Kiwi Syslog (\s-1US\s0 date format)" 4 .IX Item "Kiwi Syslog (US date format)" The \s-1US\s0 date format used by the Kiwi Syslog daemon: .Sp .Vb 1 \& MM\-DD\-YYYY HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message .Ve .IP "Kiwi Syslog (DD-MM-YYY date format)" 4 .IX Item "Kiwi Syslog (DD-MM-YYY date format)" The DD-MM-YYYY date format used by the Kiwi Syslog daemon: .Sp .Vb 1 \& DD\-MM\-YYYY HH:MM:SS [TAB] Facility.Level [TAB] Hostname [TAB] Message .Ve .IP "Sendmail Switch logging daemon" 4 .IX Item "Sendmail Switch logging daemon" The format used by the logging daemon coming with Sendmail Switch on Win32 platforms: .Sp .Vb 1 \& MM/DD/YY HH:MM:SS Process(Pid): Level: Message .Ve .IP "\s-1RFC\s0 3164\-compliant Syslog daemon" 4 .IX Item "RFC 3164-compliant Syslog daemon" A format from \s-1RFC\s0 3164\-compliant Syslog daemons which includes the encoded priority and the year in the date. \s-1RFC 3164\s0 defines the \*(L"\s-1BSD\s0 Syslog Protocol\*(R". .Sp .Vb 1 \& MMM DD YYYY HH:MM:SS: Process[Pid]: Message .Ve .PP The first time the \fBparse()\fR method is used, the parser will try each of the supported formats to detect the syslog format. If no format matches, the module will call \fBlr_err()\fR and abort the program. Each other \fBparse()\fR invocation will use the same format. .PP The \fBparse()\fR method will return an hash reference which contains the following keys: .IP "timestamp" 4 .IX Item "timestamp" The timestamp of the event. .IP "hostname" 4 .IX Item "hostname" The name or \s-1IP\s0 address of the host that sended the message. .IP "process" 4 .IX Item "process" The \*(L"process\*(R" that logged the event. Formally, the syslog message doesn't contain a process field but its usually the first word coming before a colon in the message's content. .IP "pid" 4 .IX Item "pid" The \s-1PID\s0 of the process that logged the event. This is usually what is between [] in the process part of the message. .IP "identifier" 4 .IX Item "identifier" This key is only present when the log comes from a Solaris 8 syslog daemon. It contains the identifier that comes after \s-1ID\s0 in the message. .IP "facility" 4 .IX Item "facility" The syslog facility (kern, mail, local0, etc.) of the message. This isn't supported in all file formats so this key might be unavailable. .IP "level" 4 .IX Item "level" The syslog level (emerg, info, notice, etc. ) of the message. This isn't supported in all file formats so this key might be unavailable. .IP "content" 4 .IX Item "content" The actual syslog message (with the process and pid removed). Many network devices will also have another BSD-style timestamp at the beginning of the message. If present, it will also be removed. .SH "USAGE" .IX Header "USAGE" .Vb 1 \& package Lire::Foo; \& \& use base qw/ Lire::Syslog /; \& \& sub parse { \& my $self = shift; \& my $line = shift; \& \& # this runs parse from Lire::Syslog, setting keys like \*(Aqday\*(Aq, \*(Aqprocess\*(Aq \& # and \*(Aqhostname\*(Aq \& my $rec = $self\->SUPER::parse($line); \& \& $rec\->{\*(Aqfoo\*(Aq} = dosomethingwith( $rec\->{\*(Aqcontent\*(Aq} ); \& \& return $rec \& } .Ve .PP Now, one can run in a script .PP .Vb 1 \& my $parser = new Lire::Foo(); \& \& while ( <> ) { \& chomp; \& my $log = $parser\->parse( $line ); \& } .Ve .PP which sets \f(CW$log\fR\->{'day'}, ... \f(CW$log\fR\->{'process'} and \f(CW$log\fR\->{'foo'}. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBLire::Email\fR\|(3) .SH "AUTHORS" .IX Header "AUTHORS" .Vb 1 \& Joost van Baal, Francis J. Lacoste. Initial idea by Joost Kooij .Ve .SH "VERSION" .IX Header "VERSION" \&\f(CW$Id:\fR Syslog.pm,v 1.15 2006/07/23 13:16:30 vanbaal Exp $ .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright (C) 2000\-2002 Stichting LogReport Foundation LogReport@LogReport.org .PP This file is part of Lire. .PP Lire is free software; you can redistribute it and/or modify it under the terms of the \s-1GNU\s0 General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP This program is distributed in the hope that it will be useful, but \s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of \&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE.\s0 See the \&\s-1GNU\s0 General Public License for more details. .PP You should have received a copy of the \s-1GNU\s0 General Public License along with this program (see \s-1COPYING\s0); if not, check with http://www.gnu.org/copyleft/gpl.html.