Parse::Syslog - Parse Unix syslog files

    use Parse::Syslog;

    my $parser = Parse::Syslog->new('/var/log/syslog', year => 2001);
    while (my $sl = $parser->next) {
        # access $sl->{timestamp}, $sl->{host}, $sl->{program},
        # $sl->{pid} and $sl->{text}
    }

Unix syslogs are convenient for humans to read, but small differences between operating systems and things like 'last message repeated xx times' make them not very easy to parse with a script.
Parse::Syslog presents a simple interface to parse syslog files: you create a parser on a file (with new) and call next to get one line at a time with Unix-timestamp, host, program, pid and text returned in a hash-reference.
new requires as first argument a source from where to get the syslog lines. It can be:
• a file-name for the syslog-file to be parsed.
• an IO::Handle object.
• a File::Tail object as first argument, in which case the read method will be called to get lines to process.
After the file-name (or File::Tail object), you can specify options as a hash. The following options are defined:
type
    Format of the "syslog" file. Can be one of:
    syslog
        Traditional "syslog" (default)
    metalog
        Metalog (see http://metalog.sourceforge.net/)
year
    Syslog files usually store the time of the event without the year. With this option you can specify the start-year of this log. If not specified, it will be set to the current year.
GMT
    If this option is set, the time in the syslog will be converted assuming it is GMT time instead of local time.
repeat
    By default, Parse::Syslog will repeat xx times events that are followed by messages like 'last message repeated xx times'. If you set this option to false, it won't do that.
arrayref
    If this option is true, next will return an array-ref instead of a hash-ref (and is thus a bit faster), with the following contents:
    0: timestamp
    1: host
    2: program
    3: pid
    4: text
locale
    Optional. Specifies an additional locale name or the array of locale names for the parsing of log files with national characters.
allow_future
    If true, will allow for timestamps in the future. Otherwise timestamps of one day in the future and more will not be returned (as a safety measure against wrong configurations, bogus --year arguments, etc.)
The file is parsed one line at a time by calling the next method, which returns a hash-reference containing the following keys:
timestamp
    Unix timestamp for the event.
host
    Host-name where the event happened.
program
    Program-name of the program that generated the event.
pid
    PID of the program that generated the event. This information is not always available for every operating system.
text
    Text description of the event.
msgid
    Message numeric identifier, available only on Solaris >= 8 with "message ID generation" enabled.
facility
    Log facility name, available only on Solaris >= 8 with "message ID generation" enabled.
level
    Log level, available only on Solaris >= 8 with "message ID generation" enabled.
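The following added example (not part of the module's own documentation) shows how the repeat option changes a per-source count of failed sshd logins, which matters when the count feeds a brute-force detection threshold. The log lines, the addresses and the failed_by_source helper are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: count failed sshd password attempts per source address,
# with and without Parse::Syslog's 'repeat' expansion.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Parse::Syslog;

# Constructed sample log (documentation addresses, not real data).
my $sample = <<'LOG';
Aug 12 10:00:01 gw sshd[411]: Failed password for root from 192.0.2.10 port 4242 ssh2
Aug 12 10:00:03 gw last message repeated 4 times
Aug 12 10:00:09 gw sshd[412]: Accepted publickey for alice from 198.51.100.7 port 5151 ssh2
Aug 12 10:00:12 gw sshd[413]: Failed password for invalid user admin from 192.0.2.10 port 4250 ssh2
LOG

# Write the sample to a temporary file so it can be passed as a file-name.
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $sample;
close $fh or die "close $path: $!";

# Hypothetical helper: returns { source address => failed-password events }.
sub failed_by_source {
    my ($file, $repeat) = @_;
    # year: the log lines carry no year. GMT: interpret times as GMT so the
    # timestamps do not depend on the time zone of the analysis host.
    my $parser = Parse::Syslog->new($file, year => 2001, GMT => 1,
                                    repeat => $repeat);
    my %count;
    while (my $sl = $parser->next) {
        # program is not guaranteed to be present on every line
        next unless defined $sl->{program} && $sl->{program} eq 'sshd';
        next unless $sl->{text} =~ /^Failed password for .* from (\S+) port \d+/;
        $count{$1}++;
    }
    return \%count;
}

# Compare the counts with repeat expansion on (the default) and off.
for my $repeat (1, 0) {
    my $count = failed_by_source($path, $repeat);
    printf "repeat=%d\n", $repeat;
    printf "  %-15s %d\n", $_, $count->{$_} for sort keys %$count;
}
```

With repeat set to false, the 'last message repeated' line is not expanded, so a threshold tuned on expanded counts would under-report the same source.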
There are many small differences in the syslog syntax between operating systems. This module has been tested for syslog files produced by the following operating systems:
• Debian GNU/Linux 2.4 (sid)
• Solaris 2.6
• Solaris 8
Report problems for these and other operating systems to the author.
Copyright (c) 2001, Swiss Federal Institute of Technology, Zurich. All Rights Reserved.
This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
David Schweikert <[email protected]>
2001-08-12 ds 0.01 first version
2001-08-19 ds 0.02 fix 'last message repeated xx times', Solaris 8 problems
2001-08-20 ds 0.03 implemented GMT option, year specification, File::Tail
2001-10-31 ds 0.04 faster time parsing, implemented 'arrayref' option, better time-increment algorithm
2002-01-29 ds 0.05 ignore -- MARK -- lines, low-case months, space in program names
2002-05-02 ds 1.00 HP-UX fixes, parse 'above message repeats xx times'
2002-05-25 ds 1.01 added support for localized month names ([email protected])
2002-10-28 ds 1.02 fix off-by-one-hour error when running during daylight saving time switch
2004-01-19 ds 1.03 do not allow future dates (if allow_future is not true)
2004-07-11 ds 1.04 added support for type 'metalog'
2005-12-24 ds 1.05 allow passing of a IO::Handle object to new