I'm in the process of implementing a large scale central syslog
architecture based on syslog-ng and POE.  syslog-ng buys me compliance
while I finish building my custom correlation engine with POE.

I wanted a way to deal with syslog messages as they came in from the
network, as well as messages from flat files (with the preamble
stripped).  There's a ton of syslog modules on CPAN, so I'd prefer to
not clutter up the namespace if I don't have to.  I just couldn't find a
good fit for this idea that I'm developing, so perhaps through communal
wisdom someone will beat me into submitting to another module.

Here's the 0.01 interface:

SYNOPSIS
    I wanted a very simple log parser for network-based syslog input.
    Nothing existed that simply took a line and returned a hash ref all
    parsed out.

        use Parse::Syslog::Line qw(syslog_parse_line);

        my $href = syslog_parse_line( $msg );
            #
            # $href = {
            #       preamble        => '13',
            #       priority        => 'notice',
            #       priority_int    => 5,
            #       facility        => 'user',
            #       facility_int    => 8,
            #       date            => 'YYYY-MM-DD',
            #       time            => 'HH:MM:SS',
            #       datetime_str    => 'YYYY-MM-DD HH:MM:SS',
            #       datetime_obj    => new DateTime(),   # if installed
            #       datetime_raw    => 'Feb 17 11:12:13',
            #       host_raw        => 'hostname',       # hostname as it appeared in the message
            #       host            => 'hostname',       # hostname without domain
            #       domain          => 'blah.com',       # if provided
            #       program_raw     => 'sshd(blah)[pid]',
            #       program_name    => 'sshd',
            #       program_sub     => 'pam_unix',
            #       program_pid     => 20345,
            #       content         => 'the rest of the message',
            #       message         => 'program[pid]: the rest of the message',
            #       message_raw     => 'The message as it was passed',
            # };
        ...

As I've been working on this project, I've found that it might be useful
to have a module that was also capable of using SQL::Abstract to
generate tables, selects, and inserts based off the syslog input, so my
initial namespace and simple Exporter design is probably getting an OO
overhaul to support things like hostname resolution, query building, and
sub modules for pluggable handling of certain message types (like the
SyslogScan::* namespace).  Only SyslogScan seems to be primarily
focused solely on sendmail messages.

The closest to what I'm imagining is Net::Dev::Tools::Syslog.  However,
I'm not interested in mimicking a syslog server so I'm not sure my
proposed namespace works either.

Perhaps Syslog::Ax(e?) or Syslog::Parser would be better?

Comments? Rants?

-- 
Brad Lhotsky

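For anyone following the thread, here is a working parser for the line shape the synopsis sketches. It is an added example, not Brad's Parse::Syslog::Line or any CPAN module: it decodes the <PRI> preamble into severity and facility the way the synopsis does (facility_int is the syslog.h value, so 13 gives user/8 and notice/5), splits host/domain and program(sub)[pid], and takes lines with no preamble (flat files) through the same path. The $year argument, the DateTime fallback and the two sample lines are assumptions of this example; the BSD timestamp carries no year, so something has to supply one.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Severity (0-7) and facility (0-23) names, numbered as in RFC 3164 / syslog.h.
my @SEVERITY = qw(emerg alert crit err warning notice info debug);
my @FACILITY = qw(kern user mail daemon auth syslog lpr news uucp cron
                  authpriv ftp ntp audit alert cron2
                  local0 local1 local2 local3 local4 local5 local6 local7);
my %MONTH;
@MONTH{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = (1 .. 12);
my $MON_RE = join '|', sort keys %MONTH;

# Parse one BSD-style syslog line into a hash ref.  The "<PRI>" preamble is
# optional, so a line read back from a flat file (where syslogd has already
# stripped it) goes through the same code path as a line off the wire.
# $year is an assumption of this example: the timestamp has no year, so the
# caller supplies one (default: the current local year).
sub syslog_parse_line {
    my ($raw, $year) = @_;
    $year = (localtime)[5] + 1900 unless defined $year;

    (my $line = $raw) =~ s/[\r\n]+\z//;
    my %h = (message_raw => $raw);

    # Preamble: <PRI> with PRI = facility * 8 + severity.
    if ($line =~ s/^<(\d{1,3})>//) {
        my $pri = 0 + $1;                        # force numeric bitwise ops
        $h{preamble}     = $pri;
        $h{priority_int} = $pri & 7;
        $h{priority}     = $SEVERITY[$pri & 7];
        $h{facility_int} = $pri & ~7;            # syslog.h style: LOG_USER == 8
        $h{facility}     = $FACILITY[$pri >> 3] // 'unknown';   # PRI > 191 is out of range
    }

    # Timestamp: "Mmm dd HH:MM:SS"; most syslogds space-pad the day.
    if ($line =~ s/^($MON_RE)\s+(\d{1,2})\s+(\d\d):(\d\d):(\d\d)\s+//) {
        my ($mon, $day, $hh, $mm, $ss) = ($1, $2, $3, $4, $5);
        $h{datetime_raw} = sprintf '%s %2d %s:%s:%s', $mon, $day, $hh, $mm, $ss;
        $h{date}         = sprintf '%04d-%02d-%02d', $year, $MONTH{$mon}, $day;
        $h{time}         = "$hh:$mm:$ss";
        $h{datetime_str} = "$h{date} $h{time}";
        # Optional DateTime object: only if the module is installed and the
        # fields form a real date (DateTime->new dies on "Feb 30").
        my $dt = eval {
            require DateTime;
            DateTime->new(year => $year, month => $MONTH{$mon}, day => $day,
                          hour => $hh, minute => $mm, second => $ss);
        };
        $h{datetime_obj} = $dt if $dt;
    }

    # Hostname, then the rest.  The hostname is whatever the sender wrote;
    # over UDP it is trivially forged, so host_raw is kept verbatim for
    # comparison against the packet's source address by the caller.
    if ($line =~ s/^(\S+)\s+//) {
        my $host_raw = $1;
        my ($host, $domain) = split /\./, $host_raw, 2;
        $h{host_raw} = $host_raw;
        $h{host}     = $host;
        $h{domain}   = $domain if defined $domain;
    }
    $h{message} = $line;

    # "program(sub)[pid]: content"; sub and pid are both optional.
    if ($line =~ /^([^\s:\[(]+)(?:\(([^)]*)\))?(?:\[(\d+)\])?:\s*(.*)\z/s) {
        my ($name, $sub, $pid, $content) = ($1, $2, $3, $4);
        $h{program_name} = $name;
        $h{program_sub}  = $sub if defined $sub;
        $h{program_pid}  = $pid if defined $pid;
        $h{content}      = $content;
        $h{program_raw}  = $name . (defined $sub ? "($sub)" : '')
                                 . (defined $pid ? "[$pid]" : '');
    } else {
        $h{content} = $line;    # no "program:" prefix, e.g. "-- MARK --"
    }
    return \%h;
}

# Constructed sample lines (not real captures): one off the network with a
# preamble, one as it would sit in /var/log/auth.log without it.
my @samples = (
    '<13>Feb 17 11:12:13 bastion.blah.com sshd(pam_unix)[20345]: session opened for user brad',
    'Feb 17 11:12:14 bastion kernel: device eth0 entered promiscuous mode',
);
for my $msg (@samples) {
    my $href = syslog_parse_line($msg, 2007);
    printf "%-14s %s\n", $_, $href->{$_} for sort keys %$href;
    print "\n";
}
```

Two caveats a correlation engine built on this would need to handle: the year has to be tracked across the December/January rollover when replaying files, and nothing in the line itself authenticates the host or program fields, so any rule that keys on them should also key on the transport source (or move the sensitive feeds off plain UDP).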