Matt Richter wrote:
>
> I'm trying to split a line from a PIX Firewall log file and put it into
> an array. The log entries look like:
>
> Nov 13 07:28:55 10.0.0.3 %PIX-4-400025: IDS:2154 ICMP ping of death from
> 123.123.123.123 to 124.124.124.124 on interface outside
>
> Here is the code I've tried:
>
> [snip code]
>
> Obviously, split(/ /, $line) doesn't produce the array I really want.
> Here is the format of the log entries to parse.
>
> Month Day Time Host PIXcode IDSCode Protocol Description SourceHost To
> DestinationHost On Interface InterfaceName
>
> Here are the string details:
> Month : Always Three Letters
> Day : May be One or Two Digits. If one Digit, it is preceded by an
> extra space. i.e. " 9" or "10"
> Time: Always the same format
> Host : Sometimes IP number, Sometimes Hostname
> PIXCode : Always %PIX-4-4000xx:
> IDSCode : Always IDS:xxxx
> Protocol : If exists, followed by space, Sometimes not there at all
> Description : Various string lengths (2 To 6 words)
> SourceHost : Always an IP Number
> To : Always exists
> DestinationHost : Always an IP Number On
> Interface : Always exists
> InterfaceName : Always One Word
This should work according to the specs given:

use strict;
use warnings;

# Assumes the log is in pix.log (the filename is not given in the original post)
open( my $log, '<', 'pix.log' ) or die "Cannot open pix.log: $!";

my ( %month, %day, %ltime, %host, %pixcode );
while ( <$log> ) {
    if ( /^                                     # Start of line
          (((\w{3})\s+\d+)\s+\d+) :\d+:\d+\s+   # Month, Day and Hour
          (\S+) \s+                             # Host
          (%PIX-4-4000\d+) :\s+                 # PIXCode
          IDS:(\d+) \s*                         # IDSCode
          (TCP|UDP|ICMP|) \s+                   # Protocol (optional)
          (\S.*?\S) \s+                         # Description
          from\s+([\d.]+) \s+                   # Source Host
          to \s+([\d.]+) \s+                    # Destination Host
          on\s+interface\s+(\S+)                # Interface Name
          $/x ) {                               # End of line
        $month{ $3 }++;                         # Month only
        $day{ $2 }++;                           # Month and Day concatenated
        $ltime{ $1 }++;                         # Month, Day and Hour concatenated
        $host{ $4 }++;
        $pixcode{ $5 }++;
        # etcetera
    }
}
close $log;
John
--
use Perl;
program
fulfillment
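As an added example (not John's code or the original poster's): the same field layout as the reply's pattern, written with Perl 5.10 named captures so each entry comes back as a hash keyed by field name, and run over two constructed lines that exercise the one-digit day (double space) and the missing-protocol case. The hostname fw1.example.net, the second message text and the %PIX-4-400099 code are invented for the test, not taken from a real device.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same fields as the reply's regex, but named, so callers read $rec->{src}
# instead of remembering that the source address is $9.
my $pix_re = qr/^
    (?<month>\w{3}) \s+ (?<day>\d{1,2}) \s+ (?<time>\d\d:\d\d:\d\d) \s+  # Month, Day, Time
    (?<host>\S+) \s+                                                      # Host (IP or name)
    (?<pixcode>%PIX-4-4000\d\d): \s+                                      # PIXCode
    IDS:(?<ids>\d+) \s+                                                   # IDSCode
    (?:(?<proto>TCP|UDP|ICMP) \s+)?                                       # Protocol (optional)
    (?<desc>\S.*?) \s+                                                    # Description (lazy, stops before "from")
    from \s+ (?<src>[\d.]+) \s+ to \s+ (?<dst>[\d.]+) \s+                 # Source and Destination
    on \s+ interface \s+ (?<iface>\S+)                                    # Interface Name
    \s*$/x;

# Returns a hashref of the named captures, or undef if the line does not fit.
# A missing protocol simply leaves out the "proto" key.
sub parse_pix_line {
    my ($line) = @_;
    return unless $line =~ $pix_re;
    my %rec = %+;
    return \%rec;
}

# Constructed sample lines: the first is the one from the original post, the
# second has a one-digit day (two spaces after "Nov"), a hostname, and no protocol.
my @sample = (
    'Nov 13 07:28:55 10.0.0.3 %PIX-4-400025: IDS:2154 ICMP ping of death from 123.123.123.123 to 124.124.124.124 on interface outside',
    'Nov  9 23:01:02 fw1.example.net %PIX-4-400099: IDS:2001 constructed test event from 123.123.123.123 to 10.0.0.7 on interface outside',
);

my ( %by_src, @unparsed );
for my $line (@sample) {
    my $rec = parse_pix_line($line);
    if ($rec) {
        $by_src{ $rec->{src} }++;
        printf "%-4s %-4s %s -> %s on %s (%s)\n",
            $rec->{ids}, $rec->{proto} // '-', $rec->{src}, $rec->{dst}, $rec->{iface}, $rec->{desc};
    }
    else {
        push @unparsed, $line;   # keep rejected lines visible instead of silently dropping them
    }
}
printf "%s: %d IDS event(s)\n", $_, $by_src{$_} for sort keys %by_src;
printf "%d line(s) did not match the pattern\n", scalar @unparsed;
```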