解析syslog日志的代码 (Perl code for parsing syslog messages). Note: the backslashes in this listing's regexes and strings were lost in transcription — `d{1,2}` should read `\d{1,2}`, `bd` should read `\b\d`, `[:[]` / `[:]]` should read `[:\[]` / `[:\]]`, and `$contentn` should read `$content\n` — so the code as printed does not even compile (the unescaped `/` inside the character class on the `$prog` match terminates that regex early).
#!Perl
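# Parse one pre-formatted syslog record into a "\n"-joined string of fields.
#
# The line is expected to look like (single spaces between the header parts):
#
#   <fac> <sev> <ipv4> <timestamp> <prog>[<pid>]: <evtid>: <user>: <category>: <content>
#
#   <fac>          1-2 digit syslog facility code (0-23), reported by name
#   <sev>          single-digit syslog severity (0-7), reported as the digit
#   <ipv4>         dotted quad; it and everything before it is discarded
#   <timestamp>    any of the layouts parse_time() understands
#   <prog>[<pid>]  program name (letters, spaces, "/") followed by a number in
#                  "[...]" or ":...:"; pid/evtid values above 65536 become 0
#   <evtid>, <user>, <category>  optional, each terminated by ":"
#   <content>      the rest of the line, truncated to 1023 bytes, with every
#                  "'" doubled
#
# A missing part keeps its default: "" for facility name/severity/ip/prog/
# category, 0 for pid/evtid/user.  Returns the ten values
#   facility-name, severity, ip, time, prog, pid, evtid, user, category, content
# joined with "\n".  Dies when $arg is the empty string, so a long-running
# caller should wrap the call in eval.  Each record is also echoed to STDOUT
# (kept from the original; it looks like a debugging trace).
#
# Fixes relative to the original:
#   - every match is captured explicitly instead of being read back from $&,
#     so a line that lacks a field can no longer inherit an earlier match
#     (from a previous field or a previous record), and the regexes whose
#     backslashes were lost in transcription are restored (\d, \b, \[, \], \/);
#   - $user and $category no longer include the separating space;
#   - an out-of-range facility code yields "" rather than undef;
#   - the unused severity-name table and the undef of $dbh/$sth (globals this
#     parser never uses, so undef'ing them could only hurt a caller's DB
#     handle) are gone.
#
# NOTE(review): doubling "'" in $content looks like hand-rolled escaping for a
# string-built SQL INSERT (the original also touched $dbh/$sth here).  It does
# not cover $prog/$user/$category/$ip/$tm -- all copied verbatim from the log
# line, i.e. attacker-controlled whenever the log source is remote -- and a
# backslash before the quote defeats it on MySQL-style escaping.  The consumer
# of the return value should bind each field with a DBI placeholder instead of
# interpolating; the doubling is retained only so existing output is unchanged.
# $content may also still contain "\n" (nothing strips it), so a consumer that
# splits the return value on "\n" should limit the split to ten fields.
sub handle_syslog
{
    my ($arg) = @_;
    die "the argument of syslog is empty" if $arg eq "";

    my @facility_names = (
        "kernel messages",
        "user-level messages",
        "mail system",
        "system daemons",
        "security/authorization messages (note 1)",
        "messages generated internally by syslogd",
        "line printer subsystem",
        "network news subsystem",
        "UUCP subsystem",
        "clock daemon (note 2)",
        "security/authorization messages (note 1)",
        "FTP daemon",
        "NTP subsystem",
        "log audit (note 1)",
        "log alert (note 1)",
        "clock daemon (note 2)",
        "local use 0 (local0)",
        "local use 1 (local1)",
        "local use 2 (local2)",
        "local use 3 (local3)",
        "local use 4 (local4)",
        "local use 5 (local5)",
        "local use 6 (local6)",
        "local use 7 (local7)",
    );

    # Numeric codes come first: 1-2 leading digits, then the first lone digit
    # bracketed by spaces.  Either may be absent.
    my $facility = $arg =~ /^(\d{1,2})/ ? $1 : "";
    my $severity = $arg =~ / (\d) /    ? $1 : "";
    my $facility_name = ($facility ne "" && $facility < @facility_names)
                      ? $facility_names[$facility]
                      : "";

    # Source address: the first dotted quad.  Everything up to it, the address
    # itself and the one character after it are consumed.
    my $ip = "";
    if ($arg =~ /\b(\d{1,3}(?:\.\d{1,3}){3})\b/) {
        $ip  = $1;
        $arg = _skip_past($arg, $+[0] + 1);
    }

    my ($tm, $rest) = parse_time($arg);
    $arg = $rest;

    # Program name: letters/spaces/slashes directly followed by a number in
    # "[...]" or ":...:" (e.g. "sshd[1234]").  Names of 64+ chars are rejected
    # and left in the line, as in the original.
    my $prog = "";
    if ($arg =~ /([A-Za-z \/]+)[:\[][ \d]+\b[:\]]/ && length($1) < 64) {
        $prog = $1;
        $arg  = _skip_past($arg, $+[1]);
    }

    # Process id: the digits inside the bracket that followed $prog.  Only the
    # first six digits are looked at; anything above 65536 is reported as 0
    # and left in the line (as in the original).
    my $pid = 0;
    if ($prog && $arg =~ /[:\[]([ \d]+)\b[:\]]/) {
        my $from = $-[1];
        my ($digits) = $1 =~ /(\d+)/;
        $digits = substr($digits, 0, 6);
        if ($digits <= 65536) {
            $pid = $digits;
            $arg = _skip_past($arg, index($arg, $pid, $from) + length($pid));
        }
    }

    # Event id: ": <digits>:" right after the pid, same 6-digit/65536 rule.
    my $evtid = 0;
    if ($prog && $arg =~ /: (\d+)\b:/) {
        my $from   = $-[1];
        my $digits = substr($1, 0, 6);
        if ($digits <= 65536) {
            $evtid = $digits;
            $arg   = _skip_past($arg, index($arg, $evtid, $from) + length($evtid));
        }
    }

    # User: ": <word>:" or ": <word> <word>:" (second word 2+ letters), any
    # case.  The original spelled this as three alternatives with the middle
    # one redundant, which suggests a "\\" (DOMAIN\user) was lost in
    # transcription -- TODO confirm against the original source.
    my $user = 0;
    if ($arg =~ /: ([a-z]+(?: [a-z]{2,})?):/i) {
        if (length($1) < 64) {
            $user = $1;
            $arg  = _skip_past($arg, $+[1]);
        }
        else {
            $user = "";
        }
    }

    # Category: ": <text>:" where some later ":" on the line is preceded by a
    # word character (the original's ".+\b:").  The field is the text up to
    # the FIRST ":" after the separator; the ": " following it is skipped too.
    my $category = "";
    if ($arg =~ /: (?=.+\b:)([^:]*):/ && length($1) <= 64) {
        $category = $1;
        $arg      = _skip_past($arg, $+[1] + 2);
    }

    # Whatever is left is the message body, capped at 1023 bytes.
    my $content = length($arg) > 1024 ? substr($arg, 0, 1023) : $arg;

    my @fields = ($facility_name, $severity, $ip, $tm, $prog, $pid, $evtid,
                  $user, $category, $content);
    print join(", ", @fields), "\n";

    # See NOTE(review) above: this is not sufficient SQL escaping on its own.
    $fields[-1] =~ s/'/''/g;
    return join("\n", @fields);
}

# Return $s from offset $pos on, or "" when $pos lies past the end (where
# substr would return undef and warn).
sub _skip_past
{
    my ($s, $pos) = @_;
    return $pos <= length($s) ? substr($s, $pos) : "";
}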
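# Split a leading timestamp off a syslog line.
#
# Recognised layouts, tried in this order:
#   "Mon  D HH:MM:SS"        BSD syslog (no year: the current year is assumed)
#   "Mon  D YYYY HH:MM:SS"   month name with an explicit 2-4 digit year
#   "YYYY-MM-DD HH:MM:SS"    ISO-style date (2-4 digit year)
#
# Returns a two-element array ("Y-M-D HH:MM:SS", $rest).  Year, month and day
# are copied from the line without re-padding ("2023-05-06" keeps "05"/"06";
# the month-name forms give the month as 1-12), and $rest is $arg with the
# timestamp and the single character after it removed.  If nothing matches,
# the current local date and time are returned and $arg comes back unchanged;
# an unrecognised month name keeps the current month (as the original did).
#
# Fixes relative to the original: regexes whose backslashes were lost in
# transcription are restored (\b, \d), the time-of-day is matched as
# HH:MM:SS instead of the loose "[\d{2}:]+\b\d{2}" character class, the
# match offset is used instead of index() (which could find an earlier copy
# of the same text), and a timestamp at the very end of the line yields ""
# instead of undef.
#
# NOTE(review): a 2-digit year is used as-is ("23-1-5 ..."); nothing expands it.
# NOTE(review): the timestamp is searched for anywhere in the line (\b, not ^),
# so a date-looking token inside the message body can be picked up when the
# real header has already been consumed.
sub parse_time
{
    my ($arg) = @_;

    my %month_number;
    @month_number{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = (1 .. 12);

    # Defaults: now, in local time (unpadded, as in the original).
    my ($sec, $min, $hour, $day, $mon, $year) = localtime();
    $year += 1900;
    $mon  += 1;
    my $clock = "$hour:$min:$sec";

    my $hms = qr/\d{2}:\d{2}:\d{2}/;
    my $end = -1;                       # offset just past the matched timestamp

    if ($arg =~ /\b([A-Z][a-z]{2}) +(\d{1,2}) ($hms)/) {
        ($day, $clock, $end) = ($2, $3, $+[0]);
        $mon = $month_number{$1} if exists $month_number{$1};
    }
    elsif ($arg =~ /\b([A-Z][a-z]{2}) +(\d{1,2}) +(\d{2,4}) ($hms)/) {
        ($day, $year, $clock, $end) = ($2, $3, $4, $+[0]);
        $mon = $month_number{$1} if exists $month_number{$1};
    }
    elsif ($arg =~ /\b(\d{2,4})-(\d{1,2})-(\d{1,2}) +($hms)/) {
        ($year, $mon, $day, $clock, $end) = ($1, $2, $3, $4, $+[0]);
    }

    if ($end >= 0) {
        # Drop the timestamp plus the single separator character after it.
        $arg = $end + 1 <= length($arg) ? substr($arg, $end + 1) : "";
    }

    # Returned as an array rather than a list so a scalar-context caller still
    # gets the element count, exactly as the original "return @tmp" did.
    my @result = ("$year-$mon-$day $clock", $arg);
    return @result;
}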