Net::Dev::Tools::Syslog - Send, Listen Syslog messages, Parse syslog files.
Net::Dev::Tools::Syslog 0.8.0
use Net::Dev::Tools::Syslog; # # Syslog Parser # ($syslog, $error) = Net::Dev::Tools::Syslog->parse( -dump => <directory>, -append => <0|1>, -ext => <extension>, -report => <0|1>, -interval => <seconds>, -debug => <0|1|2|3>, -rx_time => <0|1>, -lastmsg => <0|1>, -min_date => <mm/dd/yyyy [hh:mm]>, -max_date => <mm/dd/yyyy [hh:mm]>, -device => <pattern>, -tag => <pattern>, -message => <pattern>, ); $parse = $syslog->parse_syslog_line(<line>); # # Syslog Send # ($send, $error) = Net::Dev::Tools::Syslog->send( -server => <address>, -port => <IP port>, -proto => <udp|tcp>, -facility => <facility>, -severity => <severity>, -timestamp => <timestamp>, -device => <device name>, -tag => <tag>, -pid => <pid>, -message => <message>, -strict => <0|1>, ); $send->send_msg( -server => <address>, -port => <IP port>, -proto => <udp|tcp>, -facility => <facility>, -severity => <severity>, -timestamp => <timestamp>, -device => <device name>, -tag => <tag>, -pid => <pid>, -message => <message>, -strict => <0|1>, ); # # Syslog Listen # ($listen, $error) = Net::Dev::Tools::Syslog->listen( -port => <IP port>, -proto => <udp|tcp>, -maxlength => <integer> -verbose => <0|1|2|3>, );
Module provides methods to parse syslog files, send syslog messages to syslog server, listen for syslog message on localhost.
parse method creates a class that will parse information from a syslog file entry (line) and return the information to the user. The object is first created with properties that define how a syslog line is to be worked on. The parse_syslog_line function (method) is then used to parse the syslog line and return a reference to a hash.
send method will send a syslog message to a syslog sever. The user can provide as much or as little information desired. The class will then create a syslog message from the information given or from default values and send the message to the desired server.
listen will open the desired port on the local host to listen for sylog messages. Message received on the port are assumed to be syslog messages and are printed to STDOUT.
See documentation for individual function/methods for more detail on usage and operation.
RFC 3164 describes the syntax for syslog message. This modules is intended to adhere to this description.
As described in the RFC, 'device' is a machine that can generate a message. A 'server' is a machine that receives the message and does not relay it to any other machine. Syslog uses UDP for its transport and port 514 (server side) has been assigned to syslog. It is suggested that the device source port also be 514, since this is no mandatory, this module does not enforce it.
Section 4.1 of RFC 3164 defines syslog message parts, familiarity with these descriptions will give the user a better understanding of the functions and arguments of this module. Maximum length of a syslog message must be 1024 bytes. There is no minimum length for a syslog message. A message of 0 bytes should not be transmitted.
4.1.1 PRI Part of RFC 3164 describes PRI. The PRI represents the syslog Priority value which represents the Facility and Severity as a decimal number bounded by angle brackets '<''>'. The PRI will have 3,4 or 5 characters. Since two characters are always the brackets, the decimal number is then 1-3 characters.
The Facility and Severity of a message are numerically coded with decimal values.
Numerical Facility Code 0 kernel messages 1 user-level messages 2 mail system 3 system daemons 4 security/authorization messages (note 1) 5 messages generated internally by syslogd 6 line printer subsystem 7 network news subsystem 8 UUCP subsystem 9 clock daemon (note 2) 10 security/authorization messages (note 1) 11 FTP daemon 12 NTP subsystem 13 log audit (note 1) 14 log alert (note 1) 15 clock daemon (note 2) 16 local use 0 (local0) 17 local use 1 (local1) 18 local use 2 (local2) 19 local use 3 (local3) 20 local use 4 (local4) 21 local use 5 (local5) 22 local use 6 (local6) 23 local use 7 (local7) Note 1 - Various operating systems have been found to utilize Facilities 4, 10, 13 and 14 for security/authorization, audit, and alert messages which seem to be similar. Note 2 - Various operating systems have been found to utilize both Facilities 9 and 15 for clock (cron/at) messages. Numerical Severity Code 0 Emergency: system is unusable 1 Alert: action must be taken immediately 2 Critical: critical conditions 3 Error: error conditions 4 Warning: warning conditions 5 Notice: normal but significant condition 6 Informational: informational messages 7 Debug: debug-level messages
Priority is calculated as: (Facility*8) + Severity. After calculating the Priority, bound it with barckets and its now a PRI. For example a daemon debug would be (3*8)+7 => 31 Priority, PRI <31>.
The header portion conatains a timestamp and the device name or IP.
The TIMESTAMP immediately follows the trailing ">" from the PRI. The TIMESTAMP is separated from the HOSTNAME by single space characters.
The TIMESTAMP field is the local time and is in the format of 'Mmm dd hh:mm:ss'.
Mmm is the month abbreviation, such as: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec. dd is day of month. If numeric day value is a single digit, then the first character is a space. This would make the format 'Mmm d hh:mm:ss'. hh:mm::ss are hour minute seconds, 0 padded. Hours range from 0-23 and minutes and seconds roange from 0-59.
A single space charater must follow the the TIMESTAMP field.
The HOSTNAME is separated from the precedding TIMESTAMP by single space characters. The HOSTNAME will be the name of the device as it knows itself. If it does not have a hostname, then its IP address is used.
The MSG part will fill the rest of the syslog packet. The MSG part is made of two parts the TAG and CONTENT. The TAG value is the name of the originating process and must not exceed 32 cahracters. The CONTENT is the details of the message.
Time::Local IO::Socket Sys::Hostname
parse_syslog_msg epoch_to_timestamp make_timeslots epoch_timeslot_index normalize_facility normalize_severity
:parser parse_syslog_msg :time epoch_to_timestamp, make_timeslots, epoch_timeslot_index :syslog normalize_facility, normalize_severity
Constructor to create object to parse a syslog file's line. Arguments are used to define parsing. See function parse_syslog_line section to see how to parse the line.
($syslog, $error) = Net::Dev::Tools::Syslog->parse( -dump => <directory>, -append => <0|1>, -ext => <extension>, -report => <0|1>, -interval => <seconds>, -debug => <0|1|2|3>, -rx_time => <0|1>, -lastmsg => <0|1>, -min_date => <mm/dd/yyyy [hh:mm]>, -max_date => <mm/dd/yyyy [hh:mm]>, -device => <pattern>, -tag => <pattern>, -message => <pattern>, );
Argument Checks:
If -dump is used, then argument must be a directory, current directory is not assumed. The directory provided must exist and allow user write access. If -interval is less than 60, it is set to 60. If -min_date and/or -max_date are given there syntax and range are checked.
Return, in list context will return reference to object and error. In scalar context returns reference to object.
Enable creation of separate syslog files. Each file created will only contain lines for the device defined in the syslog message. The <directory> argument define a directory to where device specific syslog files are dumped. Current directory is not assumed. Directories are checked for existence and writability. Default = FALSE, no dumps
If 0, device files created due to -dump are overwritten. If 1, device files created due to -dump are appended to. Default = 0, (overwrite)
File extension to use for device files created due to -dump being enabled. Default = 'slp', (SysLog Parsed)
If 0 no data is stored in the object. If 1 data is stored. For each line successfully parsed, information is pushed on to @DATA. See Data Access section for access information. Default = 1
The amount of seconds to use when making timeslots. make_timeslots function will make timeslot ranging from min and max time found or given. The timeslot info can then be used to create stats for desired time intervals. See @TIMESLOTS for more info. Min value is 60 (1 minute). Default is 3600 (1 hour).
Set debug level, verbosity increases as number value increases.
Set flag to use the receive time and not the timestamp from the sylog message. Some syslog deamon prepend information to the syslog message when writing to a file. If a receive time is one of these fields, then it can be used. This will normalize all times to when they are received by the serever. Default is 0
Set flag to to handle last message as previous message. If true and the syslog message has the pattern 'last message repeated N time',then we replace this current line with the previous line. Otherwise the 'last message' line is treated as all other syslog lines. The tag will be defined as 'lastmsg', pid and content set to ''. Default is 0.
If given, then will be used to filter dates. Only lines with dates greater to or equal to this will be be parsed. This check is performed after -rx_time, thus filter applies to whatever date you decide to keep. You must enter mm/dd/yyyy, other values will default: ss defaults to 0 if hh:mm given, 59 if no time given mm defaults to 0 if hh: given, 59 if no time given hh defaults to 23 if no time given Mmm/dd/yyyy can als be use, where Mmm is Jan, Feb, Mar,...
If given, then will be used to filter dates. Only lines with dates less than or equal to this will be be parsed. This check is performed after -rx_time, thus filter applies to whatever date you decide to keep. Apply same syntax rules as -min_date
If given, only device fields matching the pattern are kept. Text strings or Perl regexp can be given.
If given, only tag fields matching the pattern are kept. Text strings or Perl regexp can be given.
If given, only message fields matching the pattern are kept. Text strings or Perl regexp can be given.
($parse, $error) = $syslog->parse_syslog_line(<line>);
Method to parse the syslog line. If syslog line <line> is not given as argument then $_ is parsed.
Some syslog daemons may prepend other information when writing syslog message to syslog file. &parse_syslog_line will detect this by applying a regexp match for an RFC 3164 syslog message. The match will be treated as the syslog message, any string found before the match will be considered a preamble. The preamble will be parsed for receive time, syslog priority (facility.severity) and source IP address. This info is avaliable to the user.
This function also assumes all lines contain a 'tag' as described in RFC 3164. If a syslog message does not contain a tag then the hash key tag ( $hash{tag} ) is set to 'noTag'. A tag is not assumed to have a PID as described by the RFC. For tag's not containing a PID, $hash{pid} = ''. If a syslog message is '... last line repeated N time', then $hash{tag} is set to 'lastmsg'.
$parse_syslog_line calls &parse_syslog_msg and &parse_preamble to parse respective information. Any facility or severity parsed is normalized to the stings listed in @FACILITY and @SEVERITY.
Syslog messages are the stings matched by $SYSLOG_msg. Changing this string to something else allows the user to modify the parser.
See Data Access Section for hash access.
In list context a reference to a hash and error are returned. In scalar context, a reference to a hash is returned.
Events to Return Error:
Constructor to create object that will send syslog messages from localhost. Arguments define all portions of a RFC 3164 Syslog message. Message is sent when &send_msg is called.
Any argument can be defined now or when &send_msg is called. This allows the user to set values that are static for their needs or change dynamically each time a message is sent.
($syslog, $error) = Net::Dev::Tools::Syslog->send( -server => <server IP>, [-port => <destination port>,] [-proto => <udp|tcp>,] [-facility => <facility string>,] [-severity => <severity string>,] [-timestamp => <message timestamp>,] [-device => <device name>,] [-tag => <tag>,] [-pid => <tag PID>,] [-message => <syslog message>,] [-strict => <0|1>,] );
Destination Syslog Server IP Address. Default 127.0.0.1
Destination Port. Default is 514.
IP protocol to use, default is udp.
Syslog Facility to use. Default is 'user'.
Syslog Severity to use. Default is 'debug'.
Timestamp to put in to syslog message. Default is current time.
Device name to put in to syslog message. Default is $HOSTNAME
Syslog message tag. Default is NetDevSyslog.
Syslog message tag PID, enlcosed in '[' ']'. Default is 1.
By default strict syntax is enforced, this can be disabled with -strict. Strict rules allow message to be no longer than 1024 and tag within message to be no longer than 32.
Function will create a RFC 3164 syslog message and send to destination IP:port. For values not defined by user, defaults will be used. The same arguments given for the constructor 'send' apply to this function. Thus any value can be changed before transmission.
($ok, $error) = $syslog->send_msg( [-server => <server IP>,] [-port => <destination port>,] [-proto => <udp|tcp>,] [-facility => <facility string>,] [-severity => <severity string>,] [-timestamp => <message timestamp>,] [-device => <device name>,] [-tag => <tag>,] [-pid => <tag PID>,] [-message => <syslog message>,] [-strict => <0|1>,] );
For any error detected, the message will not be sent and undef returned. For each message sent, the socket is opened and closed. If message is sent, '1' is returned.
Constructor to create object that listens on desired port and prints out messages received. Message are assumed to be syslog messages.
($syslog, $error) = Net::Dev::Tools::Syslog->listen( [-port => <port>,] [-proto => <udp|tcp>,] [-maxlength => <max message length>,] [-packets => <integer>], [-verbose => <0|1|2>,] [-report => <0|1>], );
Message received will be printed to STDOUT.
CTRL-C will shutdown the socket and return control back to caller.
If -report option is enabled, then a reference to object that can be used to access @DATA and populate %STATS will be returned.
Otherwise a counter value indicating a message received is returned.
Local port to listen for messages. Messages are assumed to be syslog messages. Some OS's may require root access. Default is 514.
Protocol to use. Default is udp.
Max message length. Default is 1024
Shutdown socket listening on after N packets are received on the given port. At least one packet must be received for packet count to be checked.
Verbosity level
Perform same reporting as the parse method does. All arguments to the parse method can be used on this method. Unlike the parse method, reporting is off by default for listen method.
Initialize the hash storing the current syslog line information.
$syslog->init();
Function to loop through all filehandles opened for dumping a syslog line to a device specific file.
$syslog->close_dumps();
Function to loop through @DATA and create %STATS. %STATS is a complex data structure storing statistics of the current syslog file. See Data Access section.
$stat_ref = $syslog->syslog_stats( [min => <mm/dd/yyy [hh:mm:ss]>], # min date [max => <mm/dd/yyy [hh:mm:ss]>], # max date );
Function to convert epoch seconds to a RFC 3164 syslog message timestamp. If epoch seconds not given, then current time is used.
$timestamp = epoch_to_timestamp($epoch);
Function to convert epoch seconds to a common date string. If epoch seconds not given, then current time is used.
$date_str = epoch_to_datestr($epoch)
Date string format Mmm/dd/yyyy hh:mm:ss
Function to convert date given for a filter to epoch seconds.
$epoch = date_filter_to_epoch(<mm/dd/yyyy [hh:mm:ss]>);
Function to validate that a given timestamp matches the syntax defined by RFC 3164. If valid, then '1' is returned, if invalid then '0' is returned.
$ok = validate_timestamp_syntax($timestamp);
Function to create @TIMESLOTS given the min/max epoch seconds and the interval. Will start at min epoch value and increment until reaching or exceeding the max epoch value. For each increment an index is made based on the min epoch for that interval. The index is created with &epoch_to_datestr.
make_timeslots($min_epoch, $max_epoch, $interval);
Min and max values are mandatory and are checked to be greater or less than the other value. If $interval is not given, function defaults to 60 seconds.
The created list is built as such
@TIMESLOTS = ([$index, min_epoch, $max_epoch], ...);
This list can be used to group syslog messages to a specific timeslot. From the syslog line we have epoch seconds, this list provides a range to check the epoch seconds against and the index for that range.
Function that takes a given epoch second value and returns the timeslot index value for that value from @TIMESLOTS.
$index = epoch_timeslot_index($epoch);
If no match is found, undef is returned.
Function to take a character string representing a facility and return a normalize string contained in @FACILITY.
$facility = normalize_facility($facility);
If given string is not normailized, it is returned
Function to take a character string representing a severity and return a normalize string contained in @SEVERITY.
$severity = normalize_severity($severity);
Function to decode PRI in decimal format to a Facility and Severity. Can accept either decimal number or decimal number bounded by '<' '>'.
In list context will return lis tof information, in scalar context will return respective Facility and Severity strings joined with '.'.
@pri = decode_PRI($pri_dec); $PRI = decode_PRI($pri_dec); $pri[0] PRI decimal value $pri[1] Facility decimal value $pri[2] Severity decimal value $pri[3] PRI character string (join facility and severity string) $pri[4] Facility charater string $pri[5] Severity charater string
Given PRI value is checked to be between 0 and 191. If not, then undef is returned in scalar context and for list values any decimal number is -1, P?, F?, S? for PRI, Facility Severity character strings respectively
Set the value used by methods and functions of this module to the current year as known by localtime. Syslog message timestamps do not conatain year information. A user may need to change this when looking a a syslog from a different year.
If no value is given, then the current year is assumed, otherwise the year is set to the argument.
$syslog->set_year(2003); # set year to 2003 $syslog->set_year(); # set year to ((localtime)[5]) + 1900
Return reference to @DATA.
Return reference to %STATS
Return reference to @DEVICES
Return reference to @FACILITY
Return reference to @SEVERITY
Return reference to @TAGS
Return reference to @TIMESLOTS
Return last error.
List of all syslog facilities strings as defined by RFC 3164. Any facility string parse or given by the user is normalized to strings found in this list.
List of all syslog severities strings as defined by RFC 3164. Any severity string parse or given by the user is normalized to strings found in this list.
Hash whose keys are syslog facility strings and whose value is the decimal representation of that facility.
Hash whose keys are syslog severity strings and whose value is the decimal representation of that severity.
The pattern used to parse any RFC 3164 syslog message.
The hash reference returned by function parse_syslog_line has the following keys:
$hash_ref->{line} current line from syslog file {timestamp} timestamp from syslog message {device} device name from syslog message {message} syslog message, from after devname {month_str} month from syslog message timestamp (Jan, Feb, ..) {month} month index 0->11 {day} day from syslog message timestamp {time_str} hh:mm:ss from syslog message timestamp {hour} hh from syslog message timestamp {min} mm from syslog message timestamp {sec} ss from syslog message timestamp {year} year assumed from localtime {epoch} epoch time converted from syslog message timestamp {wday} wday integer derived from epoch (0-6) = (Sun-Sat) {wday_str} wday string converted, (Sun, Mon, ...) {date_str} syslog message {epoch} convert to common format {tag} syslog message content tag {pid} syslog message content tag pid {content} syslog message content after tag parsed out {preamble} fields prepended to syslog message {rx_epoch} extra info: rx time epoch {rx_timestamp} extra info: rx timestamp {rx_priority} extra info: priority (text) {rx_facility} extra info: syslog facility (text) {rx_severity} extra info: syslog severity (text) {srcIP} extra info: src IP address {rx_epoch} extra info: rx time epoch {rx_date_str} extra info: rx time date string {rx_time_str} extra info: rx time (hh:mm:ss) {rx_year} extra info: rx time year value {rx_month} extra info: rx time month value {rx_month_str} extra info: rx time month value string (Jan, Feb,..) {rx_day} extra info: rx time day value {rx_wday} extra info: rx time weekday (0-6) (Sun, Mon,..) {rx_hour} extra info: rx time hour value {rx_min} extra info: rx time minute value {rx_sec} extra info: rx time second value
@DATA is a array of hashes. Each @DATA element is a hash whose keys hold info for each line successfully parsed. @DATA is populated when -report set to 1.
@DATA = ( { timestamp => <timestamp from syslog message>, epoch => <timestamp converted to epoch seconds>, device => <device name from syslog message>, rx_time => <received timestamp>, rx_epoch => <rx_time converted to epoch seconds>, rx_priority => <received priority>, rx_facility => <received facility>, rx_severity => <received severity>, rx_srcIP => <received src IP>, }, ... );
Multi-level hash that store statisticis from information stored in @DATA. This hash is created with &syslog_stats and should be considered a convienience function to gather stats. This only represent some basic stats that I thought everyone would want. A user can derive their own by looping through @DATA or examining the the different fields in hash reference returned by &parse_syslog_line.
All of the values listed below are incremented (counter). Strings enclosed in '<' '>' denote keys derived from information found in the syslog file. $STATS{syslog}{messages} {min_epoch} {max_epoch} {min_date_str} {max_date_str} {tag}{<tag>}{messages} {facility}{<rx_facility>}{messages} {severity}{<rx_severity>}{messages} $STATS{device}{<dev>}{messages} {min_epoch} {max_epoch} {min_date_str} {max_date_str} {tag}{<tag>}{messages} {facility}{<rx_facility>}{messages} {severity}{<rx_severity>}{messages}
@TIMESLOTS is a list of time intervals ranging from the min to max value provided to &make_timeslots function. A @TIMESLOTS element contains 3 values
@TIMESLOTS = ([index, min_epoch, max_epoch], ...); index - Unique string created to indicate start of timeslot Mmm/dd/yyyy hh:mm min_epoch - is begining of the timeslot interval in epoch seconds. max_epoch - is ending of the timeslot interval in epoch seconds.
List of devices found. Created when -report is true. When a device is firsted learned, its device name as known from the sylog message is pushed on to this list.
List of tags found. Created when -report is true. When a tag is firsted learned, its name as known from the sylog message is pushed on to this list.
sparsons@cpan.org
Copyright (c) 2004 Scott Parsons All rights reserved. This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.
2 POD Errors
The following errors were encountered while parsing the POD:
'=item' outside of any '=over'
You forgot a '=back' before '=head1'
To install Net::Dev::Tools::Syslog, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Net::Dev::Tools::Syslog
CPAN shell
perl -MCPAN -e shell install Net::Dev::Tools::Syslog
For more information on module installation, please visit the detailed CPAN module installation guide.