NAME
Ossec::Log::Parse - Object-oriented Perl interface for parsing Ossec alert files
SYNOPSIS
    ### Sample alert ###
    #
    # ** Alert 1443175627.1028: mail - syslog,fts,authentication_success
    # 2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
    # Rule: 10100 (level 4) -> 'First time user logged in.'
    # Src IP: 10.0.0.2
    # User: phirelight
    # Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

    use Ossec::Log::Parse;

    my $parse = Ossec::Log::Parse->new('/path/to/logfile');

    # getAlert() returns one parsed alert per call and undef at EOF
    while ( my $alert = $parse->getAlert() ) {
        print $alert->{'ts'};
        # 1443175627.1028
        print $alert->{'ts.human'};
        # 2015 Sep 25 06:07:07
        print $alert->{'type'};
        # mail
        print $alert->{'group'};
        # syslog,fts,authentication_success
        print $alert->{'agent.name'};
        # i7dev
        print $alert->{'agent.ip'};
        # 10.0.0.4
        print $alert->{'location'};
        # /var/log/auth.log
        print $alert->{'rule.id'};
        # 10100
        print $alert->{'rule.level'};
        # 4
        print $alert->{'rule.comment'};
        # First time user logged in
        print $alert->{'source.ip'};
        # 10.0.0.2
        print $alert->{'user'};
        # phirelight
        print $alert->{'full_log'};
        # Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    }
ABSTRACT
Perl interface for parsing Ossec alert files
DESCRIPTION
This library provides an easy and convenient way to parse the log files generated by Ossec.
Constructor
The base constructor for Ossec::Log::Parse is called new. It can be called in several ways, depending on the options you want to set. In a nutshell, you can pass no argument (data is read from <>); a string, which is interpreted as a file name; a file handle, which is read from directly; or a hash reference that can carry any of these options and set a few more parameters.

new()
    No argument is passed. The resulting object reads Ossec alert log data from <>.

new('/path/to/file')
    Passing a string to the constructor reads Ossec alert log data from the named file. If the file does not exist or cannot be opened, a fatal error is raised.

new($fh)
    Passing a file handle to the constructor reads Ossec alert log data from that file handle.

new({ option => value })
    Pass a hashref of options to the constructor. Options that can be given (in descending order of importance):

    fh
        Filehandle to be used as data source.

    file
        Name of file to be used as data source.

    diamond
        Boolean; if set to true, data is read from <> if no other data source is given.
FUNCTIONS
getAlert()
    Read the next alert from the input and return the parsed event data as a hash reference. Returns undef on EOF.
    The hash includes: ts, ts.human, type, group, agent.name, agent.ip, location, rule.id, rule.level, rule.comment, source.ip, user, full_log

fh()
    Return the filehandle data is read from. Returns undef if data is read from <>.

file()
    Return the filename data is read from. Returns undef if no filename was given in the constructor.
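The record layout the hash keys above map onto is simple enough to parse by hand, which is useful when the module is not installed or when you want to check its output against an independent reading of the file. The following is an added example, not Ossec::Log::Parse's own code: it re-implements parsing of the alerts.log layout shown in the SYNOPSIS, produces the same key names getAlert() returns, and then counts alerts at or above a level per source IP. The helper names (parse_alerts, parse_alert_block, alerts_by_source), the second sample record, and the assumption that a header without the mail flag reads "** Alert <ts>: - <groups>" are all mine, not the module's.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Added example; not Ossec::Log::Parse's own code. Helper names below are
# assumptions, not part of the module's API. Hash keys match getAlert().

# Constructed sample: two records separated by a blank line. The second
# header carries no "mail" flag (assumed layout: "** Alert <ts>: - <groups>").
my $sample = <<'END';
** Alert 1443175627.1028: mail - syslog,fts,authentication_success
2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 10.0.0.2
User: phirelight
Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

** Alert 1443175700.1100: - syslog,authentication_failed
2015 Sep 25 06:08:20 (i7dev) 10.0.0.4->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.9
User: root
Sep 25 06:08:19 i7dev sshd[17701]: Failed password for root from 10.0.0.9 port 50122 ssh2
END

# Parse one blank-line-delimited record into a hashref; undef if malformed.
sub parse_alert_block {
    my ($block) = @_;
    my @lines = split /\n/, $block;
    return undef if @lines < 3;
    my %alert;

    # "** Alert <ts>:[ mail] - <group,list>"
    return undef unless $lines[0] =~ /^\*\* Alert (\d+\.\d+):(?: (\S+))? - (\S+)/;
    @alert{'ts', 'type', 'group'} = ($1, defined $2 ? $2 : '', $3);
    $alert{'group'} =~ s/,$//;   # some OSSEC versions end the list with a comma

    # "<human ts> (<agent>) <agent ip>-><location>"; the "(agent)" part is
    # optional here so records without an agent name are still accepted.
    return undef unless $lines[1] =~
        /^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) )?(\S+?)->(.+)$/;
    @alert{'ts.human', 'agent.name', 'agent.ip', 'location'} = ($1, $2, $3, $4);

    # "Rule: <id> (level <n>) -> '<comment>'"
    return undef unless $lines[2] =~ /^Rule: (\d+) \(level (\d+)\) -> '(.*)'$/;
    @alert{'rule.id', 'rule.level', 'rule.comment'} = ($1, $2, $3);

    # Optional "Src IP:" and "User:" lines; everything after them is the raw log.
    my $i = 3;
    if ($i < @lines && $lines[$i] =~ /^Src IP: (\S+)$/) { $alert{'source.ip'} = $1; $i++ }
    if ($i < @lines && $lines[$i] =~ /^User: (.+)$/)    { $alert{'user'}      = $1; $i++ }
    $alert{'full_log'} = join "\n", @lines[$i .. $#lines];
    return \%alert;
}

# Split a whole alerts.log body into records and parse each one.
sub parse_alerts {
    my ($text) = @_;
    my @alerts;
    for my $block (split /\n{2,}/, $text) {
        next unless $block =~ /\S/;
        my $alert = parse_alert_block($block);
        push @alerts, $alert if $alert;
    }
    return \@alerts;
}

# Count alerts at or above $min_level per source IP.
sub alerts_by_source {
    my ($alerts, $min_level) = @_;
    my %count;
    for my $al (@$alerts) {
        next if $al->{'rule.level'} < $min_level;
        $count{ defined $al->{'source.ip'} ? $al->{'source.ip'} : 'unknown' }++;
    }
    return \%count;
}

my $alerts = parse_alerts($sample);
printf "%d alerts parsed\n", scalar @$alerts;
for my $al (@$alerts) {
    printf "%s level %s rule %s user=%s src=%s\n",
        $al->{'ts.human'}, $al->{'rule.level'}, $al->{'rule.id'},
        defined $al->{'user'} ? $al->{'user'} : '-',
        defined $al->{'source.ip'} ? $al->{'source.ip'} : '-';
}
my $by_src = alerts_by_source($alerts, 5);
print "$_: $by_src->{$_}\n" for sort keys %$by_src;
```

Run it as a plain script; with the sample above it reports two parsed alerts and one level-5-or-higher alert from 10.0.0.9. A record that does not match the three header lines is dropped rather than mis-assigned, so a truncated file tail cannot smear one alert's fields into the next.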
AUTHOR
Stefan Amyotte, <samyotte@phirelight.com>
This work is a modified version of Johanna Amann's Perl-Bro-Log-Parse repository.
COPYRIGHT AND LICENSE
Copyright 2015 by Stefan Amyotte This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.