NAME

Ossec::Log::Parse - Object-oriented Perl interface for parsing Ossec alert files

SYNOPSIS

### Sample alert ###
#
# ** Alert 1443175627.1028: mail  - syslog,fts,authentication_success
# 2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
# Rule: 10100 (level 4) -> 'First time user logged in.'
# Src IP: 10.0.0.2
# User: phirelight
# Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

use Ossec::Log::Parse;

my $parse = Ossec::Log::Parse->new('/path/to/logfile');
while ( $alert = $parse->getAlert() ) {
  print $alert->{'ts'};
  # 1443175627.1028
  print $alert->{'ts.human'};
  # 2015 Sep 25 06:07:07
  print $alert->{'type'};
  # mail
  print $alert->{'group'};
  # syslog,fts,authentication_success
  print $alert->{'agent.name'};
  # i7dev
  print $alert->{'agent.ip'};
  # 10.0.0.4
  print $alert->{'location'};
  # /var/log/auth.log
  print $alert->{'rule.id'};
  # 10100
  print $alert->{'rule.level'};
  # 4
  print $alert->{'rule.comment'};
  # First time user logged in
  print $alert->{'source.ip'};
  # 10.0.0.2
  print $alert->{'user'};
  # phirelight
  print $alert->{'full_log'};
  # Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
}

ABSTRACT

Perl interface for parsing Ossec alert files

DESCRIPTION

This library provides an easy and convenient way to parse the log files generated by Ossec.

Constructor

The base constructor for Ossec::Log::Parse classes is called new. There are several different ways of calling the constructor, depending on the options you want to set. In a nutshell, one can either pass no argument (data is read from <>); a string argument, which is interpreted as a file name; a file handle which is used to read data from; or an array reference that can use all of these options and set a few more parameter.

new()

The first invocation of the base constructor for Ossec::Log::Parse. No argument is passed. The resulting class reads Ossec alert log data from <>.

new('/path/to/file')

Passing a string to the constructor for Ossec::Log::Parse will read Ossec alert log data from the file pointed to. If the file pointed to does not exist or cannot be opened, a fatal error is raised.

new($fh)

Passing a file handle to the constructor for Ossec::Log::Parse will read Ossec alert log data from the filehandle.

new({ option => value })

Pass a hashref of options to the constructor for Ossec::Log::Parse. Options that can be given (in descending order of importance):

fh

Filehandle to be used as data source.

file

Name of file to be used as data source.

diamond

Boolean; if set to true, data is read from <>, if no other data source is given.

FUNCTIONS

getAlert()

Read input and return the parsed event data as a hash. Returns undef when on EOF.

Hash includes: ts, ts.human, type, group, agent.name, agent.ip, location, rule.id, rule.level, rule.comment, source.ip, user, full_log

fh()

Return the filehandle data is read from. Returns undef if data is read from <>.

file()

Return the filename data is read from. Returns undef if no filename was given in constructor.

AUTHOR

Stefan Amyotte, <samyotte@phirelight.com>

This work is a modified version of Johanna Amann repo Perl-Bro-Log-Parse.

COPYRIGHT AND LICENSE

Copyright 2015 by Stefan Amyotte This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.