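#! perl -slw
use strict;

# Splits router access-list (ACL) log lines of the %SEC-6-IPACCESSLOG* kind
# into pipe-separated fields, using plain numbered captures.
#
# The whole line is matched between ^ and $, and every captured field is
# limited by its own sub-pattern to letters, digits, whitespace and a little
# punctuation, so a '|' can never appear inside a field of the output.
#
# NOTE(review): the day (\d{2}) and the message id (\d{6}) are fixed widths.
# A line using any other width does not match and is skipped; confirm the
# widths against the device's real output.

my $re_datetime = qr[ [A-Z] [a-z]{2} \s \d{2} \s \d{2} : \d{2} : \d{2} ]x; # Aug 21 19:00:36
my $re_MIB      = qr/ \[ \d (?: \. \d+ )+ \] /x;        # [1.1.1.3.200.125]
my $re_msgid    = qr[ \d{6} : ]x;                       # 410381:
my $re_TZ       = qr[ [A-Z]{3} : ]x;                    # UTC:
my $re_type     = qr[ %SEC-6- [A-Z]+ : ]x;              # %SEC-6-IPACCESSLOGP:
my $re_listid   = qr[ list \s (\d+) ]x;                 # list 101
my $re_action   = qr[ [a-z]+ ]x;                        # denied
my $re_protocol = qr[ [a-z]+ ]x;                        # tcp
my $re_ip       = qr[ \d+ (?: \. \d+ ){3} ]x;           # 10.161.24.153 (shape only, octets are not range-checked)
my $re_port     = qr[ \( (\d+ (?: / \d+ )? ) \) ]x;     # (3988) or (8/0)
# "packets?" also accepts the plural; with a bare "packet" a line that
# summarises several packets fails the trailing $ and is dropped.
my $re_packets  = qr[ , \s+ ( \d+ ) \s+ packets? ]x;    # , 1 packet

my $re_log = qr[
    ^
    ( $re_datetime ) \s+        # 1  first date
    ( $re_MIB )      \s+        # 2  MIB
    ( $re_msgid )    \s+        # 3  message id
    ( $re_datetime)  \s+        # 4  second date
    ( $re_TZ )       \s+        # 5  time zone
    $re_type         \s+        #    message type, not captured
    $re_listid       \s+        # 6  list id
    ( $re_action )   \s+        # 7  action
    ( $re_protocol ) \s+        # 8  protocol
    ( $re_ip )       \s*        # 9  source address
    $re_port?        \s+        # 10 source port, optional
    -> \s+
    ( $re_ip )       \s*        # 11 destination address
    $re_port?                   # 12 destination port, optional
    $re_packets      \s*        # 13 packet count
    $
]x;

while( <DATA> ) {
    # In list context a successful match returns all thirteen captures and a
    # failed match returns the empty list.
    my @fields = $_ =~ m[$re_log];

    # Lines that do not fit the pattern are skipped without any report. When
    # the output feeds monitoring, count or log the skipped lines so that a
    # format change on the device does not silently hide events.
    next unless @fields;

    # A port is optional, so its capture is undef when the line has none.
    # Joining $1 .. $13 directly raised "Use of uninitialized value in join
    # or string" for such a line; undef is turned into an empty field here.
    print join '|', map { defined $_ ? $_ : '' } @fields;
}

=pod output

P:\test>285616
Aug 21 19:00:36|[1.1.1.3.200.125]|410381:|Aug 21 23:00:35|UTC:|101|denied|tcp|10.161.24.153|3988|10.158.24.10|135|1
Aug 21 19:00:36|[1.1.1.3.200.125]|410382:|Aug 21 23:00:35|UTC:|101|denied|icmp|10.165.4.150||211.95.79.233|8/0|1

=cut

__DATA__
Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet
Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet
####
#! perl -slw
use strict;

# Same parser, but each field is stored by a (?{ ... }) code block that
# copies $^N, the text of the most recently closed capture group.
#
# use re 'eval' permits (?{ ... }) code in patterns that are put together at
# run time. While it is in effect, interpolate only the constant sub-patterns
# defined below into a pattern; text taken from the log or from a user must
# never be interpolated, or it must go through quotemeta first.
use re 'eval';

# Aug 21 19:00:36
my $re_datetime = qr[ [A-Z] [a-z]{2} \s \d{2} \s \d{2} : \d{2} : \d{2} ]x;
my $re_MIB      = qr/ \[ \d (?: \. \d+ )+ \] /x;        # [1.1.1.3.200.125]
my $re_msgid    = qr[ \d{6} : ]x;                       # 410381:
my $re_TZ       = qr[ [A-Z]{3} : ]x;                    # UTC:
my $re_type     = qr[ %SEC-6- [A-Z]+ : ]x;              # %SEC-6-IPACCESSLOGP:
my $re_listid   = qr[ list \s (\d+) ]x;                 # list 101
my $re_action   = qr[ [a-z]+ ]x;                        # denied
my $re_protocol = qr[ [a-z]+ ]x;                        # tcp
my $re_ip       = qr[ \d+ (?: \. \d+ ){3} ]x;           # 10.161.24.153
my $re_port     = qr[ \( (\d+ (?: / \d+ )? ) \) ]x;     # (3988) or (8/0)
# "packets?" also accepts the plural; with a bare "packet" a line that
# summarises several packets fails the trailing $ and is dropped.
my $re_packets  = qr[ , \s+ ( \d+ ) \s+ packets? ]x;    # , 1 packet

# Package variables written by the code blocks in $re_log. They are declared
# ahead of the pattern so that the embedded code is valid under use strict.
our( $first_date, $MIB, $msgID, $second_date, $TZ, $listID, $action,
     $protocol, $ip1, $port, $ip2, $port2, $packets );

# Each code block follows the group it reads. The two port blocks sit inside
# the optional group: placed after it, $^N still holds the address captured
# just before whenever the port is absent, and the address was printed in the
# port column.
my $re_log = qr[
    ^
    ( $re_datetime )  (?{ $first_date  = $^N }) \s+
    ( $re_MIB )       (?{ $MIB         = $^N }) \s+
    ( $re_msgid )     (?{ $msgID       = $^N }) \s+
    ( $re_datetime)   (?{ $second_date = $^N }) \s+
    ( $re_TZ )        (?{ $TZ          = $^N }) \s+
    $re_type \s+
    $re_listid        (?{ $listID      = $^N }) \s+
    ( $re_action )    (?{ $action      = $^N }) \s+
    ( $re_protocol )  (?{ $protocol    = $^N }) \s+
    ( $re_ip )        (?{ $ip1         = $^N }) \s*
    (?: $re_port      (?{ $port        = $^N }) )? \s+
    -> \s+
    ( $re_ip )        (?{ $ip2         = $^N }) \s*
    (?: $re_port      (?{ $port2       = $^N }) )?
    $re_packets       (?{ $packets     = $^N }) \s*
    $
]x;

while( <DATA> ) {
    # Clear every field before matching. The code blocks only assign, so an
    # optional field that is absent from this line would otherwise keep the
    # value left by an earlier line.
    ( $first_date, $MIB, $msgID, $second_date, $TZ, $listID, $action,
      $protocol, $ip1, $port, $ip2, $port2, $packets ) = ( '' ) x 13;

    # Lines that do not fit the pattern are skipped without any report.
    print join '|',
        $first_date, $MIB, $msgID, $second_date, $TZ, $listID, $action,
        $protocol, $ip1, $port, $ip2, $port2, $packets
            if $_ =~ m[$re_log];
}

=pod output

P:\test>285616
Aug 21 19:00:36|[1.1.1.3.200.125]|410381:|Aug 21 23:00:35|UTC:|101|denied|tcp|10.161.24.153|3988|10.158.24.10|135|1
Aug 21 19:00:36|[1.1.1.3.200.125]|410382:|Aug 21 23:00:35|UTC:|101|denied|icmp|10.165.4.150||211.95.79.233|8/0|1

=cut

__DATA__
Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet
Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet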