Here's a little gratuitous sample code for Parse::RecDescent, seeing as I just spent Monday in a class with TheDamian teaching me all about it. :)
use strict;
use Parse::RecDescent;
use Data::Dumper;

my $grammar = q{
    viruslog: message(s)
        { %{$return} = map {@{$_}} (@{$item[1]}); }

    message: /^(\w+):\s+ (.*)/x
        { $return = [lc($1), $2]; }
};

my $parser = new Parse::RecDescent $grammar or die "Invalid grammar";

foreach (split /---+/, join '', <DATA>) {
    my $record = $parser->viruslog($_);
    print Dumper($record) if defined $record;
}

__DATA__
From: pminich@foo.com
To: esquared@foofoo.com
File: value.scr
Action: The uncleanable file is deleted.
Virus: WORM_KLEZ.H
----------------------------------
Date: 06/30/2002 00:01:21
From: mef@mememe.com
To: inet@microsoft.com
File: Nr.pif
Action: The uncleanable file is deleted.
Virus: WORM_KLEZ.H
----------------------------------
Which prints:
$VAR1 = {
          'file' => 'value.scr',
          'virus' => 'WORM_KLEZ.H',
          'to' => 'esquared@foofoo.com',
          'from' => 'pminich@foo.com',
          'action' => 'The uncleanable file is deleted.'
        };
$VAR1 = {
          'date' => '06/30/2002 00:01:21',
          'file' => 'Nr.pif',
          'virus' => 'WORM_KLEZ.H',
          'to' => 'inet@microsoft.com',
          'from' => 'mef@mememe.com',
          'action' => 'The uncleanable file is deleted.'
        };
Like the solutions above, this will give you a hash for each record to make it easy to insert into a database. But, you'll notice that I do almost no work to achieve the result. There are really only 2 lines of Perl (the codeblocks in the grammar) that actually do anything here (aside from the split)! It also will handle any new message types if they are ever added to your log.

And, I'm sure it could be even more simple, but I don't think it's too bad for being my first prog with Parse::RecDescent. :)

In reply to Re: virus log parser by joealba
in thread virus log parser by phaedo
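
The post mentions inserting each record hash into a database. The following is an added example, not part of the original post, of doing that step when the values (sender, attachment name) are free text taken from infected mail and the keys are whatever `\w+` word appears in the log. The table name `virus_log`, its column list and the helper `build_insert` are assumptions made for illustration.

```perl
use strict;
use warnings;

# Columns of the assumed virus_log table. A key outside this set is
# reported back to the caller and never placed into the SQL text.
my %COLUMN = map { $_ => 1 } qw(date from to file action virus);

# Turn one parsed record (hash ref, keys already lowercased by the grammar)
# into a parameterized INSERT, its bind values, and the list of skipped keys.
sub build_insert {
    my ($record) = @_;
    my (@cols, @binds, @unknown);
    for my $key (sort keys %$record) {
        if ($COLUMN{$key}) {
            push @cols,  $key;
            push @binds, $record->{$key};
        }
        else {
            push @unknown, $key;
        }
    }
    return unless @cols;
    # "from" and "to" are SQL keywords, so every identifier is quoted
    # (standard SQL double quotes; DBI's quote_identifier is the portable way).
    my $sql = sprintf 'INSERT INTO virus_log (%s) VALUES (%s)',
        join(', ', map { qq{"$_"} } @cols),
        join(', ', ('?') x @cols);
    return ($sql, \@binds, \@unknown);
}

# Constructed record: the apostrophe in the file name would break SQL built
# by string concatenation, and "xnote" stands for a field type added later.
my $record = {
    from  => 'pminich@foo.com',
    to    => 'esquared@foofoo.com',
    file  => q{order'2002.scr},
    virus => 'WORM_KLEZ.H',
    xnote => 'new field type',
};

my ($sql, $binds, $unknown) = build_insert($record);
print "$sql\n";
print "bind: $_\n" for @$binds;
print "skipped unknown field: $_\n" for @$unknown;
# With a DBI handle: $dbh->prepare($sql)->execute(@$binds);
```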
