First off, at the risk of sounding like one of them talking heads at an Academy Awards ceremony, I just want to thank everybody for their assistance with this thing. I was going nuts with it.

Secondly: I always preach to folks that I teach Perl to that one of the first rules of dealing with data is make sure you understand the data before you try to parse it. I should have listened to my own sermons as I belatedly noticed that there were two different line formats depending on if it was a TCP denial or an ICMP denial.

Thirdly, chunlou, enlil, chromatic and eric256 all suggested that I make my code more readable by using the qr construction. Advice that I heeded, and this contributed greatly to solving this. Both because it was more readable and because I ended up not re-typing the same regexes and fat fingering them.

First record type

For the tcp deny the record looked like (just to review):

Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet
and so to look for it I set up the following:
# Building blocks, each written once with qr// and reused below
my $dtg    = qr([A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+);   # e.g. "Aug 21 19:00:36"
my $thingy = qr([\.\d]+);                          # dotted address inside the [...] field
my $tz     = qr([A-Z]{3});                         # e.g. "UTC"
my $ipaddr = qr(\d+\.\d+\.\d+\.\d+);
# declared but not used by the two deny patterns
my $timestamp = qr/[A-Z][a-z]+ \d\d \d\d:\d\d:\d\d/;
my $address   = qr/[\.\d]+/;
my $id        = qr/\d+/;
my $timezone  = qr/[A-Z]+/;
# message id: ...LOGP lines carry ports, ...LOGDP lines carry icmp type/code
my $fragger = qr/(\%SEC-6-IPACCESSLOGP|\%SEC-6-IPACCESSLOGDP)/;
# captures: $1 syslog time, $2 device time, $3 message id, $4 list, $5 proto, $6 src, $7 dst, $8 packets
my $tcp_deny = qr/^($dtg)\s\[$thingy\]\s\d+:\s($dtg)\s$tz:\s$fragger\:\slist\s(\d+)\sdenied\s(tcp|udp|icmp)\s($ipaddr)\(\d+\)\s\-\>\s($ipaddr)\(\d+\),\s(\d+)\spacket/;
and I actually look for the packet thusly:
if ( $line =~ m@$tcp_deny@ ) { ... more stuff below

Second line format

The second record type looked like:

Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet
which used:
# same prefix as $tcp_deny; icmp lines carry "(type/code)" after the destination instead of ports
my $icmp_deny = qr/^($dtg)\s\[$thingy\]\s\d+:\s($dtg)\s$tz:\s$fragger\:\slist\s(\d+)\sdenied\s(tcp|udp|icmp)\s($ipaddr)\s\-\>\s($ipaddr)\s\(\d+\/\d+\),\s(\d+)\spacket/;

Why bother?

That, my fellow monks, is a tale to tell under Cool Uses for Perl once the script is all done and nice and tidy. It's a mess right now. Just a hint though: it has to do with all these virus attacks going on and how to find the infected machines...


Peter @ Berghold . Net

Seize the cow! Bite the day!

Nobody expects the Perl inquisition!

Test the code? We don't need to test no stinkin' code!
All code posted here is as is where is unless otherwise stated.

Brewer of Belgian style Ales


In reply to Summary: parsing CISCO ACL logs (was Re: Cisco Log Files: broken REGEX) by blue_cowdawg
in thread Cisco Log Files: broken REGEX by blue_cowdawg
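The following is an added example (my code, not blue_cowdawg's and not from this thread) showing one way to handle both line formats with a single shared prefix and Perl 5.10+ named captures, and then using the captures to total denied packets per source address, which is the direction the "Why bother?" section hints at. Assumptions not in the post: the ACL field is matched as \S+ so that named lists also work, the trailing word is accepted as either "packet" or "packets", and the four log lines are constructed from the two formats shown above (the fourth is a "permitted" line, included to show that it is skipped).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pieces written once with qr// and composed below.
my $dtg    = qr/[A-Z][a-z]+\s+\d+\s+\d+:\d+:\d+/;   # "Aug 21 19:00:36"
my $ipaddr = qr/\d{1,3}(?:\.\d{1,3}){3}/;
my $msgid  = qr/%SEC-6-IPACCESSLOG(?<kind>P|DP)/;    # P: ports logged, DP: icmp type/code logged

# Common prefix of both formats: syslog header, relay address in [...], sequence
# number, device timestamp and zone, message id, ACL, protocol.
# ACL is matched as \S+ (assumption: allow named as well as numbered lists).
my $prefix = qr/^(?<recv>$dtg)\s\[[\d.]+\]\s\d+:\s(?<dev>$dtg)\s(?<tz>[A-Z]{3}):\s${msgid}:\slist\s(?<acl>\S+)\sdenied\s(?<proto>\w+)\s/;

# Format 1 (IPACCESSLOGP):  src(port) -> dst(port), N packet(s)
my $tcp_udp = qr/${prefix}(?<src>$ipaddr)\((?<sport>\d+)\)\s->\s(?<dst>$ipaddr)\((?<dport>\d+)\),\s(?<count>\d+)\spackets?/;
# Format 2 (IPACCESSLOGDP): src -> dst (type/code), N packet(s)
my $icmp    = qr/${prefix}(?<src>$ipaddr)\s->\s(?<dst>$ipaddr)\s\((?<type>\d+)\/(?<code>\d+)\),\s(?<count>\d+)\spackets?/;
# "packets?" assumes the count word is pluralised for more than one packet.

# Return a hashref of the named captures for a deny line, or nothing if the
# line is neither format (permits, other message ids, garbage).
sub parse_deny {
    my ($line) = @_;
    for my $re ($tcp_udp, $icmp) {
        return { %+ } if $line =~ $re;   # %+ holds only the groups that matched
    }
    return;
}

# Total denied packets per source address across a list of lines.
sub tally_sources {
    my (@lines) = @_;
    my %denied;
    for my $line (@lines) {
        my $rec = parse_deny($line) or next;
        $denied{ $rec->{src} } += $rec->{count};
    }
    return \%denied;
}

# Constructed sample input, modelled on the two formats in the post.
my @sample = (
    'Aug 21 19:00:36 [1.1.1.3.200.125] 410381: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3988) -> 10.158.24.10(135), 1 packet',
    'Aug 21 19:00:36 [1.1.1.3.200.125] 410382: Aug 21 23:00:35 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.165.4.150 -> 211.95.79.233 (8/0), 1 packet',
    'Aug 21 19:00:41 [1.1.1.3.200.125] 410383: Aug 21 23:00:40 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.161.24.153(3991) -> 10.158.24.11(135), 3 packets',
    'Aug 21 19:00:42 [1.1.1.3.200.125] 410384: Aug 21 23:00:41 UTC: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.161.24.200(1025) -> 10.158.24.12(80), 1 packet',
);

my $first = parse_deny($sample[0]);
printf "%s %s -> %s:%s (%s)\n", $first->{proto}, $first->{src}, $first->{dst}, $first->{dport}, $first->{kind};

my $tally = tally_sources(@sample);
for my $src (sort { $tally->{$b} <=> $tally->{$a} } keys %$tally) {
    printf "%-15s %d denied packets\n", $src, $tally->{$src};
}
```

With the constructed input this reports 4 denied packets from 10.161.24.153 and 1 from 10.165.4.150; the "permitted" line matches neither pattern and is ignored. Because the port and type/code groups only exist in the record that produced them, a caller can tell the two formats apart by checking for `$rec->{dport}` or `$rec->{type}` instead of re-matching the line.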
