Dru has asked for the wisdom of the Perl Monks concerning the following question:

Greetings Monks,

I'm in need of your assistance once again. I have the below code. I am trying to match a username to an IP address if that person had that IP at the given time. All is well when there is a definite start and stop entry in the log, but sometimes someone starts and does not stop until the next day's log. What would be a good way to obtain these users?

Thanks
Dru

    #!/usr/bin/perl -w
    use strict;

    my $time = '02:42:10';
    my $ip   = '192.168.201.57';
    my ($ace_start_time,$ace_stop_time,$ace_user,$user);

    while (<DATA>){
        if (/\b$ip\b/){
            if (/Start/){
                ($ace_start_time,$ace_user) = (split/,/)[1,2];
                # What I tried to use, but doesn't work since it
                # will grab the first start entry
                if ($time gt $ace_start_time){
                    $user = $ace_user;
                    print "$user had $ip at this time\n";
                    last;
                }
            }
            elsif (/Stop/){
                ($ace_stop_time,$ace_user) = (split/,/)[1,2];
            }
            if ($ace_start_time && $ace_stop_time){
                if ( ($time gt $ace_start_time) && ($time lt $ace_stop_time) ){
                    $user = $ace_user;
                    last;
                }
            }
        }
    }
    __DATA__
    10/26/2004,00:02:41,jdoe,VPN_General,10.0.218.253,Stop,3D70FA44,3559,Framed,PPP,390032,3722000,4120,5306,192.168.201.57,20824,192.168.17.252
    10/26/2004,00:03:42,bsmith,VPN_General,10.0.76.203,Start,3D70FA86,,Framed,PPP,,,,,192.168.201.57,20925,192.168.17.252
    10/26/2004,00:23:03,bsmith,VPN_General,10.0.76.203,Stop,3D70FA86,1161,Framed,PPP,1136608,8358544,8534,10609,192.168.201.57,20925,192.168.17.252
    10/26/2004,00:23:16,syoung,VPN_General,10.0.132.222,Start,3D70FA99,,Framed,PPP,,,,,192.168.201.57,20944,192.168.17.252
    10/26/2004,02:34:44,syoung,VPN_General,10.0.132.222,Stop,3D70FA99,7886,Framed,PPP,432752,497712,2888,2665,192.168.201.57,20944,192.168.17.252
    10/26/2004,02:34:52,lgreen,VPN_General,10.0.202.214,Start,3D70FB46,,Framed,PPP,,,,,192.168.201.57,21153,192.168.17.252
    10/26/2004,02:39:04,lgreen,VPN_General,10.0.202.214,Stop,3D70FB46,253,Framed,PPP,14848,11552,160,111,192.168.201.57,21153,192.168.17.252
    10/26/2004,02:40:18,cred,VPN_General,10.0.207.7,Start,3D70FB4A,,Framed,PPP,,,,,192.168.201.57,21160,192.168.17.252

Replies are listed 'Best First'.
Re: Grabbing a Username from an Unfinished Log File
by Fletch (Bishop) on Oct 28, 2004 at 13:16 UTC

    You're probably going to have to parse both days' logs. That or do something like consolidating the information into a database every day and then query that for start / stop times.

Re: Grabbing a Username from an Unfinished Log File
by Limbic~Region (Chancellor) on Oct 28, 2004 at 14:15 UTC
    Dru,
    You might have to also consider what to do if they don't have a "Start" (the IP was already taken at the start of the log). The following code should do what you want though it isn't very elegant.

    Cheers - L~R

Re: Grabbing a Username from an Unfinished Log File
by ides (Deacon) on Oct 28, 2004 at 13:43 UTC
    Yeah, you'll need to put in a test so that if you find the stop time before finding a start, you open and spin through the previous day's file.

    Frank Wiles <frank@wiles.org>
    http://www.wiles.org

Re: Grabbing a Username from an Unfinished Log File
by TedPride (Priest) on Oct 29, 2004 at 10:08 UTC
    Well, you could keep track of which users are open from the previous log and put a Start statement for each of those at the beginning of the new log. Then all you have to do is look in the new log for a Start with no Stop between it and the first log message with a timestamp after the time you're looking for.

    You have to assume that some users might be logged in for more than one log file period, or that the log file might not yet contain a Stop (if they're still logged in).
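
An added example, not part of any post in this thread: one way to combine the replies above by reading both days' records in order, treating a Stop with no Start as a session that began before the first log, and leaving a Start with no Stop open. It assumes zero-padded dates and the posted field layout (user in field 3, event in field 6, assigned IP in field 15); the 10/27 row and the names `stamp`, `sessions` and `who_had` are constructed for the example.

```perl
use strict;
use warnings;

# Sentinels that sort before/after every real "YYYY-MM-DD HH:MM:SS" stamp.
my ($BEFORE, $OPEN) = ('0000 (before first log)', '9999 (no Stop logged)');

# Sortable stamp from the log's MM/DD/YYYY date and HH:MM:SS time.
sub stamp { my ($m, $d, $y) = split m{/}, $_[0]; return "$y-$m-$d $_[1]" }

# Build sessions per assigned IP from records given in chronological order.
sub sessions {
    my (%open, @all);
    for my $line (@_) {
        my @f = split /,/, $line;
        my ($user, $event, $ip, $ts) = (@f[2, 5, 14], stamp(@f[0, 1]));
        if ($event eq 'Start') {
            # Stop record missing: assume the lease ended when the IP was reassigned.
            $open{$ip}{stop} = "$ts (inferred)" if $open{$ip};
            push @all, ($open{$ip} = { user => $user, ip => $ip, start => $ts, stop => $OPEN });
        }
        elsif ($event eq 'Stop') {
            my $s = $open{$ip};
            if ($s && $s->{user} eq $user) { $s->{stop} = $ts; delete $open{$ip} }
            else { push @all, { user => $user, ip => $ip, start => $BEFORE, stop => $ts } }
        }
    }
    return @all;
}

# First session on $ip whose start..stop range contains $ts, or undef.
sub who_had {
    my ($ip, $ts, @s) = @_;
    return (grep { $_->{ip} eq $ip && $_->{start} le $ts && $ts le $_->{stop} } @s)[0];
}

# Rows dated 10/26 are from the question's log; the 10/27 row is constructed
# to stand in for the next day's file.
chomp(my @records = <DATA>);
my @sessions = sessions(@records);
for my $q (['10/26/2004', '00:01:00'], ['10/26/2004', '02:42:10'], ['10/27/2004', '02:00:00']) {
    my $s = who_had('192.168.201.57', stamp(@$q), @sessions);
    print "@$q: ", ($s ? "$s->{user}, $s->{start} to $s->{stop}" : 'no session'), "\n";
}
__DATA__
10/26/2004,00:02:41,jdoe,VPN_General,10.0.218.253,Stop,3D70FA44,3559,Framed,PPP,390032,3722000,4120,5306,192.168.201.57,20824,192.168.17.252
10/26/2004,02:34:52,lgreen,VPN_General,10.0.202.214,Start,3D70FB46,,Framed,PPP,,,,,192.168.201.57,21153,192.168.17.252
10/26/2004,02:39:04,lgreen,VPN_General,10.0.202.214,Stop,3D70FB46,253,Framed,PPP,14848,11552,160,111,192.168.201.57,21153,192.168.17.252
10/26/2004,02:40:18,cred,VPN_General,10.0.207.7,Start,3D70FB4A,,Framed,PPP,,,,,192.168.201.57,21160,192.168.17.252
10/27/2004,01:15:00,cred,VPN_General,10.0.207.7,Stop,3D70FB4A,81282,Framed,PPP,0,0,0,0,192.168.201.57,21160,192.168.17.252
```

In real use, feed `sessions` the lines of the previous day's file followed by the current one; a session still carrying the `no Stop logged` sentinel is the set of users to carry forward into the next file.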