in reply to CISCO Log file pattern matching (again!)

i would do it like this...

while (<DATA>) {
    # skip anything that is not an access-list log message
    next unless index($_, '%SEC-6-IPACCESSLOG') >= 0;
    # split on whitespace (with any adjacent ':' or ',') and on '/'
    @f = split /(?:[:,]*\s+:?|\/)/;
    print join($/, @f), $/;
}
__DATA__
Aug 22 11:46:27 masterudp003210uds.netops.msnyuhealth.org 148526: Aug 22 15:46:26 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.4.12.2 53 -> 10.7.151.48 :8/0:, 1 packet

$ perl log.pl 
Aug
22
11:46:27
masterudp003210uds.netops.msnyuhealth.org
148526
Aug
22
15:46:26
UTC
%SEC-6-IPACCESSLOGDP
list
101
denied
icmp
10.4.12.2
53
->
10.7.151.48
8
0
1
packet

inserting various checks on the fields after splice or shifting off of the front (probably a switch of some sort on the %PROCESS doing the logging)

Re: Re: CISCO Log file pattern matching (again!)
by blue_cowdawg (Monsignor) on Aug 25, 2003 at 18:24 UTC

    The main reason I do not use split to work these log lines is the fact that I am actually doing stuff based on the matching that I am doing. As well I am hoping to use the date stamps.

    Overall what I am developing is a script to search for hosts around three campuses (20,000 hosts+) that may or may not be infected with the latest round of viruses based on traffic patterns.


    Peter @ Berghold . Net

    Sieze the cow! Bite the day!

    Nobody expects the Perl inquisition!

    Test the code? We don't need to test no stinkin' code!
    All code posted here is as is where is unless otherwise stated.

    Brewer of Belgian style Ales

      using next/split on a mere 12 hours of logs => 2m12s. using a regex to attempt to match lines => 2m43s.

      not a lot, but it grows the bigger the files get.

      once the line is split...

      my @dateinfo = splice @f, 0, 3; ...

      trust me, it will be faster to split. especially if your logs get large.
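
The split-then-dispatch approach from this thread, carried through to a per-source tally of denied packets with the router date stamp kept. This is an added example, not code from any of the posters. The sample lines, the host gw1.example.net, the `%handler` table, `tally_denied` and the field layout assumed for `%SEC-6-IPACCESSLOGP` are all constructed for illustration.

```perl
use strict;
use warnings;

# Per-tag field layouts after the tag is shifted off; both are assumptions:
# DP follows the sample line in this thread, P assumes "addr(port) -> addr(port)".
my %handler = (
    '%SEC-6-IPACCESSLOGDP' => sub { my @f = @_; return @f[2, 3, 4, 7] },
    '%SEC-6-IPACCESSLOGP'  => sub {
        my @f = @_;
        s/\(\d+\)$// for @f[4, 6];    # drop "(port)" from source and destination
        return @f[2, 3, 4, 6];
    },
);

# Returns a hashref: source address => { count, first (router timestamp), dsts }.
sub tally_denied {
    my %seen;
    for (@_) {
        next unless index($_, '%SEC-6-IPACCESSLOG') >= 0;    # cheap pre-filter
        my @f = split /(?:[:,]*\s+:?|\/)/;
        my @dateinfo = splice @f, 0, 3;     # syslog month, day, time
        splice @f, 0, 2;                    # reporting host, sequence number
        my @router_ts = splice @f, 0, 4;    # router month, day, time, zone
        my $layout = $handler{ shift(@f) // '' } or next;    # unknown tag: skip
        my ($action, $proto, $src, $dst) = $layout->(@f);
        next unless $action eq 'denied';
        my $s = $seen{$src} ||= { count => 0, first => "@router_ts", dsts => {} };
        $s->{count}++;
        $s->{dsts}{$dst} = 1;
    }
    return \%seen;
}

# Constructed sample lines (host name and addresses are made up).
my @sample = (
    'Aug 22 11:46:27 gw1.example.net 148526: Aug 22 15:46:26 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.4.12.2 53 -> 10.7.151.48 :8/0:, 1 packet',
    'Aug 22 11:46:28 gw1.example.net 148527: Aug 22 15:46:27 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.4.12.2 53 -> 10.7.151.49 :8/0:, 1 packet',
    'Aug 22 11:46:29 gw1.example.net 148528: Aug 22 15:46:28 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.4.12.9(3124) -> 10.7.151.48(135), 1 packet',
    'Aug 22 11:46:30 gw1.example.net 148529: Aug 22 15:46:29 UTC: %SYS-5-CONFIG_I: Configured from console by vty0',
);

my $seen = tally_denied(@sample);
for my $src (sort { $seen->{$b}{count} <=> $seen->{$a}{count} } keys %$seen) {
    printf "%-15s %d denied to %d destinations, first at %s\n",
        $src, $seen->{$src}{count}, scalar keys %{ $seen->{$src}{dsts} }, $seen->{$src}{first};
}
```

The positional layouts depend on every line carrying both timestamps and the zone field; a router configured without the zone would shift the fields by one.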