Ossec::Log::Parse - Object-oriented Perl interface for parsing Ossec alert files
### Sample alert ###
#
# ** Alert 1443175627.1028: mail - syslog,fts,authentication_success
# 2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
# Rule: 10100 (level 4) -> 'First time user logged in.'
# Src IP: 10.0.0.2
# User: phirelight
# Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
use Ossec::Log::Parse;
my $parse = Ossec::Log::Parse->new('/path/to/logfile');
while ( $events = $parse->getAlert() ) {
print $alert->{ts};
# 1443175627.1028
print $alert->{ts.human};
# 2015 Sep 25 06:07:07
print $alert->{type};
# mail
print $alert->{group};
# syslog,fts,authentication_success
print $alert->{agent.name};
# i7dev
print $alert->{agent.ip};
# 10.0.0.4
print $alert->{location};
# /var/log/auth.log
print $alert->{rule.id};
# 10100
print $alert->{rule.level};
# 4
print $alert->{rule.comment};
# First time user logged in
print $alert->{full_log};
# Src IP: 10.0.0.2
# User: phirelight
# Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
}Perl interface for parsing Ossec alert files
This library provides an easy and convenient way to parse the log files generated by Ossec.
The base constructor for Ossec::Log::Parse classes is called new. There are several different ways of calling the constructor, depending on the options you want to set. In a nutshell, one can either pass no argument (data is read from <>); a string argument, which is interpreted as a file name; a file handle which is used to read data from; or an array reference that can use all of these options and set a few more parameter.
- new()
-
The first invocation of the base constructor for Ossec::Log::Parse. No argument is passed. The resulting class reads Ossec alert log data from
<>. - new('/path/to/file')
-
Passing a string to the constructor for Ossec::Log::Parse will read Ossec alert log data from the file pointed to. If the file pointed to does not exist or cannot be opened, a fatal error is raised.
- new($fh)
-
Passing a file handle to the constructor for Ossec::Log::Parse will read Ossec alert log data from the filehandle.
- new({ option => value })
-
Pass a hashref of options to the constructor for Ossec::Log::Parse. Options that can be given (in descending order of importance):
- fh
-
Filehandle to be used as data source.
- file
-
Name of file to be used as data source.
- diamond
-
Boolean; if set to true, data is read from
<>, if no other data source is given.
- getAlert()
-
Read input and return the parsed event data as a hash. Returns undef when on EOF.
Hash includes: ts, ts.human, type, group, agent.name, agent.ip, location, rule.id, rule.level, rule.comment, full_log
- fh()
-
Return the filehandle data is read from. Returns undef if data is read from
<>. - file()
-
Return the filename data is read from. Returns undef if no filename was given in constructor.
Stefan Amyotte, <samyotte@phirelight.com>
This work is a modified version of Johanna Amann repo Perl-Bro-Log-Parse.
Copyright 2015 by Stefan Amyotte This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.