Kevin R wrote:
>
> I am writing a perl script to parse some firewall logs and I think that
> there may be a better way of doing something than the one that I know.
>
> Syslog messages look as follows (IP addresses have been changed to protect
> the innocent)
>
> %PIX-6-106015: Deny TCP (no connection) from 1.1.1.1/80 to 2.2.2.2/2699
> flags PSH ACK on interface outside
>
> The info that I want to pull out of that line is source IP, source port,
> dest IP, dest port and flags (if any). The problem is that the flags can
> have from 0 to 6 values (SYN ACK PSH URG RST FIN). I have the following
> code that does it, but it is not very inefficient.
>
> open LOGFILE, '<', 'firewall.log' or die "Cannot open firewall.log: $!";
> while (<LOGFILE>) {
>     s/\// /g;                       # turn the IP/port slashes into spaces
>     @line = map { split ' ', $_ } $_;
That does exactly the same as:

    @line = split;

>     print "$line[6]";
>     print "$line[7]";
>     print "$line[9]";
>     print "$line[10]";

Those four lines could also be written as:

    print @line[6,7,9,10];

>     if ( $line[15] ne 'on' ) {
>         print "$line[15] ";
>         if ( $line[16] ne 'on' ) {
>             print "$line[16] ";
>             if ( $line[17] ne 'on' ) {
>                 print "$line[17] ";
>                 if ( $line[18] ne 'on' ) {
>                     print "$line[18] ";
>                     if ( $line[19] ne 'on' ) {
>                         print "$line[19] ";
>                         if ( $line[20] ne 'on' ) {
>                             print "$line[20] ";
>                             if ( $line[21] ne 'on' ) {
>                                 print "$line[21] ";
>                             }
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
>
> I guess I am just looking for better ways to parse this line. Does anyone
> have any ideas?

This should do what you want:

    while ( <LOGFILE> ) {
        my ( $src_ip, $src_port ) = /from\s+(\d+\.\d+\.\d+\.\d+)\/(\d+)/;
        my ( $dst_ip, $dst_port ) = /to\s+(\d+\.\d+\.\d+\.\d+)\/(\d+)/;
        my ( $flags ) = /flags\s+(.+?)\s+on interface/;
        print "$src_ip $src_port $dst_ip $dst_port $flags\n";
    }

John
--
use Perl;
program fulfillment
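A fuller version of John's regex approach, added here as an example (it is not code from either post): one anchored pattern with named captures that also handles the zero-flags case the question raises, skips lines that do not have the 106015 layout instead of printing empty fields, and tallies denies per source IP. The sample lines are constructed, and the message layout is assumed to be exactly as shown in the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not taken from the original post). The second
# line has no flags field at all; the third does not match the layout.
my @samples = (
    '%PIX-6-106015: Deny TCP (no connection) from 1.1.1.1/80 to 2.2.2.2/2699 flags PSH ACK on interface outside',
    '%PIX-6-106015: Deny TCP (no connection) from 1.1.1.2/443 to 2.2.2.2/4000 on interface outside',
    '%PIX-6-999999: constructed non-matching line',
);

# Parse one 106015 "Deny <proto> (no connection)" line into a hashref.
# Returns undef for lines that do not have that layout. Flags are optional
# and come back as an array ref holding 0..6 names, in the order logged.
sub parse_deny {
    my ($line) = @_;
    my $flag = qr/(?:SYN|ACK|PSH|URG|RST|FIN)/;
    return undef unless $line =~ m{
        ^%PIX-\d-106015:\s+Deny\s+(?<proto>\w+)\s+\(no\ connection\)\s+
        from\s+(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?<src_port>\d+)\s+
        to\s+(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?<dst_port>\d+)
        (?:\s+flags\s+(?<flags>$flag(?:\s+$flag)*))?
        \s+on\s+interface\s+(?<iface>\S+)\s*$
    }x;
    my %rec = %+;                                  # copy the named captures
    $rec{flags} = [ split ' ', $rec{flags} // '' ];  # absent flags -> []
    return \%rec;
}

my %denies_per_source;
for my $line (@samples) {
    my $rec = parse_deny($line);
    unless ($rec) { warn "skipping unparsed line: $line\n"; next }
    $denies_per_source{ $rec->{src_ip} }++;
    printf "%-15s %-5s -> %-15s %-5s %-4s flags=[%s] iface=%s\n",
        @{$rec}{qw(src_ip src_port dst_ip dst_port proto)},
        join(' ', @{ $rec->{flags} }), $rec->{iface};
}

print "denies per source IP:\n";
print "  $_ => $denies_per_source{$_}\n" for sort keys %denies_per_source;
```

Feeding it a real log is a matter of replacing @samples with `<LOGFILE>`; the per-source tally is the kind of summary that makes a scan against the firewall stand out from ordinary denied traffic.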