Ossec::Log::Parse - Object-oriented Perl interface for parsing ossec alert files
    ### Sample alert ###
    #
    # ** Alert 1443175627.1028: mail - syslog,fts,authentication_success
    # 2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
    # Rule: 10100 (level 4) -> 'First time user logged in.'
    # Src IP: 10.0.0.2
    # User: phirelight
    # Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

    use strict;
    use warnings;
    use Ossec::Log::Parse;

    my $parse = Ossec::Log::Parse->new('/path/to/logfile');

    # getAlert() returns one alert as a hash reference, or undef at EOF.
    # Keys containing a dot must be quoted.
    while ( my $alert = $parse->getAlert() ) {
        print $alert->{ts};               # 1443175627.1028
        print $alert->{'ts.human'};       # 2015 Sep 25 06:07:07
        print $alert->{type};             # mail
        print $alert->{group};            # syslog,fts,authentication_success
        print $alert->{'agent.name'};     # i7dev
        print $alert->{'agent.ip'};       # 10.0.0.4
        print $alert->{location};         # /var/log/auth.log
        print $alert->{'rule.id'};        # 10100
        print $alert->{'rule.level'};     # 4
        print $alert->{'rule.comment'};   # First time user logged in.
        print $alert->{full_log};         # Src IP: 10.0.0.2
                                          # User: phirelight
                                          # Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    }
Perl interface for parsing ossec alert files
This library provides an easy and convenient way to parse the log files generated by ossec.
The base constructor for ossec::log::parse classes is called new. There are several different ways of calling the constructor, depending on the options you want to set. In a nutshell, one can either pass no argument (data is read from <>); a string argument, which is interpreted as a file name; a file handle, which is used to read data from; or a hash reference that can express all of these options and set a few more parameters.
<>
The first invocation of the base constructor for ossec::log::parse. No argument is passed. The resulting class reads ossec alert log data from <>.
Passing a string to the constructor for ossec::log::parse will read ossec alert log data from the file it names. If that file does not exist or cannot be opened, a fatal error is raised.
Passing a file handle to the constructor for ossec::log::parse will read ossec alert log data from the filehandle.
Pass a hashref of options to the constructor for ossec::log::parse. Options that can be given (in descending order of importance):
Filehandle to be used as data source.
Name of file to be used as data source.
Boolean; if set to true, data is read from <>, if no other data source is given.
Read the next alert from the input and return the parsed event data as a hash reference. Returns undef at EOF.
The hash contains the keys: ts, ts.human, type, group, agent.name, agent.ip, location, rule.id, rule.level, rule.comment, full_log
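To make the alert layout behind these keys concrete, here is an added example (not code from Ossec::Log::Parse or its author) that parses the same alerts.log format stand-alone and produces a hash with the same key names, then runs a small triage summary over it: alerts at or above a level threshold, grouped by rule id, with the Src IP lines pulled from full_log. It goes slightly beyond the synopsis by also accepting the header variant with an empty type field and the agent-less "host->location" form written for logs collected on the OSSEC server itself. The two sample alerts are constructed for this example (the first is the one shown in the synopsis; the second, with rule id 5712, is made up for illustration); the function names parse_alert_block, parse_alerts and summarize are this example's own.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# Constructed sample input in OSSEC alerts.log format (two alerts, blank-line
# separated). Not taken from a real system.
my $sample = <<'END_ALERTS';
** Alert 1443175627.1028: mail - syslog,fts,authentication_success
2015 Sep 25 06:07:07 (i7dev) 10.0.0.4->/var/log/auth.log
Rule: 10100 (level 4) -> 'First time user logged in.'
Src IP: 10.0.0.2
User: phirelight
Sep 25 06:07:06 i7dev sshd[17673]: Accepted publickey for phirelight from 10.0.0.2 port 44857 ssh2: RSA 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

** Alert 1443175700.2048: - syslog,sshd,authentication_failures
2015 Sep 25 06:08:20 (i7dev) 10.0.0.4->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.9
Sep 25 06:08:19 i7dev sshd[17690]: Failed password for invalid user admin from 203.0.113.9 port 50222 ssh2

END_ALERTS

# Parse one alert block (the lines between blank separators) into a hash
# using the same key names Ossec::Log::Parse documents. Returns undef for a
# block that does not have the three-line header.
sub parse_alert_block {
    my ($block) = @_;
    my @lines = split /\n/, $block;
    return if @lines < 3;

    my %alert;
    # Line 1: "** Alert <ts>: <type> - <group>"; <type> is empty when the
    # alert was not flagged for mail, which the regex tolerates.
    return unless $lines[0] =~ /^\*\* Alert (\d+\.\d+):\s*(\S*)\s*-\s*(\S+)/;
    @alert{qw(ts type group)} = ($1, $2, $3);

    # Line 2: "<date> (<agent>) <ip>-><location>". Alerts from the server
    # itself have no "(<agent>)" part, so agent.name stays undef there.
    return unless $lines[1] =~ /^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?:\((.*?)\) )?(\S+?)->(\S+)/;
    @alert{qw(ts.human agent.name agent.ip location)} = ($1, $2, $3, $4);

    # Line 3: "Rule: <id> (level <n>) -> '<comment>'"
    return unless $lines[2] =~ /^Rule: (\d+) \(level (\d+)\) -> '(.*)'$/;
    @alert{qw(rule.id rule.level rule.comment)} = ($1, $2, $3);

    # Everything after the header is the decoded log, kept verbatim.
    $alert{full_log} = join "\n", @lines[3 .. $#lines];
    return \%alert;
}

# Split a whole alerts.log body on blank lines and parse every block.
# Assumes, as OSSEC does, that a blank line only occurs between alerts.
sub parse_alerts {
    my ($text) = @_;
    my @alerts;
    for my $block (split /\n{2,}/, $text) {
        next unless $block =~ /\S/;
        my $alert = parse_alert_block($block);
        push @alerts, $alert if $alert;
    }
    return \@alerts;
}

# Triage summary: alerts at or above $min_level, grouped by rule id, with
# the distinct source addresses seen in the "Src IP:" line of full_log.
sub summarize {
    my ($alerts, $min_level) = @_;
    my %by_rule;
    for my $alert (@$alerts) {
        next if $alert->{'rule.level'} < $min_level;
        my $r = $by_rule{ $alert->{'rule.id'} } //= {
            count => 0, level => $alert->{'rule.level'},
            comment => $alert->{'rule.comment'}, src => {},
        };
        $r->{count}++;
        $r->{src}{$1}++ if $alert->{full_log} =~ /^Src IP: (\S+)/m;
    }
    return \%by_rule;
}

my $alerts  = parse_alerts($sample);
my $summary = summarize($alerts, 4);

# Highest-volume rules first, then by rule id for a stable order.
for my $id (sort { $summary->{$b}{count} <=> $summary->{$a}{count} || $a <=> $b } keys %$summary) {
    my $r = $summary->{$id};
    printf "rule %-6s level %-2d x%-3d %s  [src: %s]\n",
        $id, $r->{level}, $r->{count}, $r->{comment},
        join(',', sort keys %{ $r->{src} }) || '-';
}
```

The same summarize() routine can be fed the hashes returned by the module's getAlert() instead of parse_alerts(), since it only relies on the documented keys rule.id, rule.level, rule.comment and full_log. Raising the threshold passed to summarize() is the usual way to cut a large alerts.log down to the rules worth looking at first.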
Return the filehandle data is read from. Returns undef if data is read from <>.
Return the filename data is read from. Returns undef if no filename was given in constructor.
Stefan Amyotte, <samyotte@phirelight.com>
This work is a modified version of Johanna Amann's Perl-Bro-Log-Parse repository.
Copyright 2015 by Stefan Amyotte. This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
To install Ossec::Log::Parse, copy and paste the appropriate command into your terminal.
cpanm
cpanm Ossec::Log::Parse
CPAN shell
perl -MCPAN -e shell
install Ossec::Log::Parse
For more information on module installation, please visit the detailed CPAN module installation guide.