NAME

Zeek::Log::Parse - Object-oriented Perl interface for parsing Zeek log files

SYNOPSIS

  use Zeek::Log::Parse;
  
  my $parse = Zeek::Log::Parse->new('/path/to/logfile');
  while ( $fields = $parse->getLine() ) {
    print $fields->{ts}."\n";
  }

ABSTRACT

Perl interface for parsing Zeek logfiles

DESCRIPTION

This library provides an easy and convenient way to parse the log files generated by the Zeek Network Security Monitor.

If the JSON module is installed, this module can also be used to parse Zeek log files that were written in JSON format.

Constructor

The base constructor for Zeek::Log::Parse classes is called new. There are several different ways of calling the constructor, depending on the options you want to set. In a nutshell, one can either pass no argument (data is read from <>); a string argument, which is interpreted as a file name; a file handle which is used to read data from; or an array reference that can use all of these options and set a few more parameter.

new()

The first invocation of the base constructor for Zeek::Log::Parse. No argument is passed. The resulting class reads Zeek log data from <>.

new('/path/to/file')

Passing a string to the constructor for Zeek::Log::Parse will read Zeek log data from the file pointed to. If the file pointed to does not exist or cannot be opened, a fatal error is raised.

new($fh)

Passing a file handle to the constructor for Zeek::Log::Parse will read Zeek log data from the filehandle.

new({ option => value })

Pass a hashref of options to the constructor for Zeek::log::Parse. Options that can be given (in descending order of importance):

fh: Filehandle to be used as data source.
file: Name of file to be used as data source.
diamond: Boolean; if set to true, data is read from <>, if no other data source is given.
empty_as_undef: Boolean; if set to true, getLine() will return empty columns as undef instead of as empty arrayrefs.

FUNCTIONS

getLine(): Read the the line of the input and return the parsed data as a hash. Returns undef when on EOF.
fh(): Return the filehandle data is read from. Returns undef if data is read from <>.
file(): Return the filename data is read from. Returns undef if no filename was given in constructor.
line(): Value of the last line that was read; undef if no line was read yet.
headers(): Hash reference of all headers that were read. Contains, for example, open, fields, types, etc.
headerlines(): Arrayref of all header lines that were read in order.
fields(): Arrayref of all fields present in the input file.

AUTHOR

Johanna Amann, <johanna@icir.org>

COPYRIGHT AND LICENSE

To install Zeek::Log::Parse, copy and paste the appropriate command in to your terminal.

cpanm

cpanm Zeek::Log::Parse

CPAN shell

perl -MCPAN -e shell
install Zeek::Log::Parse

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)