NAME

BuzzSaw::Filter::UserClassifier - A BuzzSaw event filter for classifying users

VERSION

This documentation refers to BuzzSaw::Filter::UserClassifier version 0.12.0

SYNOPSIS

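   use BuzzSaw::Filter::SSH;
   use BuzzSaw::Filter::Cosign;
   use BuzzSaw::Filter::UserClassifier;

   # UserClassifier goes last so it sees any userid set by earlier filters
   my @filters = (BuzzSaw::Filter::SSH->new(),
                  BuzzSaw::Filter::Cosign->new(),
                  BuzzSaw::Filter::UserClassifier->new());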

   while ( defined( my $line = $fh->getline ) ) {
     my %event = $parser->parse_line($line);

     my ( $store, @all_tags);
     for my $filter (@filters) {
        my ( $accept, @tags ) = $filter->check(\%event, $store);
        if ($accept) {
          if ( $accept > 0 ) {
             $store = 1;
          }
          push @all_tags, @tags;
        }
     }

     if ($store) {
        # store log entry in DB
     }
   }

DESCRIPTION

This is a Moose class that implements the BuzzSaw::Filter role. It post-processes entries that a previous filter in the stack has requested be stored in the database. If such an entry has a value set for the userid attribute, this module classifies the type of username (root, nonperson, real, others) using the BuzzSaw::UserClassifier module and returns a tag with a user_is_ prefix, such as user_is_root or user_is_real. It does not affect whether the entry is stored in the database. It is designed to be used at the end of the filter stack so that it can process the results of all filters which might set a value for the userid attribute.

The BuzzSaw project provides a suite of tools for processing log file entries. Entries in files are parsed and filtered into a set of events of interest which are stored in a database. A report generation framework is also available which makes it easy to generate regular reports regarding the events discovered.

ATTRIBUTES

name

The short name of the module. The default is to use the final part of the Perl module name lower-cased (e.g. the name of BuzzSaw::Filter::UserClassifier is userclassifier).

SUBROUTINES/METHODS

( $accept, @tags ) = $filter->check(\%event,$votes)

This method checks whether any previous filter in the stack has requested that the log entry be stored (the $votes counter). If such an entry has a value set for the userid attribute, the username type (root, nonperson, real, others) is classified using the BuzzSaw::UserClassifier module and a tag with a user_is_ prefix, such as user_is_root or user_is_real, is returned. The method does not affect whether the entry is stored in the database. The filter is designed to be used at the end of the filter stack so that it can process the results of all filters which might set a value for the userid attribute.
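The check contract described above, as an added example that is not BuzzSaw code: a classifier filter adds a user_is_ tag without changing the store decision, and emits nothing when it runs before the filter that sets userid. The Demo::Filter::* packages, the classification rules and the accept values 1, -1 and 0 are assumptions modelled on the SYNOPSIS loop; the log message is constructed.

```perl
use strict;
use warnings;
{   # Hypothetical earlier filter: sets userid and votes to store.
    package Demo::Filter::Login;
    sub new { return bless {}, shift }
    sub check {
        my ( $self, $event, $votes ) = @_;
        return 0 if $event->{message} !~ m/^Accepted \S+ for (\S+) from /;
        $event->{userid} = $1;
        return ( 1, 'auth_success' );    # > 0: store the entry
    }
}

{   # Hypothetical classifier; these rules are assumed, not BuzzSaw's.
    package Demo::Filter::UserClassifier;
    my %NONPERSON = map { $_ => 1 } qw(nagios backup);
    my %REAL      = map { $_ => 1 } qw(alice);
    sub new { return bless {}, shift }
    sub check {
        my ( $self, $event, $votes ) = @_;
        my $user = $event->{userid};
        return 0 if !$votes || !defined $user;    # nothing to classify
        my $type = $user eq 'root'   ? 'root'
                 : $NONPERSON{$user} ? 'nonperson'
                 : $REAL{$user}      ? 'real'
                 :                     'others';
        return ( -1, "user_is_$type" );  # true but not > 0: tag only
    }
}

package main;
sub run_stack {    # the SYNOPSIS voting loop, wrapped in a function
    my ( $filters, $message ) = @_;
    my %event = ( message => $message );
    my ( $store, @all_tags ) = (0);
    for my $filter ( @{$filters} ) {
        my ( $accept, @tags ) = $filter->check( \%event, $store );
        $store = 1 if $accept > 0;
        push @all_tags, @tags if $accept;
    }
    return ( $store, @all_tags );
}

my @last = ( Demo::Filter::Login->new, Demo::Filter::UserClassifier->new );
my $msg  = 'Accepted publickey for root from 192.0.2.10 port 50022 ssh2';    # constructed
for my $case ( [ 'last', \@last ], [ 'first', [ reverse @last ] ] ) {
    my ( $store, @tags ) = run_stack( $case->[1], $msg );
    print "classifier $case->[0]: store=$store tags=@tags\n";
}
```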

DEPENDENCIES

This module is powered by Moose. This module implements the BuzzSaw::Filter Moose role.

SEE ALSO

BuzzSaw, BuzzSaw::Parser

PLATFORMS

This is the list of platforms on which we have tested this software. We expect this software to work on any Unix-like platform which is supported by Perl.

ScientificLinux6

BUGS AND LIMITATIONS

Please report any bugs or problems (or praise!) to bugs@lcfg.org. Feedback and patches are also always very welcome.

AUTHOR

    Stephen Quinney <squinney@inf.ed.ac.uk>

LICENSE AND COPYRIGHT

    Copyright (C) 2013 University of Edinburgh. All rights reserved.

This library is free software; you can redistribute it and/or modify it under the terms of the GPL, version 2 or later.