[JaxPM] syslog analyzing
j proctor
jproctor at oit.umass.edu
Wed Apr 5 17:20:35 CDT 2000
On the jacksonville-pm-list; Jax.PM'er j proctor <jproctor at oit.umass.edu> wrote -
> I want to use perl to emulate the syslog feature that just tells you "Last
> message repeated 5 times", but not just when they are one after
> another. Even when the times are spread out, I could say it a couple ways
>
> way #1: Message "zeus PAM_pwdb[19196]: (su) session opened
> for user root by nate(uid=501)" reported at 14:22:33, 14:40:29, 14:55:21
>
> way #2: Message "zeus PAM_pwdb[19196]: (su) session opened for user root
> by nate(uid=501)" reported 3 times.

For each hostname, hash with the key as everything *but* the time, and
append times to the values. That is, iterate over something like:

    $zeus{$event} .= ", $timestamp";

On successive(-ish) passes through the loop, you should see:

    $event                                              $timestamp
    --------------------------------------------------  ----------
    (su) session opened for user root by nate(uid=501)  14:22:33
    (su) session opened for user root by nate(uid=501)  14:40:29
    (su) session opened for user root by nate(uid=501)  14:55:21

At the end, s/^, // off all hash values before printing.
It's quick-and-dirty, but for logs of the size you're talking about, it'll
work just fine as long as the event entries are the same. If they're not
(or if you're expecting a change in PID or something like that), then you
can work out rules for what you want matched as the same class of event,
and do a regex thang. :)
Hope this helps.
j
Jax.PM Moderator's Note:
This message was posted to the Jacksonville Perl Monger's Group listserv.
The group manager can be reached at -- owner-jacksonville-pm-list at pm.org
to whom send all praises, complaints, or comments...
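
An added example (not part of j proctor's post, and not Jax.PM code) of the grouping described in the reply above: it keys each host's events on everything but the time, applies one "same class of event" rule by dropping the PID, and prints both the times and the count the question asked for. The log lines are constructed samples, `group_events` is a hypothetical helper name, and times are pushed onto an array instead of appended to a string, so no leading ", " needs stripping.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in classic BSD syslog layout (not real log data).
my @lines = (
    'Apr  5 14:22:33 zeus PAM_pwdb[19196]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:31:02 zeus sshd[2210]: Connection closed by 192.0.2.7',
    'Apr  5 14:40:29 zeus PAM_pwdb[19240]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:55:21 zeus PAM_pwdb[19301]: (su) session opened for user root by nate(uid=501)',
    'Apr  5 14:58:10 hera PAM_pwdb[812]: (su) session opened for user root by nate(uid=501)',
    'this line is not syslog and is counted as unparsed',
);

# Group by host, then by event text with the timestamp removed.
# Returns (\%seen, $unparsed); %seen is host => event => [timestamps].
sub group_events {
    my ($normalize_pid, @log) = @_;
    my (%seen, $unparsed);
    $unparsed = 0;
    for my $line (@log) {
        # Fields: month, day, HH:MM:SS, host, rest of message.
        my ($time, $host, $event) =
            $line =~ /^\w{3}\s+\d{1,2}\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$/
            or do { $unparsed++; next };
        # Optional rule: treat "prog[1234]:" and "prog[5678]:" as one event class.
        $event =~ s/^([^\s\[]+)\[\d+\]:/$1:/ if $normalize_pid;
        push @{ $seen{$host}{$event} }, $time;
    }
    return (\%seen, $unparsed);
}

my ($seen, $unparsed) = group_events(1, @lines);
for my $host (sort keys %$seen) {
    for my $event (sort keys %{ $seen->{$host} }) {
        my @times = @{ $seen->{$host}{$event} };
        # Way #1 lists every time; way #2 is just the count.
        printf qq{Message "%s %s" reported at %s (%d time%s)\n},
            $host, $event, join(', ', @times), scalar @times,
            @times == 1 ? '' : 's';
    }
}
print "$unparsed unparsed line(s)\n" if $unparsed;
```

Passing 0 as the first argument to `group_events` keeps the PID in the key, so the three su lines on zeus are then reported as three separate events.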