I'm trying to split a line from a PIX Firewall log file and put it into
an array.
The log entries look like:
 
Nov 13 07:28:55 10.0.0.3 %PIX-4-400025: IDS:2154 ICMP ping of death from
123.123.123.123 to 124.124.124.124 on interface outside 

Here is the code I've tried:
.............................................................
while ($line = <LOG>) {
       if ($line =~ /PIX-4-4000/) {                      # Match PIX Message ID Type
         @fields = split(/ /, $line);                    # Populate @fields with data
         $month{$fields[0]}++;                           #
         $day{$fields[0]." ".$fields[1]}++;              # Cat Month and Day
         $fields[2] =~ /(\d{2}):/;                       # Parse Hour from Time
         $ltime{$fields[0]." ".$fields[1]." ".$1}++;     # Cat Date and Time
         $host{$fields[3]}++;
         $pixcode{$fields[4]}++;
         ............etc 
.......................................................................
Obviously, split(/  /, $line) doesn't produce the array I really want.
 
Here is the format of the log entries to parse.
 
Month Day Time Host PIXcode IDSCode Protocol Description SourceHost To
DestinationHost On Interface InterfaceName
 
Here are the string details:
Month : Always Three Letters
Day : May be One or Two Digits. If one Digit, it is preceded by an
extra space. i.e. " 9"  or "10"
Time: Always the same format
Host : Sometimes IP number, Sometimes Hostname
PIXCode : Always %PIX-4-4000xx:
IDSCode : Always IDS:xxxx
Protocol : If exists, followed by space, Sometimes not there at all
Description : Various string lengths (2 To 6 words)
SourceHost : Always an IP Number
To : Always exists
DestinationHost : Always an IP Number
On Interface : Always exists
InterfaceName : Always One Word
 
 
Thanks!
 
Matt Richter
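Added worked example (not part of Matt's post): one anchored regex that parses the whole line into named fields and feeds the same count tables the original loop builds. The `\s+` between fields absorbs the padding space before a single-digit day, which is exactly the case where `split(/ /, $line)` leaves an empty element and shifts every later index. The sample log lines below are constructed, not real firewall output; the PIX and IDS codes after the first line are made up but follow the `%PIX-4-4000xx:` / `IDS:xxxx` format given above. The rule for separating the optional protocol from the description (an all-uppercase leading word such as ICMP) is an assumption, since the post gives no protocol list.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One regex for the whole line, in place of split(/ /, $line).  \s+ between
# fields absorbs the padding space before a single-digit day; the literal
# words "from", "to" and "on interface" delimit the variable-length
# description.  Named captures (%+) need Perl 5.10 or later.
my $pix_re = qr{
    ^
    (?<month>[A-Z][a-z]{2})        \s+    # Month: always three letters
    (?<day>\d{1,2})                \s+    # Day: one or two digits
    (?<time>\d{2}:\d{2}:\d{2})     \s+    # Time: HH:MM:SS
    (?<host>\S+)                   \s+    # Host: IP address or hostname
    (?<pixcode>%PIX-4-4000\d{2}:)  \s+    # PIX message code, colon kept
    (?<idscode>IDS:\d+)            \s+    # IDS signature code
    (?<text>.+?)                   \s+    # optional protocol + description
    (?:from \s+)?                         # "from" precedes the source in the sample
    (?<src>\d{1,3}(?:\.\d{1,3}){3}) \s+   # SourceHost: always an IP
    to \s+ (?<dst>\d{1,3}(?:\.\d{1,3}){3}) \s+   # DestinationHost: always an IP
    on \s+ interface \s+ (?<iface>\S+)    # InterfaceName: one word
    \s* \z
}x;

# Parse one log line into a hashref of fields, or return undef if the line
# does not match the documented format (so malformed lines are not counted).
sub parse_pix_line {
    my ($line) = @_;
    return undef unless $line =~ $pix_re;
    my %r = %+;                          # copy the named captures
    # Assumption (hypothetical, not from the post): a protocol token is an
    # all-uppercase word such as ICMP; anything else is description only.
    @r{qw(protocol description)} = ('', $r{text});
    if ($r{text} =~ /^([A-Z]{2,}\S*)\s+(.+)$/) {
        @r{qw(protocol description)} = ($1, $2);
    }
    delete $r{text};
    return \%r;
}

# Build the same tables as the original loop (month, day, hour, host,
# pixcode) plus a few more, keyed by field value.
sub tally {
    my (@lines) = @_;
    my %count;
    for my $line (@lines) {
        my $r = parse_pix_line($line);
        unless ($r) { warn "unparsed line: $line\n"; next; }
        my ($hour) = $r->{time} =~ /^(\d{2}):/;
        $count{month}{ $r->{month} }++;
        $count{day}{ "$r->{month} $r->{day}" }++;
        $count{ltime}{ "$r->{month} $r->{day} $hour" }++;
        $count{host}{ $r->{host} }++;
        $count{pixcode}{ $r->{pixcode} }++;
        $count{idscode}{ $r->{idscode} }++;
        $count{src}{ $r->{src} }++;
        $count{iface}{ $r->{iface} }++;
    }
    return \%count;
}

# Constructed sample entries (not real firewall output).  The second line has
# the padded single-digit day, the third has no protocol token, the fourth is
# deliberately malformed so the warning path is exercised.
my @sample = (
    "Nov 13 07:28:55 10.0.0.3 %PIX-4-400025: IDS:2154 ICMP ping of death from 123.123.123.123 to 124.124.124.124 on interface outside",
    "Nov  9 07:29:01 fw1.example.net %PIX-4-400025: IDS:2154 ICMP ping of death from 123.123.123.123 to 124.124.124.124 on interface outside",
    "Nov  9 23:01:02 10.0.0.3 %PIX-4-400010: IDS:2100 Spoofed source packet from 198.51.100.7 to 10.0.0.1 on interface outside",
    "Nov 10 00:00:00 10.0.0.3 this line is not in the documented format",
);

# To run against a real file instead of @sample:
#   open(my $log, '<', 'pix.log') or die "pix.log: $!";
#   my @sample = <$log>;
my $count = tally(@sample);
for my $table (sort keys %$count) {
    for my $key (sort keys %{ $count->{$table} }) {
        printf "%-8s %-34s %d\n", $table, $key, $count->{$table}{$key};
    }
}
```

With the sample above, `day` ends up with "Nov 9" => 2 and "Nov 13" => 1, `host` with two entries, and the malformed fourth line is reported on STDERR rather than silently polluting the tables, which is the behaviour you want when the log is an input to alerting.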

