.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . 
ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "WELF 3pm" .TH WELF 3pm "2006-07-23" "Lire 2.1.1" "LogReport's Lire Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Lire::WELF \- Base implementation of a WebTrends(tm) Enhanced Log Format parser .SH "SYNOPSIS" .IX Header "SYNOPSIS" use Lire::WELF; .PP my \f(CW$parser\fR = new Lire::WELF; .PP my \f(CW$welf_rec\fR = \f(CW$parser\fR\->parse( \f(CW$line\fR ); .SH "DESCRIPTION" .IX Header "DESCRIPTION" This module defines an object able to parse WebTrends(tm) Enhanced Log Format. 
That log format was defined by WebTrends(tm) for its Firewall Suite. It defines an extensible format that is now used by several packet filter and/or proxy firewalls. .PP The document describing that format is available from http://www.webtrends.com/partners/welfOverview.htm .PP A list of products/vendors that support this format can be found at http://www.webtrends.com/partners/firewall.htm .PP You create a \s-1WELF\s0 parser object using the \fInew()\fR method: .PP .Vb 1 \& my $parser = new Lire::WELF(); .Ve .PP To parse a \s-1WELF\s0 record you invoke the \fIparse()\fR method with the line containing the record as parameter: .PP .Vb 1 \& my $rec = $parser\->parse( $line ); .Ve .PP The \f(CW$rec\fR is a hash reference with the \s-1WELF\s0 field names used as keys and the values of the record as values. .PP No values are interpreted or checked in any way, so callers should treat field values as unvalidated log data; the only exceptions are the following: .IP "time" 4 .IX Item "time" The time field will be converted to epoch time. .IP "quotation" 4 .IX Item "quotation" The quotation marks used when the value contains spaces are removed. .SS "\s-1WELF\s0 \s-1EXTENSIONS\s0" .IX Subsection "WELF EXTENSIONS" The parser also supports \*(L"extensions\*(R" to the format found in the field. .IP "port" 4 .IX Item "port" We will interpret correctly src and dst fields that have the port embedded in them: .Sp .Vb 1 \& src=192.168.1.1:1037 .Ve .IP "interface" 4 .IX Item "interface" A possible :IFNAME will also be interpreted as the interface name: .Sp .Vb 1 \& dst=192.168.100.10:23:WAN .Ve .IP "timezone" 4 .IX Item "timezone" The time field may contain a time zone identifier: .Sp .Vb 1 \& time="2001\-12\-02 12:34:12 UTC" .Ve .SS "Derived Fields" .IX Subsection "Derived Fields" The parser will generate a few 'derived' fields to complete the format. .IP "src_port" 4 .IX Item "src_port" Will contain the port portion of the src field when SonicWall extensions are used. 
.IP "dst_port" 4 .IX Item "dst_port" Will contain the port portion of the dst field when SonicWall extensions are used. .IP "src_if" 4 .IX Item "src_if" Will contain the interface portion of the src field when SonicWall extensions are used. .IP "dst_if" 4 .IX Item "dst_if" Will contain the interface portion of the dst field when SonicWall extensions are used. .SH "AUTHOR" .IX Header "AUTHOR" .Vb 1 \& Francis J. Lacoste .Ve .SH "VERSION" .IX Header "VERSION" \&\f(CW$Id:\fR \s-1WELF\s0.pm,v 1.11 2006/07/23 13:16:30 vanbaal Exp $ .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright (C) 2001 Stichting LogReport Foundation LogReport@LogReport.org .PP This file is part of Lire. .PP Lire is free software; you can redistribute it and/or modify it under the terms of the \s-1GNU\s0 General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. .PP This program is distributed in the hope that it will be useful, but \s-1WITHOUT\s0 \s-1ANY\s0 \s-1WARRANTY\s0; without even the implied warranty of \&\s-1MERCHANTABILITY\s0 or \s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0. See the \&\s-1GNU\s0 General Public License for more details. .PP You should have received a copy of the \s-1GNU\s0 General Public License along with this program (see \s-1COPYING\s0); if not, check with http://www.gnu.org/copyleft/gpl.html.