Reputation: 12538
I have a mailog file in /var/log/mailog. The content structure is as shown below:
Feb 13 10:13:24 mailer dove: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=::ffff:14.012.251.125, lip=::ffff:33.01.121.12.80
Feb 13 10:13:25 mailer dove: imap-login: Disconnected: rip=::ffff:10.100.2.10, lip=::ffff:33.01.121.12.81
Feb 13 10:13:25 mailer dove: pop3-login: Disconnected: rip=::ffff:10.100.2.10, lip=::ffff:33.01.121.12.81
Feb 13 10:13:25 mailer dove: pop3-login: Disconnected: rip=::ffff:10.100.2.10, lip=::ffff:33.01.121.12.80
Feb 13 10:13:25 mailer dove: imap-login: Disconnected: rip=::ffff:10.100.2.10, lip=::ffff:33.01.121.12.80
Feb 13 10:13:26 mailer dove: POP3([email protected]): Disconnected: Logged out top=0/0, retr=0/0, del=0/24, size=187461
Feb 13 10:13:26 mailer dove: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=::ffff:14.012.251.125, lip=::ffff:33.01.121.12.80
Feb 13 10:13:26 mailer dove: POP3([email protected]): Disconnected for inactivity top=0/0, retr=0/0, del=0/32, size=473758028
Feb 13 10:13:26 mailer dove: POP3([email protected]): Disconnected for inactivity top=0/0, retr=0/0, del=0/9, size=140778365
Feb 13 10:13:26 mailer dove: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=::ffff:14.012.251.125, lip=::ffff:33.01.121.12.80
Feb 13 10:13:28 mailer dove: POP3([email protected]): Disconnected: Logged out top=0/0, retr=1/8336, del=1/1, size=8319
Feb 13 10:13:28 mailer dove: pop3-login: Login: user=<[email protected]>, method=PLAIN, rip=::ffff:21.254.145.12, lip=::ffff:33.01.121.12.
I want to be able to parse this using Perl to extract and group the number of times a user has appeared in the log and sort it with the highest size on the top.
I have tried the below, but this only prints every user:
perl -ne '
    $l{$2} = $1 if /^(.{15}) .* imap-login: Login: user=<([^>]+)>/;
    END {
        print "$_ last imap-login: $l{$_}\n" for keys %l
    }
' /var/log/maillog
Can you help me tweak this script?
Upvotes: 1
Views: 441
Reputation: 184955
Try doing this:
perl -lne '
    # count successful IMAP logins per user
    $h{$1}++ if /imap-login:\s+Login:\s+user=<([^>]+)>/;
    END {
        # sort by login count, highest first
        foreach my $key (sort { $h{$b} <=> $h{$a} } keys(%h)) {
            print $key, " ", $h{$key}
        }
    }
' /var/log/mail.log
EDIT
If you'd like to add access time, work around this:
perl -wlne '
    do {
        $h{$2}{inc}++;        # login count for this user
        $h{$2}{time} = $1;    # timestamp captured by the first group
    } if /^(\w+\s+\d+\s+\d+:\d+:\d+).*?Login:\s+user=<([^>]+)>/;
    END {
        use Data::Dumper;
        print Dumper \%h;
    }
'
You just have to parse the HASH.
Upvotes: 3
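The closing hint above ("parse the HASH") carried through as an added example, not code from the original answer: it keeps the `%h` layout with `inc` and `time`, adds a `rip` sub-hash (an assumption of this example) to count distinct source addresses per user, and prints users with the most logins first. The users and addresses under `__DATA__` are constructed sample lines in the same shape as the log in the question.

```perl
#!/usr/bin/perl
# Added example: per-user login summary from Dovecot-style "Login:" lines.
use strict;
use warnings;

# user => { inc => login count, time => last login timestamp, rip => { addr => hits } }
my %h;

# Read the files named on the command line, or the constructed sample below.
my $in = @ARGV ? \*ARGV : \*DATA;

while (my $line = <$in>) {
    # Match imap-login and pop3-login successes; skip Disconnected and session lines.
    next unless $line =~
        /^(\w+\s+\d+\s+\d+:\d+:\d+)\s.*?-login:\s+Login:\s+user=<([^>]+)>(.*)/;
    my ($time, $user, $rest) = ($1, $2, $3);

    $h{$user}{inc}++;
    $h{$user}{time} = $time;    # log is chronological, so the last match wins
    $h{$user}{rip}{$1}++ if $rest =~ /\brip=([^,\s]+)/;
}

# Highest login count first; ties are broken by user name for stable output.
for my $user (sort { $h{$b}{inc} <=> $h{$a}{inc} || $a cmp $b } keys %h) {
    my $sources = scalar(keys %{ $h{$user}{rip} || {} });
    printf "%-20s logins=%-3d last=%s source_ips=%d\n",
        $user, $h{$user}{inc}, $h{$user}{time}, $sources;
}

__DATA__
Feb 13 10:13:24 mailer dove: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:198.51.100.5
Feb 13 10:13:25 mailer dove: imap-login: Disconnected: rip=::ffff:192.0.2.77, lip=::ffff:198.51.100.5
Feb 13 10:13:26 mailer dove: pop3-login: Login: user=<bob@example.com>, method=PLAIN, rip=::ffff:192.0.2.20, lip=::ffff:198.51.100.5
Feb 13 10:13:26 mailer dove: POP3(bob@example.com): Disconnected: Logged out top=0/0, retr=0/0, del=0/24, size=187461
Feb 13 10:13:27 mailer dove: pop3-login: Login: user=<alice@example.com>, method=PLAIN, rip=::ffff:203.0.113.9, lip=::ffff:198.51.100.5
Feb 13 10:13:29 mailer dove: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=::ffff:192.0.2.10, lip=::ffff:198.51.100.5
Feb 13 10:13:31 mailer dove: imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=::ffff:192.0.2.30, lip=::ffff:198.51.100.5
```

With no argument the script runs on the embedded sample; pass a log path as the first argument to summarize a real file. A user whose `source_ips` count is high relative to their login count is worth a closer look when reviewing authentication logs.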