CRAWDAD tools/process/syslog/syslog_parser
Source: DataCite Commons. Updated: 2022-12-16. Indexed: 2025-04-16.
Download link:
https://ieee-dataport.org/open-access/crawdad-toolsprocesssyslogsyslogparser
Description:
A tool for parsing Cisco and Aruba 802.11 syslog traces.
syslog_parser is a script to parse the syslog traces from Cisco VxWorks, Cisco IOS and Aruba access points. This script was designed to parse the syslog traces in the dartmouth/campus/syslog tracesets, but should be useful for other traces as well.
Last modified: 2006-11-01
Dataname: tools/process/syslog/syslog_parser
File: syslog_parser-v20061101.tar.gz
Release date: 2006-11-01
Change: the initial version
Website: http://www.crawdad.org/tools/process/syslog/syslog_parser
Keyword: syslog, 802.11
License:
# cisco_aruba_syslog_parser.pl: a script to parse syslogs
#
# Author: Tristan Henderson
# version: v. 2006-11-01
# Copyright (c) 2006 Dartmouth College
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License Version 2 as published by
# the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
#
# You should have received a copy of the GNU General Public License along with
# this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Support: Please send your suggestions, bug reports and fixes to crawdad@crawdad.org
Build: cisco_aruba_syslog_parser.pl uses the Time::Local and Getopt::Std Perl modules. If your Perl does not include these modules, please install a newer version of Perl before running the cisco_aruba_syslog_parser.pl script.
Output: cisco_aruba_syslog_parser.pl parses syslog traces (see "usage" for the supported syslogs) and extracts the following information:
timestamp, client MAC address, message, AP MAC address
Parameters: See "usage" for details about the parameters needed for each tool.
Usage: This is a script to parse the following syslog traces:
- Cisco VxWorks
- Cisco IOS
- Aruba: note that we don't really know what the Aruba messages mean, but
I assume that "station up" means associate and "station down"
means disassociate. Since Aruba messages are received from a
mobility controller, not an AP, they may not correspond
directly to 802.11 associate/disassociate.
Note that we don't parse all messages, just ones that were interesting to us.
$ ./cisco_aruba_syslog_parser.pl -h
usage: ./cisco_aruba_syslog_parser.pl [OPTION] [SYSLOG]
  -y <year>   define a year for syslogs
              # syslog messages don't contain the year.
              # you can pass the year using -y <year>.
              # otherwise we assume the current year
  -t          don't reformat time as a Unix timestamp
  -r          show the reason for an event (where available)
  -b <file>   file containing APs to ignore
  -d          output debug info to STDERR
  -a <file>   file containing Aruba APs names
              # for internal use
  -h          show this help
An example VxWorks syslog record:
Jun 21 05:00:16 AdmBldg25AP1 AdmBldg25AP1 (Info): Station 0006257c081a Associated
An example IOS syslog record:
Jun 21 05:00:09 AcadBldg34AP2 2698: AcadBldg34AP2: Jun 21 09:00:09: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000d93737dab Reassociated KEY_MGMT[NONE]
An example Aruba syslog record:
1125561901 Sep 1 04:05:01 50.110.24.0 2005 [50.110.24.131] authmgr[643]: <INFO> station down <00:02:2d:46:1f:62> bssid 00:0b:86:5c:e5:f9, essid Kiewit Wireless, vlan 2834, ingress 0x10c3 (tunnel 99), u_encr 1, m_encr 1, loc 167.3.2 slotport 0xfc3
Example:
$ ./cisco_aruba_syslog_parser.pl 20010411.vxworks.cisco | head
986990216 0040961e58be authenticated AdmBldg19AP3
986990247 0040961e58be authenticated AdmBldg19AP3
986990247 0040961e58be associated AdmBldg19AP3
986990293 0040961e58be authenticated AdmBldg19AP3
986990364 0040961e58be authenticated AdmBldg19AP3
986990484 0040961e58be authenticated AdmBldg19AP3
986991490 0040961e58be authenticated AdmBldg19AP3
986991491 00601db0635a authenticated AdmBldg16AP1
986991491 00601db0635a associated AdmBldg16AP1
986991532 0040961e58be authenticated AdmBldg19AP3
$ ./cisco_aruba_syslog_parser.pl 20040630.IOS.cisco | head
1088568001 0009b7f3ff1f reassociated AcadBldg4AP3
1088568003 00022d12c361 reassociated ResBldg69AP6
1088568003 00022d12c361 roamed ResBldg69AP4
1088568003 00022d12c361 disassociated ResBldg69AP4
1088568006 00022d12c361 authenticated ResBldg69AP4
1088568006 00022d12c361 associated ResBldg69AP4
1088568006 00022d12c361 roamed ResBldg69AP6
1088568008 00904b86f12a disassociated ResBldg44AP4
1088568013 00022dd9b5b2 disassociated SocBldg3AP2
1088568016 0009b7f3ff1f reassociated ResBldg97AP6
$ ./cisco_aruba_syslog_parser.pl 060831.072842.aruba | head
1157009322 001124567039 associated 98.1.2
1157009335 000d93e3e675 associated 167.3.3
1157009342 0016cff28931 associated 68.3.1
1157009344 00131ab19f7c disassociated 188.4.2
1157009344 00131ab19f7c associated 188.3.1
1157009349 001302f5e3e3 disassociated 119.1.1
1157009363 000d28120f0a disassociated 23.3.11
1157009363 000d28120f0a associated 23.3.1
1157020082 0013024da937 associated 119.4.1
1157020093 00131ab19f7c disassociated 188.3.1
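The normalization described above, sketched in Python as an added example (it is not the project's Perl script and not taken from it): it parses the three sample records quoted in the usage text into the four-column layout of the example output. Assumptions: the year 2004 for the Cisco samples, clock times read as UTC, the leading numeric field of an Aruba record used as its timestamp, and the fourth column taken from the AP name or Aruba loc value as the example output shows.

```python
import calendar
import re

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
STAMP = r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d)"
MAC = r"(?P<mac>[0-9A-Fa-f]{12})"

# Patterns derived from the three sample records quoted on the page.
VXWORKS = re.compile(STAMP + r" (?P<ap>\S+) \S+ \(Info\): Station " + MAC + r" (?P<event>\w+)")
IOS = re.compile(STAMP + r" (?P<ap>\S+) \d+: .*%DOT11-\d-\w+: .*Station " + MAC + r" (?P<event>\w+)")
ARUBA = re.compile(r"(?P<epoch>\d{9,10}) .*station (?P<state>up|down) "
                   r"<(?P<mac>[0-9A-Fa-f:]{17})> .* loc (?P<ap>[\d.]+)")
ARUBA_EVENT = {"up": "associated", "down": "disassociated"}  # mapping stated in the usage text

def to_epoch(m, year):
    # Syslog lines carry no year, so the caller supplies it (the script's -y option).
    # Assumption: the clock is read as UTC here so the result is reproducible.
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    return calendar.timegm((year, MONTHS[m["mon"]], int(m["day"]), h, mi, s))

def parse_line(line, year):
    """Return (timestamp, client_mac, event, ap), or None for messages we skip."""
    line = line.strip()
    m = ARUBA.match(line)
    if m:  # assumption: the leading numeric field is the record's epoch time
        return (int(m["epoch"]), m["mac"].replace(":", "").lower(),
                ARUBA_EVENT[m["state"]], m["ap"])
    for pattern in (IOS, VXWORKS):
        m = pattern.match(line)
        if m and m["mon"] in MONTHS:
            return (to_epoch(m, year), m["mac"].lower(), m["event"].lower(), m["ap"])
    return None

# The page's three sample records plus one constructed line that is not a station event.
SAMPLES = [
    "Jun 21 05:00:16 AdmBldg25AP1 AdmBldg25AP1 (Info): Station 0006257c081a Associated",
    "Jun 21 05:00:09 AcadBldg34AP2 2698: AcadBldg34AP2: Jun 21 09:00:09: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 000d93737dab Reassociated KEY_MGMT[NONE]",
    "1125561901 Sep 1 04:05:01 50.110.24.0 2005 [50.110.24.131] authmgr[643]: <INFO> station down <00:02:2d:46:1f:62> bssid 00:0b:86:5c:e5:f9, essid Kiewit Wireless, vlan 2834, ingress 0x10c3 (tunnel 99), u_encr 1, m_encr 1, loc 167.3.2 slotport 0xfc3",
    "Jun 21 05:00:20 AdmBldg25AP1 AdmBldg25AP1 (Info): constructed non-station message",
]

def normalize(lines, year):
    """Render parsed records in the four-column layout of the example output."""
    records = (parse_line(line, year) for line in lines)
    return [" ".join(str(f) for f in r) for r in records if r]

if __name__ == "__main__":
    print("\n".join(normalize(SAMPLES, 2004)))  # 2004 is an assumed year
```

Because the year is supplied by the caller, the same Cisco line maps to a different timestamp for each year passed in, which is why a wrong or defaulted year shifts every event in a trace by whole years.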
Provider:
IEEE DataPort
Created:
2022-12-16



