Binary Log Files
It’s not that easy writing programs to deal with log files. Instead of nice, easily parseable text lines, some logging mechanisms produce nasty, gnarly binary files with proprietary formats that can’t be parsed with a single line of Perl. Luckily, Perl isn’t afraid of these miscreants. Let’s look at a few approaches we can take when dealing with these files. We’re going to look at two different examples of binary logs: Unix’s wtmp file and NT/2000’s event logs.
Back in Chapter 3, we touched briefly on the notion of logging in and logging out of a Unix host. Login and logout activity is tracked in a file called wtmp on most Unix variants. It is common to check this file whenever there is a question about a user’s connection habits (e.g., from what hosts does this person usually log in?).
On NT/2000, the event logs play a more generalized role. They are used as a central clearinghouse for logging practically all activity that takes place on these machines, including login and logout activity, OS messages, security events, etc. Their role is analogous to the Unix syslog service we mentioned earlier.
Using unpack()
Perl has a function called unpack() especially designed to parse binary and structured data. Let’s take a look at how we might use it to deal with the wtmp files. The format of wtmp differs from Unix variant to Unix variant. For this specific example we’ll look at the wtmp files found on SunOS 4.1.4 and Digital Unix 4.0 because they are pretty ...
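The following is an added example, not code from the book, showing the general shape of a wtmp reader built on unpack(): read the file as raw bytes, step through it one fixed-size record at a time, and then answer the question posed above (from which hosts does each user log in?). The record layout in the template is an assumption modeled on the SunOS 4 struct utmp (ut_line, ut_name, ut_host, ut_time) and must be checked against the utmp.h of the system that wrote the file; the sample records are constructed inline with pack() so the script runs without a real wtmp.

```perl
#!/usr/bin/perl
# Added example: parse fixed-size wtmp-style records with unpack().
use strict;
use warnings;

# ASSUMED record layout, modeled on the SunOS 4 struct utmp. Confirm the
# field names, widths and byte order against <utmp.h> on the source host.
#   ut_line  char[8]   terminal
#   ut_name  char[8]   login name (empty on a logout record)
#   ut_host  char[16]  remote host (empty for local logins)
#   ut_time  long      seconds since the epoch
# 'A' strips trailing NULs/spaces; 'l' is a native-order signed 32-bit int.
my $template   = 'A8 A8 A16 l';
my $recordsize = length pack($template, '', '', '', 0);   # 36 bytes

# Constructed sample data: three records written with the same template.
my @sample = (
    ['ttyp0', 'alice', 'desk.example.org', 1000000000],
    ['ttyp0', '',      '',                 1000000600],   # logout of ttyp0
    ['ttyp1', 'bob',   'bastion.example',  1000001200],
);
my $data = join '', map { pack($template, @$_) } @sample;

# Split a buffer into records. A short tail (truncated or partially
# written record) is reported instead of being unpacked into garbage.
sub parse_wtmp {
    my ($buf) = @_;
    my (@records, $offset);
    $offset = 0;
    while ($offset + $recordsize <= length $buf) {
        my ($line, $name, $host, $time) =
            unpack($template, substr($buf, $offset, $recordsize));
        push @records, {
            line => $line, name => $name, host => $host, time => $time,
            type => ($name eq '' ? 'logout' : 'login'),
        };
        $offset += $recordsize;
    }
    my $leftover = length($buf) - $offset;
    warn "$leftover trailing bytes do not form a whole record\n" if $leftover;
    return @records;
}

# Tally the hosts each user has logged in from.
sub hosts_by_user {
    my %seen;
    for my $r (grep { $_->{type} eq 'login' } @_) {
        $seen{ $r->{name} }{ $r->{host} || '(local)' }++;
    }
    return \%seen;
}

# Use a real file if one is named on the command line, else the sample data.
my $buf = $data;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "open $ARGV[0]: $!";
    binmode $fh;            # raw bytes, no newline translation
    local $/;               # slurp the whole file
    $buf = <$fh>;
    close $fh;
}

my @records = parse_wtmp($buf);
for my $r (@records) {
    printf "%-8s %-8s %-16s %s %s\n", $r->{line}, $r->{name} || '-',
        $r->{host} || '-', scalar localtime($r->{time}), $r->{type};
}

my $seen = hosts_by_user(@records);
for my $user (sort keys %$seen) {
    print "$user logged in from: ",
        join(', ', sort keys %{ $seen->{$user} }), "\n";
}
```

Two caveats matter when this is pointed at a real file. The template must match the writer, not the reader: a wtmp copied from a big-endian SPARC host to a little-endian machine needs an explicit byte-order modifier (`l>` in Perl 5.10 and later) in place of the native `l`, or every timestamp unpacks as nonsense. And because the file is a plain sequence of fixed-size records with no checksums, the leftover-bytes check is the only hint you get that a record was cut short or the layout guess is wrong.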