Binary Log Files

Sometimes it’s not that easy writing programs to deal with log files. Instead of nice, easily parseable text lines, some logging mechanisms produce nasty, gnarly binary files with proprietary formats that can’t be parsed with a single line of Perl. Luckily, Perl isn’t afraid of these miscreants. Let’s look at a few approaches we can take when dealing with these files. We’re going to look at two different examples of binary logs: Unix’s wtmp file and NT/2000’s event logs.

Back in Chapter 3, we touched briefly on the notion of logging in and logging out of a Unix host. Login and logout activity is tracked in a file called wtmp on most Unix variants. It is common to check this file whenever there is a question about a user’s connection habits (e.g., from what hosts does this person usually log in?).

On NT/2000, the event logs play a more generalized role. They are used as a central clearinghouse for logging practically all activity that takes place on these machines including login and logout activity, OS messages, security events, etc. Their role is analogous to the Unix syslog service we mentioned earlier.

Using unpack( )

Perl has a function called unpack( ) especially designed to parse binary and structured data. Let’s take a look at how we might use it to deal with the wtmp files. The format of wtmp differs from Unix variant to Unix variant. For this specific example we’ll look at the wtmp files found on SunOS 4.1.4 and Digital Unix 4.0 because they are pretty ...

Get Perl for System Administration now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.