如何使用pyparsing解析syslog消息

Question

我有类似下面的系统日志。

date = 2015-10-08 time = 16：03：26 devname = D1_FIG device_id = ID300B3908601UID log_id = 0021000002 type = traffic subtype = allowed pri = notice vd = root src = 157.56.15.15 src_port = 3584 src_int =“port4 “dst = 211.16.12.55 dst_port = 80 dst_int =”WLN_200“SN = 2775431942 status = accept policyid = 430 dst_country =”英国，英国“src_country =”英国，英国“dir_disp = org tran_disp = dnat tran_ip = 12.15 .7.17 tran_port = 80 service = HTTP proto = 6 duration = 120 sent = 132 rcvd = 92 sent_pkt = 3 rcvd_pkt = 2

我想使用像这样的pyparsing来解析这个日志。

{"date", "2015-10-08"}
{"time", "16:03:26"}
{"devname", "D1_FIG"}
{"device_id", "ID300B3908601UID"}
....
{"src", "157.56.15.15"}
....
{"dst_country", "United Kingdom, Great Britain"}
....

源代码是这样的。

from pyparsing import *

origin_str = "date=2015-10-08 time=16:03:26 devname=D1_FIG device_id=ID300B3908601UID log_id=0021000002 type=traffic subtype=allowed pri=notice vd=root src=157.56.15.15 src_port=3584 src_int=\"port4\" dst=211.16.12.55 dst_port=80 dst_int=\"WLN_200\" SN=2775431942 status=accept policyid=430 dst_country=\"United Kingdom, Great Britain\" src_country=\"United Kingdom, Great Britain\" dir_disp=org tran_disp=dnat tran_ip=12.15.7.17 tran_port=80 service=HTTP proto=6 duration=120 sent=132 rcvd=92 sent_pkt=3 rcvd_pkt=2"

date_s = Word(nums, nums+'-')
time_s = Word(nums, nums+':')
identifier = Word(alphas, alphanums+'_') | date_s | time_s
equal = Literal("=").suppress()
KeyNValue = identifier.setResultsName("lhs") + equal + identifier.setResultsName("rhs")

for srvrtokens,startloc,endloc in KeyNValue.scanString(origin_str):
    print srvrtokens

这是我到目前为止所做的：

['date', '2015-10-08']
['time', '16']
['devname', 'FW_IDC1']
['device_id', 'FG300B3908601477']
['log_id', '0021000002']
['type', 'traffic']
['subtype', 'allowed']
['pri', 'notice']
['vd', 'root']
['src', '147']
['src_port', '58979']
['dst', '210']
['dst_port', '80']
['SN', '2770251942']
['status', 'accept']
['policyid', '430']
['dir_disp', 'org']
['tran_disp', 'dnat']
['tran_ip', '172']
['tran_port', '80']
['service', 'HTTP']
['proto', '6']
['duration', '120']
['sent', '132']
['rcvd', '92']
['sent_pkt', '3']
['rcvd_pkt', '2']

但我不知道如何解析“time”和“dst_country”字符串。

Answer 1

此程序在日志字符串中生成dict个数据。

from pyparsing import *
from pprint import pprint

origin_str = "date=2015-10-08 time=16:03:26 devname=D1_FIG device_id=ID300B3908601UID log_id=0021000002 type=traffic subtype=allowed pri=notice vd=root src=157.56.15.15 src_port=3584 src_int=\"port4\" dst=211.16.12.55 dst_port=80 dst_int=\"WLN_200\" SN=2775431942 status=accept policyid=430 dst_country=\"United Kingdom, Great Britain\" src_country=\"United Kingdom, Great Britain\" dir_disp=org tran_disp=dnat tran_ip=12.15.7.17 tran_port=80 service=HTTP proto=6 duration=120 sent=132 rcvd=92 sent_pkt=3 rcvd_pkt=2"

key = Word(alphas, alphanums+'_')
value = quotedString | Word(printables)
equal = Literal("=").suppress()
KeyNValue = key + equal + value

result = dict(srvtokens for srvtokens,_,_ in KeyNValue.scanString(origin_str))
assert len(result) == origin_str.count('=')

pprint(result)

结果：

{'SN': '2775431942',
 'date': '2015-10-08',
 'device_id': 'ID300B3908601UID',
 'devname': 'D1_FIG',
 'dir_disp': 'org',
 'dst': '211.16.12.55',
 'dst_country': '"United Kingdom, Great Britain"',
 'dst_int': '"WLN_200"',
 'dst_port': '80',
 'duration': '120',
 'log_id': '0021000002',
 'policyid': '430',
 'pri': 'notice',
 'proto': '6',
 'rcvd': '92',
 'rcvd_pkt': '2',
 'sent': '132',
 'sent_pkt': '3',
 'service': 'HTTP',
 'src': '157.56.15.15',
 'src_country': '"United Kingdom, Great Britain"',
 'src_int': '"port4"',
 'src_port': '3584',
 'status': 'accept',
 'subtype': 'allowed',
 'time': '16:03:26',
 'tran_disp': 'dnat',
 'tran_ip': '12.15.7.17',
 'tran_port': '80',
 'type': 'traffic',
 'vd': 'root'}