Created: 2011-07-08 21:04
Updated: 2018-05-25 01:29



Parse::Syslog::Line - Simple syslog line parser


version 4.4


I wanted a very simple log parser for network-based syslog input. Nothing existed that simply took a line and returned a hash ref all parsed out.

use Parse::Syslog::Line qw(parse_syslog_line);

$Parse::Syslog::Line::DateTimeCreate = 1;
$Parse::Syslog::Line::AutoDetectJSON = 1;

my $href = parse_syslog_line( $msg );
# $href = {
#       preamble        => '13',
#       priority        => 'notice',
#       priority_int    => 5,
#       facility        => 'user',
#       facility_int    => 8,
#       date            => 'YYYY-MM-DD',
#       time            => 'HH:MM:SS',
#       epoch           => 1361095933,
#       datetime_str    => ISO 8601 datetime, $NormalizeToUTC = 1 then UTC, else local
#       datetime_obj    => undef,       # If $DateTimeCreate = 1, else undef
#       datetime_raw    => 'Feb 17 11:12:13',
#       date_raw        => 'Feb 17 11:12:13',
#       host_raw        => 'hostname',  # Hostname as it appeared in the message
#       host            => 'hostname',  # Hostname without domain
#       domain          => '',  # if provided
#       program_raw     => 'sshd(blah)[pid]',
#       program_name    => 'sshd',
#       program_sub     => 'pam_unix',
#       program_pid     => 20345,
#       content         => 'the rest of the message',
#       message         => 'program[pid]: the rest of the message',
#       message_raw     => 'The message as it was passed',
#       ntp             => 'ok',           # Only set for Cisco messages
#       SDATA           => { ... },  # Decoded JSON or K/V Pairs in the message
# };


Exported by default: parse_syslog_line( $one_line_of_syslog_message );

Optional Exports: :preamble preamble_priority preamble_facility





If this variable is set to 1 (the default), parse_syslog_line() will try its best to extract a "program" field from the input. This is the most expensive set of regexes in the module, so if you don't need that pre-parsed, you can speed the module up significantly by setting this variable to 0.

Vendors who do proprietary nonsense with their syslog formats are to blame for this setting.


$Parse::Syslog::Line::ExtractProgram = 0;


If this variable is set to 0, the raw date will not be parsed further into components (datetime_str, date, time, epoch). Default is 1 (parsing enabled).


$Parse::Syslog::Line::DateParsing = 0;


If this variable is set to 1 (the default), a DateTime object will be returned in the $m->{datetime_obj} field. Otherwise, this will be skipped.

NOTE: DateTime timezone calculation is fairly slow. Unless you really need to take timezones into account, you're better off using other modes (below).


$Parse::Syslog::Line::DateTimeCreate = 0;


If this variable is set to 1, the default, the number of seconds from UNIX epoch will be returned in the $m->{epoch} field. Setting this to false will only delete the epoch before returning the hash reference.


When set, the datetime_str will be ISO8601 UTC.


Default is false, but is enabled if you call set_syslog_timezone() or use_utc_syslog(). If enabled, this will append the timezone offset to the datetime_str.


You can pass your own formatter/parser here. Given a raw datetime string it should output a list containing date, time, epoch, datetime_str, in your wanted format.

use Parse::Syslog::Line;

local $Parse::Syslog::Line::FmtDate = sub {
    my ($raw_datestr) = @_;
    my @elements = (
        # date, time, epoch, datetime_str (in that order)
    );
    return @elements;
};

NOTE: No further date processing will be done, you're on your own here.


Default is %0.6f, or microsecond resolution. This variable only comes into play when the syslog date string contains a high resolution timestamp.


Default is false. If true, we'll autodetect the presence of JSON in the syslog message and use JSON::MaybeXS to decode it. The detection/decoding is simple. If a '{' is detected, everything until the end of the message is assumed to be JSON. The decoded JSON will be added to the SDATA field.

$Parse::Syslog::Line::AutoDetectJSON = 1;


Default is false. If true, we'll autodetect the presence of Splunk style key/value pairs in the message stream. That format is k1=v1, k2=v2. Resulting K/V pairs will be added to the SDATA field.

$Parse::Syslog::Line::AutoDetectKeyValues = 1;


This variable defaults to 0; set it to 1 to delete all keys in the return hash ending in "_raw".


$Parse::Syslog::Line::PruneRaw = 1;


This variable defaults to 0; set it to 1 to delete all keys in the return hash which are undefined.


$Parse::Syslog::Line::PruneEmpty = 1;


This should be an array of fields you'd like to be removed from the hash reference.


@Parse::Syslog::Line::PruneFields = qw(date_raw facility_int priority_int);



Returns a hash reference of syslog message parsed data.

NOTE: Date/time parsing is hard. This module has been optimized to balance common sense and processing speed. Care is taken to ensure that any data input into the system isn't lost, but with the varieties of vendor and admin crafted date formats, we don't always get it right. Feel free to override date processing by setting the $FmtDate variable, or completely disable it with $DateParsing set to 0.
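
A small detection script built on parse_syslog_line(), added here as an example (it is not part of the module's documentation). It counts failed sshd password logins per source address using the program_name, content and host fields described above; the log lines, the regular expression and the threshold are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Parse::Syslog::Line qw(parse_syslog_line);

# Skip the slow DateTime object and drop the *_raw copies we do not use.
$Parse::Syslog::Line::DateTimeCreate = 0;
$Parse::Syslog::Line::PruneRaw       = 1;

# Constructed sample input; addresses are from the RFC 5737 documentation ranges.
my @lines = (
    '<38>Feb 17 11:12:13 bastion sshd[20345]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2',
    '<38>Feb 17 11:12:15 bastion sshd[20345]: Failed password for root from 203.0.113.7 port 51124 ssh2',
    '<38>Feb 17 11:12:18 bastion sshd[20351]: Failed password for root from 203.0.113.7 port 51130 ssh2',
    '<38>Feb 17 11:13:02 bastion sshd[20360]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2',
    '<38>Feb 17 11:13:40 web01 sshd[1187]: Failed password for deploy from 198.51.100.20 port 40030 ssh2',
    '<13>Feb 17 11:14:00 web01 myapp[991]: Failed password for demo from 192.0.2.9 port 1 (not sshd, ignored)',
);

my $THRESHOLD = 3;    # assumed alerting threshold for this example

# Return { source address => { count, users, hosts } } for sshd failures.
sub failed_logins {
    my (@input) = @_;
    my %by_src;
    for my $line (@input) {
        my $m = parse_syslog_line($line);
        # Match on the parsed program name rather than a substring of the raw
        # line, so other programs logging similar text are not counted.
        next unless ( $m->{program_name} // '' ) eq 'sshd';
        next unless ( $m->{content} // '' )
            =~ /\bFailed password for (?:invalid user )?(\S+) from (\S+) port \d+/;
        my ( $user, $src ) = ( $1, $2 );
        $by_src{$src}{count}++;
        $by_src{$src}{users}{$user} = 1;
        $by_src{$src}{hosts}{ $m->{host} // 'unknown' } = 1;
    }
    return \%by_src;
}

my $seen = failed_logins(@lines);
for my $src ( sort keys %$seen ) {
    my $s = $seen->{$src};
    next if $s->{count} < $THRESHOLD;
    printf "%s: %d failed sshd logins on %s (users: %s)\n",
        $src, $s->{count},
        join( ',', sort keys %{ $s->{hosts} } ),
        join( ',', sort keys %{ $s->{users} } );
}
```

The user name and source address are taken from message content written by the remote side of the connection, so treat them as untrusted when they are forwarded to a shell, a database or a terminal.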


Sets a timezone $timezone_name for parsed messages. This timezone will be used to calculate offset from UTC if a timezone designation is not present in the message being parsed. This timezone will also serve as the source timezone for the datetime_str field.


Returns the name of the timezone currently set by set_syslog_timezone.


A convenience function which sets the syslog timezone to UTC and sets the config variables accordingly. Automatically sets $NormalizeToUTC, and datetime_str will be set to the UTC equivalent.


Takes the integer portion of the syslog message and returns a hash reference as such:

$prioRef = {
    'preamble'  => 13,
    'as_text'   => 'notice',
    'as_int'    => 5,
};


Takes the integer portion of the syslog message and returns a hash reference as such:

$facRef = {
    'preamble'  => 13,
    'as_text'   => 'user',
    'as_int'    => 8,
};


This module is developed with Dist::Zilla. To build from the repository, use Dist::Zilla:

dzil authordeps --missing |cpanm
dzil listdeps --missing |cpanm
dzil build
dzil test


Brad Lhotsky


This software is Copyright (c) 2017 by Brad Lhotsky.

This is free software, licensed under:

The (three-clause) BSD License




The following websites have more information about this module, and may be of help to you. As always, in addition to those websites please use your favorite search engine to discover more resources.

Source Code

This module's source code is available by visiting:
