--- lib/PXElator/syslogd.pm 2009/08/16 22:23:55 230
+++ lib/PXElator/syslogd.pm 2009/08/17 00:45:41 238
@@ -7,6 +7,8 @@
 use Data::Dump qw/dump/;
 use CouchDB;
+use server;
+
 our $port = 514;
 our $MAXLEN = 1524;
@@ -23,30 +25,52 @@
 my $buf;
 while(1) {
 $sock->recv($buf, $MAXLEN);
+
+ next unless $buf;
+
 my ($port, $ipaddr) = sockaddr_in($sock->peername);
 my $log = {
 ip => join('.', unpack('C4',$ipaddr)),
- hostname => gethostbyaddr($ipaddr, AF_INET),
- message => $buf,
+ buf => $buf,
 };
- if ( $buf =~ /<(\d+)>\s*(\S*)\s*:\s*(.*)/ ) {
- my $level = $1 % 8;
+ if ( $buf =~ s/<(\d+)>// ) {
+ $log->{pri} = $1 % 8;
+ $log->{facility} = ( $1 - $log->{pri} ) / 8;
+
+ $log->{timestamp} = $1 if $buf =~ s/^(\w\w\w\s+\d+\s+\d\d:\d\d:\d\d)\s*//; # strip timestamp which some syslog servers insert here
+
+ if ( $buf =~ s/^([^:]+)\s*:\s*// ) {
+ my $tag = $1;
+ if ( $tag =~ m{^(\S+)\s(\S+)} ) {
+ $log->{tag} = $2;
+ $log->{hostname} = $1;
+ } else {
+ $log->{tag} = $tag;
+ }
+
+ if ( $log->{tag} =~ s/\[(\d+)\]$// ) {
+ $log->{pid} = $1;
+ } elsif ( $buf =~ s/^(\d+):\s*// ) {
+ $log->{pid} = $1;
+ }
+ }
+
+ if ( $log->{tag} =~ m{CRON}i && $buf =~ m{^\((\w+)\) (.+) \((.+)\)$} ) {
+ $log->{cron} = {
+ user => $1,
+ command => $2,
+ argument => $3,
+ };
+ }
- my $overlay = {
- message => $3,
- level => $level,
- facility => ( $1-$level ) / 8,
- program => $2,
- };
-
- $log->{$_} = $overlay->{$_} foreach keys %$overlay;
-
- $log->{pid} = $1 if $log->{program} =~ s/\[(\d+)\]$//;
+ $log->{message} = $buf;
 }
 warn "log ",dump( $log );
 CouchDB::audit( 'syslog', $log );
+
+ server->refresh;
 }
 }
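Review bot: In the second hunk the PRI match `s/<(\d+)>//` is neither anchored nor bounded, so a datagram that carries `<digits>` anywhere in its text gets `pri` and `facility` computed from message content; `if ( $buf =~ s/^<(\d{1,3})>// ) {` keeps the parse to the header position. The CRON test reads `$log->{tag}` outside the block that assigns it, so a message without a `tag:` prefix is matched against an undefined value (a warning per packet if warnings are enabled, which the hunk does not show); `if ( defined $log->{tag} && $log->{tag} =~ m{CRON}i && ...` avoids that. `hostname` is now copied from the packet text rather than resolved from the source address, so it is sender-supplied like `tag`, `pid` and `cron`, and only `ip` comes from the socket; a comment such as `# hostname/tag/pid are taken from the message body and are not verified` above `$log->{hostname} = $1;` would record that for readers of the `syslog` audit records. The receive loop and its enclosing sub start outside the hunk.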