Cascalog print auditd log fields

print_fields.clj

(ns aud_cas.print_fields
  (:use cascalog.api)
  (:require [clojure.string :as str])
  )

(defn parse_input_record
  "Parse the text of the input record into fields in a map"
  [input_record]
  (let [prefix_string (get (str/split input_record #"\: ") 0)
        prefix_pairs (str/split prefix_string #" ")
        prefix_pair_vecs (map #(str/split % #"=") prefix_pairs )
        prefix_map (into {} prefix_pair_vecs)
        ]
    prefix_map))

(defmapop dmo-parse-log-record-to-tuple
  "Parse the text of the audit record into fields in a tuple / vector"
  [input_record]
  (let [prefix_map (parse_input_record input_record)
        {:strs [type node msg]} prefix_map
        ]
    [type node msg]))

(defn query-log-lines
  "Return a query for the log lines"
  [log-path]
  (let [text-tap (lfs-textline log-path)
        query-line  (<- [?line] (text-tap :> ?line))
        ]
    query-line))

(defn query-log-tuples
  "Return a query for the log tuples"
  [log-path]
  (let [q-log-lines  (query-log-lines log-path)
        q-log-tuples (<- [?type ?node ?msg] (q-log-lines :> ?line)
                         (dmo-parse-log-record-to-tuple ?line :> ?type ?node ?msg))
        ]
    q-log-tuples))

(defn print-fields
  "Use cascalog to print the prefix fields of an auditd log"
  [log-path]
  (let [q-tuples  (query-log-tuples log-path)]
    (?<- (stdout) [?type ?node ?msg] (q-tuples :> ?type ?node ?msg ))))

(defn -main
  "Entry point"
  [log-path]
  (println "Printing fields in file" log-path)
  (print-fields log-path)
  )