<?php
$data = "
Dec  25 10:02:10  192.168.0.213  syslog-ng[22683]:  syslog-ng  starting  up;  version='2.0.6'
Dec  25  10:02:23  192.168.0.213  CRON[22595]:  pam_unix(cron:session):  session  closed  for  user  www-data 
Dec  25  10:02:51  192.168.0.213  shutdown[22761]:  shutting  down  for  system  reboot 
Dec  25  10:02:54  192.168.0.213  init:  Switching  to  runlevel:  6 
Dec  25  10:03:02  192.168.0.213  kernel:  CPU0:  Temperature/speed  normal 
Dec  25  10:03:10  192.168.0.213  watchdog[2962]:  stopping  daemon  (5.4) 
Dec  25  10:03:10  192.168.0.213  wd_keepalive[22852]:  starting  watchdog  keepalive  daemon  (5.4):  int=10  alive=(null)  realtime=yes 
Dec  25  10:03:10  192.168.0.213  wd_keepalive[22852]:  stopping  watchdog  keepalive  daemon  (5.4) 
Dec  25  10:03:23  192.168.0.213  rpc.statd[2040]:  Caught  signal  15,  un-registering  and  exiting. 
Dec  25  10:03:24  192.168.0.213  ntop[2683]:    CLEANUP[t3054491312]:  ntop  caught  signal  15 
Dec  25  10:03:24  192.168.0.213  ntop[2683]:    THREADMGMT[t3054491312]:  ntop  RUNSTATE:  SHUTDOWN(7)
"; 
preg_match_all('/([\w]{3}[\s]+[\d]{1,2}[\s]+[\d:]{5,8})[\s]+([0-9\.]{7,15})[\s]+([\w\-\.]+?)(?(?=\[[\d]+\])\[([\d]+)\]):(.+)/i',$data,$a);
print_r($a);
# 讲解
#'/([\w]{3}[\s]+[\d]{1,2}[\s]+[\d:]{5,8})[\s]+([0-9\.]{7,15})[\s]+([\w\-\.]+?)(?(?=\[[\d]+\])\[([\d]+)\]):(.+)/i'
# 时间匹配开始
# [\w]{3}     1,匹配三位任一“字”的字符
# [\s]+       2,匹配多位空白符
# [\d]{1,2}     3,匹配由一到两位的数字
# [\s]+        4,匹配多位空白符
# [\d:]{5,8}    5,匹配五到八位由十进制数字和冒号组成的字符串 ;
# 时间匹配结束
# [\s]+       1,匹配多位空白符
# Ip匹配开始
# [\d\.]{7,15}  1,匹配七到十五位由十进制数字和点号组成的字符串 ;
# Ip匹配结束
# [\s]+       1,匹配多位空白符
# 程序匹配开始
# ([\w\-\.]+?)  1,匹配任一'字',点号和'-'号.
# 程序匹配结束
# 端口匹配开始
# (?(?=\[[\d]+\])\[([\d]+)\]) 1,条件匹配 如有匹配 [一位或多位十进制数字] 的字符串 则取出数字，即执行后面的 \[([\d]+)\] 匹配.
# 端口匹配结束
# : 1,匹配冒号
# 描述匹配开始
# (.+)     1,匹配除了换行符外的任意一个字符（默认情况下）
# 描述匹配结束
# /i        1,i 模式修正符 “如果设定此修正符，模式中的字符将同时匹配大小写字母” 即 不区分大小写
?>