Wow, thank you all for the pointers! I've got a lot to learn but you've all provided some very valuable information. That is only one part of the process I have to accomplish. I'll be working on it over the weekend and will update this post with any changes and provide a solution when I do succeed.
Rest of the flow is as such:
-> Grab sessionID from auth log which is in the rough format:
20120921 10:04:02.162 LOGIN_FAIL username sessionid
-> With that sessionID, parse message log file for:
20120921 10:04:02.162 AUTHREQ referer sessionid
-> Sometimes there will be duplicate entries in message (i.e. same sessionID, different time, potentially different referer). If there are duplicates, I want to parse the time to find the one which is closest in time to the original auth event and then grab the referer from that, eventually counting the total per referer.
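
The flow described in the post above, as an added example that is not part of the original post: it indexes AUTHREQ entries by session ID, resolves duplicates by smallest time gap to the LOGIN_FAIL event, and counts failures per referer. It assumes whitespace-separated fields with no spaces inside the username or referer; the function names, the LOGIN_OK event, the session IDs and the example hostnames are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

TS_FORMAT = "%Y%m%d %H:%M:%S.%f"

# Constructed sample lines in the rough format given in the post.
AUTH_LOG = """\
20120921 10:04:02.162 LOGIN_FAIL alice S1
20120921 10:05:10.000 LOGIN_OK bob S2
20120921 10:06:30.500 LOGIN_FAIL carol S3
20120921 10:07:00.000 LOGIN_FAIL dave S4
"""
MESSAGE_LOG = """\
20120921 10:03:00.000 AUTHREQ http://a.example/ S1
20120921 10:04:02.100 AUTHREQ http://b.example/ S1
20120921 10:06:30.400 AUTHREQ http://b.example/ S3
20120921 10:06:31.000 AUTHREQ http://c.example/ S3
20120921 10:05:09.900 AUTHREQ http://a.example/ S2
not a log line
"""

def parse(line):
    """Split 'date time EVENT field sessionid' into (timestamp, event, field, sid)."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed or truncated line: skip it
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
    except ValueError:
        return None
    return ts, parts[2], parts[3], parts[4]

def count_referers(auth_lines, message_lines):
    # Index AUTHREQ entries by session ID in one pass over the message log.
    requests = defaultdict(list)
    for ts, event, referer, sid in filter(None, map(parse, message_lines)):
        if event == "AUTHREQ":
            requests[sid].append((ts, referer))
    counts = Counter()
    for ts, event, _user, sid in filter(None, map(parse, auth_lines)):
        if event != "LOGIN_FAIL":
            continue
        if sid not in requests:
            counts["(no AUTHREQ found)"] += 1  # keep unmatched failures visible
            continue
        # Duplicates: keep the entry with the smallest absolute time gap.
        _, referer = min(requests[sid], key=lambda r: abs(r[0] - ts))
        counts[referer] += 1
    return counts
```

Calling count_referers(AUTH_LOG.splitlines(), MESSAGE_LOG.splitlines()) runs it on the sample data; for real files, pass the open file objects instead.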