Question

Locked

awk script

By real_madrid_747 ·
do any have a awk script to check /var/log/auth.log
i want the script to seek for failed password for root
and the script will tell me ip adress and count and write

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Some examples

by deity_chooch In reply to awk script

You should just need to `grep` the 'auth.log' file for the lines with the failed login attempts and pipe into awk to get the IP. I'd suggest looking at the manual for it, but here's a few examples:

echo $STRING | awk '{print $1}' # Splits the $STRING variable by spaces and prints the first string

echo $STRING | awk -F';' '{print $4}' # Splits the $STRING variable by semi-colons and prints the fourth string

You can count the IPs in different ways. One would be to create a new file for every IP and then use `wc` to count the lines. Another way would be to use `sort` to make one larger file, then create a loop that looks for duplicate IPs, but the separate files way was easier to make for me.

#!/usr/bin/sh

# Searches for $STRING in the auth.log file and writes the 4th string to a file
for LINE in grep $STRING /var/log/auth.log; do
IP=`echo "$LINE" | awk '{print $4}'`
echo $IP >> $IP.tmp
done

# Finds all the temp files made and counts the lines
for FILE in `ls *.tmp`; do
wc -l $FILE
done

# Removes all files with a .tmp extension
rm -f *.tmp

Back to Software Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums