Question


awk script

By real_madrid_747

Does anyone have an awk script to check /var/log/auth.log?
I want the script to look for failed password for root,
and the script will tell me the IP address and count and write


All Answers


Some examples

by deity_chooch In reply to awk script

You should just need to `grep` the 'auth.log' file for the lines with the failed login attempts and pipe into awk to get the IP. I'd suggest looking at the manual for it, but here's a few examples:

```sh
echo "$STRING" | awk '{print $1}' # Splits the $STRING variable by spaces and prints the first string

echo "$STRING" | awk -F';' '{print $4}' # Splits the $STRING variable by semi-colons and prints the fourth string
```

You can count the IPs in different ways. One would be to create a new file for every IP and then use `wc` to count the lines. Another way would be to use `sort` to make one larger file, then create a loop that looks for duplicate IPs, but the separate files way was easier to make for me.

```sh
#!/bin/sh

# Searches for $STRING in the auth.log file and writes the 4th string to a file
# (set STRING before running; change $4 to the field that holds the IP in your log format)
grep -- "$STRING" /var/log/auth.log | while IFS= read -r LINE; do
    IP=$(echo "$LINE" | awk '{print $4}')
    echo "$IP" >> "$IP.tmp"
done

# Finds all the temp files made and counts the lines
for FILE in *.tmp; do
    wc -l "$FILE"
done

# Removes all files with a .tmp extension
rm -f *.tmp
```
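An added example, not part of the original reply: a single awk pass that does what the question asks, counting failed root password attempts per source address without temporary files. The function names `failed_root_by_ip` and `sample_auth_log` are made up for this example, the sample lines are constructed, and it assumes OpenSSH's usual "Failed password for root from <ip>" wording.

```shell
#!/bin/sh
# Added example: count failed root password attempts per source address.
# Usage: failed_root_by_ip [logfile]   (default /var/log/auth.log)
failed_root_by_ip() {
    awk '
    {
        for (i = 2; i + 5 <= NF; i++) {
            if ($i != "Failed" || $(i+1) != "password" || $(i+2) != "for" ||
                $(i+3) != "root" || $(i+4) != "from") continue
            # Accept the phrase only at the start of the sshd message. The
            # user name is logged verbatim on the same line, so the same
            # words can also appear further along.
            n = 0
            if ($(i-1) ~ /^sshd(\[[0-9]+\])?:$/) {
                n = 1
            } else if (i > 6 && $(i-6) ~ /^sshd(\[[0-9]+\])?:$/ &&
                       $(i-5) == "message" && $(i-4) == "repeated" &&
                       $(i-3) ~ /^[0-9]+$/ && $(i-2) == "times:" && $(i-1) == "[") {
                n = $(i-3) + 0    # rsyslog "message repeated N times: [ ... ]"
            }
            if (n) count[$(i+5)] += n
            break
        }
    }
    END { for (ip in count) print count[ip], ip }
    ' "${1:-/var/log/auth.log}" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation addresses), not real log data.
sample_auth_log() {
    cat <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40000 ssh2
Jan 10 10:00:03 host sshd[1001]: Failed password for root from 203.0.113.5 port 40000 ssh2
Jan 10 10:00:05 host sshd[1002]: message repeated 3 times: [ Failed password for root from 198.51.100.7 port 41000 ssh2]
Jan 10 10:00:07 host sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:09 host sshd[1004]: Failed password for invalid user x Failed password for root from 192.0.2.9 from 198.51.100.7 port 41002 ssh2
Jan 10 10:00:11 host sshd[1005]: Accepted password for root from 192.0.2.1 port 42000 ssh2
EOF
}
```

Each output line is a count followed by the address, highest count first; redirect the output to a file to keep the result.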
