Saturday, August 8, 2009

Fun with grep

I got a copy of the Grep Pocket Reference back in early July in PDF format (from O'Reilly's Safari Bookshelf). I read through it but didn't really learn that much.

Last week the hard copy version arrived (2 weeks after I ordered it from Amazon). I've been reading it over the last week. The parts I'm going through right now talk about Regular Expressions (regex). I've read about regex more times than I can count, in classes, in shell scripting books, on the web. This time it made sense.

My firewall log parsing for IP addresses has really improved. For example, I'd usually do "grep '< my ip address >' /external/logs/firewall1". The problem is that my address at work is .18, but that would pull .181 - .189 also. The first thing I did was backslash the dots in the IP address, since an unescaped . matches any character. It cleaned up some stuff from the logs, but not much. It's nicer to know it's not matching any character and is only matching what I want it to.

That was also a problem I was having when I wrote Failed a few years ago.

Yesterday I read about word boundaries. I tested it this morning with my work IP address, and I'm no longer getting the .181 - .189 addresses. Which is fun. It'll make looking for some things easier in the logs at work.
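Here is the progression described above (plain dots, escaped dots, word boundaries) run over a handful of constructed firewall log lines. This is an added example, not part of the original post; the addresses and log layout are made up, and the word-boundary escape \b assumes GNU grep.

```shell
#!/bin/sh
# Added example (not from the original post): three grep patterns run over
# constructed firewall log lines, showing how unescaped dots and missing word
# boundaries make a search for .18 also return .181-.189 and similar addresses.

# Constructed sample log lines (hypothetical addresses, not real log data).
LOGLINES='Aug  8 09:01:02 fw1 kernel: IN=eth0 SRC=10.1.1.18 DST=10.1.1.1 PROTO=TCP DPT=22
Aug  8 09:01:03 fw1 kernel: IN=eth0 SRC=10.1.1.181 DST=10.1.1.1 PROTO=TCP DPT=22
Aug  8 09:01:04 fw1 kernel: IN=eth0 SRC=10.1.1.189 DST=10.1.1.1 PROTO=TCP DPT=80
Aug  8 09:01:05 fw1 kernel: IN=eth0 SRC=10.1.1x18 DST=10.1.1.1 PROTO=TCP DPT=80
Aug  8 09:01:06 fw1 kernel: IN=eth0 SRC=110.1.1.18 DST=10.1.1.1 PROTO=TCP DPT=25
Aug  8 09:01:07 fw1 kernel: IN=eth0 SRC=10.1.1.18 DST=10.1.1.1 PROTO=UDP DPT=53'

# count_matches PATTERN: number of sample lines matched by a basic-regex grep.
count_matches() {
    printf '%s\n' "$LOGLINES" | grep -c -e "$1"
}

# Unescaped dots: '.' matches any character, so 10.1.1x18 matches too, and with
# no anchoring 10.1.1.181, 10.1.1.189 and 110.1.1.18 all match as well.
naive()   { count_matches '10.1.1.18'; }

# Escaped dots: only literal dots now, but the pattern is still a prefix of
# .181/.189 and a suffix of 110.1.1.18, so those still come back.
escaped() { count_matches '10\.1\.1\.18'; }

# Word boundaries (\b in GNU grep; \< and \> work as well): a digit on either
# side is no longer allowed, so only the exact address matches.
bounded() { count_matches '\b10\.1\.1\.18\b'; }

# grep -w asks for the same whole-word match without writing the boundaries
# into the pattern, which is handy when the pattern comes from a variable.
wholeword() { printf '%s\n' "$LOGLINES" | grep -c -w '10\.1\.1\.18'; }

echo "plain dots:      $(naive) lines"
echo "escaped dots:    $(escaped) lines"
echo "word boundaries: $(bounded) lines"
echo "grep -w:         $(wholeword) lines"
```

The counts fall from 6 to 5 to 2: escaping the dots only removes the line where the dot was matching a non-dot character, while the boundary is what drops the .181/.189 and 110.x.x.x neighbours.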

-------

Just for fun, here is what the finished version of Failed looked like (modified slightly):

#! /bin/sh
# checks /var/log/auth.log for login failures.
# version 0.2
# < my email address removed >

# prints failed invalid users
# field 13 is the source address and field 11 the attempted user name in
# "Failed password for invalid user NAME from ADDR port N ssh2" lines
echo "Failed Invalid User Attempts"
sudo grep "Failed" /var/log/auth.log | grep -i 'invalid' | grep -v '< work login id removed >' | awk '{print $1,$2,$3,$13,$11}' | sort -u

echo ' '
# prints failed valid users, except for me.
# without "invalid user" the line is two fields shorter, so the address is
# field 11 and the user name field 9
echo "Failed Valid User Attempts"
sudo grep "Failed" /var/log/auth.log | grep -vi 'invalid' | grep -v '< work login id removed >' | grep -v '< home login id removed >' | awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '

------

I sudo the two lines because I need to be root to read that log file. I didn't want to setuid the script, nor did I want to be root when I ran it. It also requires me to type my password to run it, since sudo only remembers my password for 5 minutes.

To make this work on Red Hat based systems, change auth.log to secure.log.
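To try the Failed pipelines without sudo or a real auth.log, here they are run over a constructed log file. This is an added example, not the post's own script: the hosts, users and addresses are made up, and the sshd message layout assumed is the one the script's awk field numbers ($13/$11 for invalid users, $11/$9 for valid users) require. It also uses grep -vw for the excluded login id, so that excluding "bob" does not silently hide attempts against "bobby" too (plain grep -v would).

```shell
#!/bin/sh
# Added example (not the post's own script): the Failed report run over a
# constructed auth.log, so it can be tried without sudo or a real log.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sample lines (hypothetical host, users and addresses) in the
# OpenSSH "Failed password for [invalid user] NAME from ADDR port N ssh2" layout.
cat > "$LOG" <<'EOF'
Aug  8 09:15:01 host1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4444 ssh2
Aug  8 09:15:03 host1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 4445 ssh2
Aug  8 09:15:05 host1 sshd[1202]: Failed password for invalid user oracle from 192.0.2.11 port 4446 ssh2
Aug  8 09:16:07 host1 sshd[1203]: Failed password for bob from 192.0.2.12 port 4447 ssh2
Aug  8 09:16:09 host1 sshd[1204]: Failed password for bobby from 192.0.2.13 port 4448 ssh2
Aug  8 09:16:11 host1 sshd[1205]: Accepted password for bob from 192.0.2.12 port 4449 ssh2
EOF

# The login id to leave out of the valid-user report (stand-in for the removed one).
ME=bob

# failed_invalid: "month day time address user" for failures against users that
# do not exist; with "invalid user" present the address is field 13, user field 11.
failed_invalid() {
    grep 'Failed' "$LOG" | grep -i 'invalid' | awk '{print $1,$2,$3,$13,$11}' | sort -u
}

# failed_valid: the same for existing users other than $ME; without the
# "invalid user" words the address is field 11 and the user field 9.
# grep -vw drops only the whole word "bob"; grep -v 'bob' would also drop "bobby".
failed_valid() {
    grep 'Failed' "$LOG" | grep -vi 'invalid' | grep -vw "$ME" | awk '{print $1,$2,$3,$11,$9}' | sort -u
}

echo "Failed Invalid User Attempts"
failed_invalid
echo ' '
echo "Failed Valid User Attempts"
failed_valid
echo ' '
```

The "Accepted" line never appears because the first grep keeps only "Failed" lines; the two admin attempts from the same address stay separate because the timestamp is part of the sorted line, so sort -u only collapses exact repeats.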
