It is often extremely useful as a systems or network administrator to be able to edit, display and count fields from text streams. Luckily, Linux distributions like CentOS and Ubuntu come configured with tools for editing and searching streams of text. In this tutorial, we will learn the basics of the following tools:
root@ubuntu-server:/var/log# man cat
NAME
cat - concatenate files and print on the standard output
SYNOPSIS
cat [OPTION]... [FILE]...
DESCRIPTION
Concatenate FILE(s), or standard input, to standard output.
...
root@ubuntu-server:~# cd /var/log
root@ubuntu-server:/var/log# cat auth.log
In this very simple example we will take a look at our 'auth.log'. To do so we will use the 'cat' tool.
root@ubuntu-server:/var/log# cat auth.log
Jan 5 15:48:51 ubuntu-server sshd[818]: Server listening on 0.0.0.0 port 22.
Jan 5 15:48:51 ubuntu-server sshd[818]: Server listening on :: port 22.
Jan 5 15:48:59 ubuntu-server login[899]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
Jan 5 15:53:14 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/dpkg-reconfigure -plow unattended-upgrades
Jan 5 15:53:14 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 5 15:53:57 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan 5 16:17:01 ubuntu-server CRON[1249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 5 16:17:01 ubuntu-server CRON[1249]: pam_unix(cron:session): session closed for user root
Jan 5 16:18:08 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jan 5 16:18:08 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
...
root@ubuntu-server:~# cd /var/log
root@ubuntu-server:/var/log# cat auth.log | less
In this example, we're doing something rather silly (silly because we don't strictly need 'cat') to illustrate a point. In the first example, we used 'cat' to look at the 'auth.log' file. You may have noticed that this is hard to navigate and impossible to search. The solution to this problem is often to pipe to a pager. A pager is a tool used to view (but not change) the contents of a text file one screen at a time. [1]
Jan 6 09:25:07 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/network/interfaces
Jan 6 09:25:07 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 6 09:25:19 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan 6 09:25:42 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/service networking restart
Jan 6 09:25:42 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 6 09:25:42 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan 6 09:25:58 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/networking restart
Jan 6 09:25:58 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 6 09:25:58 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan 6 09:26:01 ubuntu-server sudo: bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
Jan 6 09:26:01 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan 6 09:26:01 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan 6 09:27:57 ubuntu-server sshd[880]: Server listening on 0.0.0.0 port 22.
Jan 6 09:27:57 ubuntu-server sshd[880]: Server listening on :: port 22.
Jan 6 09:28:05 ubuntu-server login[997]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
Jan 6 09:33:44 ubuntu-server sshd[1123]: Invalid user rotsted from 192.168.56.1
Jan 6 09:33:44 ubuntu-server sshd[1123]: input_userauth_request: invalid user rotsted [preauth]
Once inside the pager, type /<search string> and press Enter to search forward through the file (for example, /fail to jump to the first failed login), and type q at the pager's command prompt to quit.
root@ubuntu-server:/var/log# man grep
NAME
grep, egrep, fgrep, rgrep - print lines matching a pattern
SYNOPSIS
grep [OPTIONS] PATTERN [FILE...]
grep [OPTIONS] [-e PATTERN | -f FILE] [FILE...]
DESCRIPTION
grep searches the named input FILEs (or standard input if no files are named, or if a single hyphen-minus (-) is given as file name) for lines containing a match to the
given PATTERN. By default, grep prints the matching lines.
In addition, three variant programs egrep, fgrep and rgrep are available. egrep is the same as grep -E. fgrep is the same as grep -F. rgrep is the same as grep -r.
Direct invocation as either egrep or fgrep is deprecated, but is provided to allow historical applications that rely on them to run unmodified.
...
root@ubuntu-server:/var/log# grep -i "fail" auth.log
In this example, we will search for failed authentication messages. We will use the following options:
-F, --fixed-strings
Interpret PATTERN as a list of fixed strings, separated by newlines, any of which is to be matched.
-i, --ignore-case
Ignore case distinctions in both the PATTERN and the input files.
root@ubuntu-server:/var/log# grep -i "fail" auth.log
Jan 6 09:24:14 ubuntu-server login[942]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
Jan 6 09:24:17 ubuntu-server login[942]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
Jan 6 09:24:22 ubuntu-server login[942]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Jan 6 09:24:25 ubuntu-server login[942]: FAILED LOGIN (2) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Jan 6 09:25:02 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/tty1 ruser=bob rhost= user=bob
Jan 6 17:27:35 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob
Jan 7 13:36:09 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob
Jan 7 13:36:13 ubuntu-server sudo: pam_unix(sudo:auth): conversation failed
Jan 7 17:31:17 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob
Jan 7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
root@ubuntu-server:/var/log# grep -i "Failed password" auth.log | awk '{ print $11 }'
1. Find the 'sshd' logs that indicate a 'failed' login.
In the previous example, we used 'grep' to find all log messages with the term "fail" in them. Let's try that again; this time, let's only match messages that also contain the string 'sshd'. One way to accomplish this is to pipe one 'grep' into another:
root@ubuntu-server:/var/log# grep -iF "sshd" auth.log | grep -iF "fail"
Jan 7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
Jan 7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
Jan 7 17:31:36 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan 7 17:31:37 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan 7 22:38:04 ubuntu-server sshd[5073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=root
Jan 7 22:38:06 ubuntu-server sshd[5073]: Failed password for root from 192.168.56.1 port 53875 ssh2
Jan 21 15:33:17 ubuntu-server sshd[2595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
Jan 21 15:33:19 ubuntu-server sshd[2595]: Failed password for root from ::1 port 58866 ssh2
Jan 21 15:33:26 ubuntu-server sshd[2595]: message repeated 2 times: [ Failed password for root from ::1 port 58866 ssh2]
Jan 21 15:33:26 ubuntu-server sshd[2595]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
2. Now that we know the format of these messages, find the field number for the source IP
Field:  1    2  3         4              5            6       7         8    9     10    11            12    13     14
Value:  Jan  7  22:38:06  ubuntu-server  sshd[5073]:  Failed  password  for  root  from  192.168.56.1  port  53875  ssh2
3. Craft an 'awk' command that will extract the 11th field.
awk '<pattern> { <action> }' <file>
awk '{print $11}'
awk '/sshd.*Fail/ { print }' auth.log
4. Execute the command!
root@ubuntu-server:/var/log# grep -i "Failed password" auth.log | awk '{ print $11 }'
192.168.56.1
192.168.56.1
192.168.56.1
192.168.56.1
192.168.56.1
::1
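As an added example (not code from the original tutorial), the POSIX shell script below packages the 'grep' search for failed logins and the 'awk' field-extraction procedure above into functions and runs them over a small constructed auth.log sample embedded in the script. The sample reuses the message formats seen in the outputs above and adds two constructed lines: an sshd 'invalid user' failure and a sudo failure. The names SAMPLE_AUTH_LOG, failed_ssh_sources_naive and failed_ssh_attempts are this example's own. It goes one step beyond the tutorial to show why printing a fixed field 11 is fragile: on the 'message repeated N times' line that appears in step 1's output, and on an 'invalid user' line, field 11 is not the address. The second function instead anchors on the sshd program name, takes the word after 'from' wherever it sits, honours the repeat count, and totals attempts per source address.

```shell
#!/bin/sh
# Added example, not code from the original tutorial.
# Sample auth.log lines, constructed for this example from the message
# formats shown on the page plus an 'invalid user' line and a sudo line.
SAMPLE_AUTH_LOG='Jan 7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
Jan 7 17:31:36 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan 7 17:31:37 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan 7 22:38:04 ubuntu-server sshd[5073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1 user=root
Jan 7 22:38:06 ubuntu-server sshd[5073]: Failed password for root from 192.168.56.1 port 53875 ssh2
Jan 21 15:33:19 ubuntu-server sshd[2595]: Failed password for root from ::1 port 58866 ssh2
Jan 21 15:33:26 ubuntu-server sshd[2595]: message repeated 2 times: [ Failed password for root from ::1 port 58866 ssh2]
Jan 21 15:40:02 ubuntu-server sshd[2601]: Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2
Jan 21 15:41:00 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost= user=bob'

# Steps 3 and 4 of the tutorial as written: grep for the message, print field 11.
# Reads the log on standard input.
failed_ssh_sources_naive() {
    grep -i "Failed password" | awk '{ print $11 }'
}

# Hardened version: match only sshd lines carrying the "Failed password for"
# message, locate the word after "from" wherever it sits, honour the
# "message repeated N times" wrapper, and total attempts per source address.
failed_ssh_attempts() {
    awk '
        /sshd\[[0-9]+]: .*Failed password for/ {
            n = 1
            if (match($0, /message repeated [0-9]+ times/)) {
                split(substr($0, RSTART, RLENGTH), w, " ")
                n = w[3]            # the repeat count
            }
            for (i = 1; i < NF; i++)
                if ($i == "from") { attempts[$(i + 1)] += n; break }
        }
        END { for (ip in attempts) print attempts[ip], ip }
    ' | sort -rn
}

# Run both over the sample so the difference is visible.
echo "Naive (field 11):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_sources_naive
echo "Counted per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_attempts
```

On the sample, the naive function prints the words "Failed" and "admin" among the addresses, because the repeated-message wrapper and the 'invalid user' text shift every later field; the hardened function reports 4 attempts from 192.168.56.1, 3 from ::1 and 1 from 10.0.0.5. Matching on the program name and the message text, rather than on the word "fail" alone, also keeps the sudo and pam_unix failure lines out of the count.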
[1] http://en.wikipedia.org/wiki/Less_(Unix)