1 Analyzing SYSLOG

1.1 Editing, Analyzing Streams of Text

It is often extremely useful as a systems or network admin to be able to edit, display and count fields from streams of text, and log files are where this matters most. Luckily, Linux distributions like CentOS and Ubuntu come with tools for editing and searching streams of text already installed. In this tutorial, we will learn the basics of a few of these tools, starting with 'cat' and 'grep' and then combining them with 'awk':

1.1.1 CAT

root@ubuntu-server:/var/log# man cat
NAME
       cat - concatenate files and print on the standard output

SYNOPSIS
       cat [OPTION]... [FILE]...

DESCRIPTION
       Concatenate FILE(s), or standard input, to standard output.
...

1.1.2 Example: Show authentication attempts from 'auth.log'

root@ubuntu-server:~# cd /var/log
root@ubuntu-server:/var/log# cat auth.log

In this very simple example we will take a look at our 'auth.log'. To do so we will use the 'cat' tool.

root@ubuntu-server:/var/log# cat auth.log
Jan  5 15:48:51 ubuntu-server sshd[818]: Server listening on 0.0.0.0 port 22.
Jan  5 15:48:51 ubuntu-server sshd[818]: Server listening on :: port 22.
Jan  5 15:48:59 ubuntu-server login[899]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
Jan  5 15:53:14 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/dpkg-reconfigure -plow unattended-upgrades
Jan  5 15:53:14 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan  5 15:53:57 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan  5 16:17:01 ubuntu-server CRON[1249]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan  5 16:17:01 ubuntu-server CRON[1249]: pam_unix(cron:session): session closed for user root
Jan  5 16:18:08 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jan  5 16:18:08 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
...

1.1.3 Example: Using pipes and pagers

root@ubuntu-server:~# cd /var/log
root@ubuntu-server:/var/log# cat auth.log | less

In this example, we're doing something rather silly (silly because we don't strictly need 'cat'; 'less auth.log' does the same job) to illustrate a point. In the first example, we used 'cat' to look at the 'auth.log' file. You may have noticed that the output scrolled past too quickly to navigate and could not be searched. The usual solution is to pipe the output to a pager. A pager is a tool used to view (but not change) the contents of a text file one screen at a time. 1 In 'less', typing '/' followed by a pattern searches forward for it, 'n' jumps to the next match, and 'q' quits; the ':/fail' at the bottom of the listing below is exactly such a search being typed at the 'less' prompt.

Jan  6 09:25:07 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/network/interfaces
Jan  6 09:25:07 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan  6 09:25:19 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan  6 09:25:42 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/service networking restart
Jan  6 09:25:42 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan  6 09:25:42 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan  6 09:25:58 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/etc/init.d/networking restart
Jan  6 09:25:58 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan  6 09:25:58 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan  6 09:26:01 ubuntu-server sudo:      bob : TTY=tty1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
Jan  6 09:26:01 ubuntu-server sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Jan  6 09:26:01 ubuntu-server sudo: pam_unix(sudo:session): session closed for user root
Jan  6 09:27:57 ubuntu-server sshd[880]: Server listening on 0.0.0.0 port 22.
Jan  6 09:27:57 ubuntu-server sshd[880]: Server listening on :: port 22.
Jan  6 09:28:05 ubuntu-server login[997]: pam_unix(login:session): session opened for user bob by LOGIN(uid=0)
Jan  6 09:33:44 ubuntu-server sshd[1123]: Invalid user rotsted from 192.168.56.1
Jan  6 09:33:44 ubuntu-server sshd[1123]: input_userauth_request: invalid user rotsted [preauth]
:/fail

1.1.4 GREP

root@ubuntu-server:/var/log# man grep
NAME
       grep, egrep, fgrep, rgrep - print lines matching a pattern

SYNOPSIS
       grep [OPTIONS] PATTERN [FILE...]
       grep [OPTIONS] [-e PATTERN | -f FILE] [FILE...]

DESCRIPTION
       grep  searches the named input FILEs (or standard input if no files are named, or if a single hyphen-minus (-) is given as file name) for lines containing a match to the
       given PATTERN.  By default, grep prints the matching lines.

       In addition, three variant programs egrep, fgrep and rgrep are available.  egrep is the same as grep -E.  fgrep is the same as grep -F.  rgrep is the  same  as  grep -r.
       Direct invocation as either egrep or fgrep is deprecated, but is provided to allow historical applications that rely on them to run unmodified.
...

1.1.4.1 Example: 'grep' with a file as input, find failed logins

root@ubuntu-server:/var/log# grep -iF "fail" auth.log

In this example, we will search for failed authentication messages. We will use the following options:

-F, --fixed-strings
    Interpret PATTERN as a list of fixed strings, separated by newlines, any of which is to be matched.
-i, --ignore-case
    Ignore case distinctions in both the PATTERN and the input files.

Note that this matches every line containing "fail" in any case, so the output mixes console logins, 'sudo' prompts and 'sshd' messages. That is a useful first look, but it is too broad to count anything from; the next example narrows it down.

root@ubuntu-server:/var/log# grep -iF "fail" auth.log
Jan  6 09:24:14 ubuntu-server login[942]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
Jan  6 09:24:17 ubuntu-server login[942]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
Jan  6 09:24:22 ubuntu-server login[942]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= 
Jan  6 09:24:25 ubuntu-server login[942]: FAILED LOGIN (2) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
Jan  6 09:25:02 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/tty1 ruser=bob rhost=  user=bob
Jan  6 17:27:35 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Jan  7 13:36:09 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Jan  7 13:36:13 ubuntu-server sudo: pam_unix(sudo:auth): conversation failed
Jan  7 17:31:17 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob
Jan  7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2

1.1.4.2 Example: Extract IP for failed logins using awk

root@ubuntu-server:/var/log# grep -i "Failed password" auth.log | awk '{ print $11 }'

1. Find the 'sshd' logs that indicate a 'failed' login.

In the previous example, we used 'grep' to find all log messages with the term "fail" in them. Let's try that again; this time, let's only match messages that also contain the string 'sshd'. One way to accomplish this is to pipe one 'grep' into another:

root@ubuntu-server:/var/log# grep -iF "sshd" auth.log | grep -iF "fail"
Jan  7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
Jan  7 17:31:22 ubuntu-server sshd[4465]: Failed password for root from 192.168.56.1 port 59379 ssh2
Jan  7 17:31:36 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan  7 17:31:37 ubuntu-server sshd[4473]: Failed password for root from 192.168.56.1 port 59383 ssh2
Jan  7 22:38:04 ubuntu-server sshd[5073]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1  user=root
Jan  7 22:38:06 ubuntu-server sshd[5073]: Failed password for root from 192.168.56.1 port 53875 ssh2
Jan 21 15:33:17 ubuntu-server sshd[2595]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root
Jan 21 15:33:19 ubuntu-server sshd[2595]: Failed password for root from ::1 port 58866 ssh2
Jan 21 15:33:26 ubuntu-server sshd[2595]: message repeated 2 times: [ Failed password for root from ::1 port 58866 ssh2]
Jan 21 15:33:26 ubuntu-server sshd[2595]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=root

2. Now that we know the format of these messages, find the field number for the source IP. 'awk' splits each line on runs of whitespace by default, so count the whitespace-separated words:

1    2 3        4             5           6      7        8   9    10   11           12   13    14  
Jan  7 22:38:06 ubuntu-server sshd[5073]: Failed password for root from 192.168.56.1 port 53875 ssh2

3. Craft an 'awk' command that will extract the 11th field.

Be aware that this relies on every matching line having exactly the layout above. An attempt against an account that does not exist is logged as "Failed password for invalid user NAME from ADDRESS ...", which pushes the address to field 13, and a "message repeated N times: [ ... ]" line (as seen in the output above) pushes everything further right, so on those lines $11 prints a username or the word "Failed" instead of an address. Always compare the extracted column against the raw lines before trusting a count built on it.

4. Execute the command!

root@ubuntu-server:/var/log# grep -i "Failed password" auth.log | awk '{ print $11 }'
192.168.56.1
192.168.56.1
192.168.56.1
192.168.56.1
192.168.56.1
::1
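To make the extraction hold up on the other line shapes 'sshd' produces, and to turn the list of addresses into a per-source count (the "count fields" part of this tutorial), here is an added example that is not part of the original tutorial. It runs the naive '$11' pipeline from step 4 and a more robust 'awk' program side by side over a constructed sample of 'auth.log' lines; the sample lines, the hostname and the addresses in them are made up for this example and are not taken from the log above.

```shell
#!/bin/sh
# Added example: constructed auth.log lines (not from a real host) covering the
# three sshd message shapes that break a fixed "$11" column:
#   - a plain failure               (address is field 11)
#   - an "invalid user" failure     (fields shift right by two, address is field 13)
#   - a "message repeated N times: [ ... ]" wrapper (fields shift right by five)
# plus a sudo failure that must not be counted as an SSH attempt at all.
SAMPLE_AUTH_LOG='Jan  7 22:38:06 ubuntu-server sshd[5073]: Failed password for root from 192.168.56.1 port 53875 ssh2
Jan  7 22:39:10 ubuntu-server sshd[5080]: Failed password for invalid user admin from 10.0.0.7 port 40122 ssh2
Jan 21 15:33:19 ubuntu-server sshd[2595]: Failed password for root from ::1 port 58866 ssh2
Jan 21 15:33:26 ubuntu-server sshd[2595]: message repeated 2 times: [ Failed password for root from ::1 port 58866 ssh2]
Jan 21 15:34:00 ubuntu-server sudo: pam_unix(sudo:auth): authentication failure; logname=bob uid=1000 euid=0 tty=/dev/pts/0 ruser=bob rhost=  user=bob'

# The tutorial's pipeline: assumes the source address is always field 11.
# On the sample it prints "admin" and "Failed" where an address belongs.
naive_failed_ips() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | grep -i "Failed password" | awk '{ print $11 }'
}

# Robust version: restrict to sshd lines, take the token after the literal
# word "from" instead of trusting a column number, and weight a
# "message repeated N times" line by N. Output is "COUNT ADDRESS",
# most active source first.
failed_ip_counts() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" |
    awk '
        /sshd\[[0-9]+]: .*Failed password for/ {
            n = 1
            if ($6 == "message" && $7 == "repeated") n = $8 + 0
            for (i = 1; i < NF; i++) {
                if ($i == "from") { count[$(i + 1)] += n; break }
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Stand-alone run: show both so the difference is visible.
echo "naive (\$11):"
naive_failed_ips
echo "robust counts:"
failed_ip_counts
```

Run it with 'sh'. The naive column prints four lines, two of which are not addresses at all, while 'failed_ip_counts' reports '3 ::1' first because it adds the two repeats folded into the "message repeated" line, and it ignores the 'sudo' failure. Against a real 'auth.log', replace the 'printf' of the sample with 'cat /var/log/auth.log' in either function.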

  1. http://en.wikipedia.org/wiki/Less_(Unix)