topic Re: scripting help in Operating System - Linux

scripting help

lawrenzo — Wed, 13 Dec 2006 06:17:40 GMT

I am attempting to gather some information from a logfile but am struggling with displaying all the info I require, my logfile looks like this:

Dec 12 08:15:11 syslog: pts/182: failed login attempt for from

I created the below script which displays some of the info I require:

# set environment

frep=/home/sysadmcl/scripts/build/fail.rep
logrep=/home/sysadmcl/scripts/build/failed.out
fout=/home/sysadmcl/scripts/build/failed.count

for i in `awk '{print $13}' $frep |sort -u`
do

COUNT=`grep $i $frep |wc -l`

print $i $COUNT

done > $fout

while read ip num
do
if [ $num -gt 3 ] ; then

print $ip "has an unexceptable number of failed logins of" $num "attempts"

fi

done < $fout

--> ./check_sec.sc
has an unexceptable number of failed logins of 4 attempts
has an unexceptable number of failed logins of 5 attempts

This works great however can someone help me by getting the script to display each user that has failed from each ip eg:
--> ./check_sec.sc
has an unexceptable number of failed logins of 4 attempts
failed x times
faield x times

has an unexceptable number of failed logins of 5 attempts
failed x times

I am sure the solution is pretty simple but I just can get it.

Thanks guys.

Chris.

Re: scripting help

H.Merijn Brand (procura — Wed, 13 Dec 2006 06:51:39 GMT

--8<--- untested braindump
#!/usr/bin/perl

use strict;
use warnings;

my $frep = "/home/sysadmcl/scripts/build/fail.rep";
my $logrep = "/home/sysadmcl/scripts/build/failed.out";
my $fout = "/home/sysadmcl/scripts/build/failed.count";

my %fail;
{ local @ARGV = ($frep);
while (<>) {
m{failed login attempt for\s+(.*?)\s+from\s+(\S+)} or next;
$fail{$2}{$1}++;
}
}

foreach my $ip (sort keys %fail) {
my ($n, @fail) = (0);
foreach my $user (sort keys %{$fail{$ip}}) {
(my $f = $fail{$ip}{$user}) <= 2 and next;
push @fail, [ $user, $f ];
$n += $f;
}
@fail or next;
print "$ip as an unexceptable number of $n failed logins:\n";
print " ", $_->[0], " failed ", $_->[1], " times\n" for @fail;
}
-->8---

Enjoy, Have FUN! H.Merijn

Re: scripting help

Peter Godron — Wed, 13 Dec 2006 07:03:47 GMT

Chris,
insert after your
print $ip "has ..."

the line
grep $ip $frep | uniq -c | awk '{print "user "$12" failed "$1" times"}'

Relies on same assumption as your grep for COUNT.

Re: scripting help

lawrenzo — Wed, 13 Dec 2006 09:32:07 GMT

Thanks guys,

as I dont know the world of perl yet I choose not to use the sytax however thanks for the idea.

Peter, I used your solution ( or a variation of it) and works great:

# set environment

frep=/home/scripts/build/fail.rep
logrep=/home/scripts/build/failed.out
fout=/home/scripts/build/failed.count

for i in `awk '{print $13}' $frep |sort -u`
do

COUNT=`grep $i $frep |wc -l`

print $i $COUNT

done > $fout

while read ip num
do
if [ $num -gt 3 ] ; then

echo "------------------------------------------------------------------"
print "$ip an unaccceptable number of failed logins of" $num "attempts\n"
grep $ip $frep |awk '{print $11,$13}' |uniq -c |awk '{print "user " $2" failed " $1 " times"}'

fi

done < $fout

echo "------------------------------------------------------------------"

now I would like to see if I can make the script more efficient by either using arrays or awk.

any feedback would be great for my future scripts .....

cheers

output of script:

--> ./check_sec.sc
------------------------------------------------------------------
an unacceptable number of failed logins of 4 attempts

user x failed 2 times
user UNKNOWN_USER failed 1 times
user y failed 1 times
------------------------------------------------------------------
an unexceptable number of failed logins of 5 attempts

user a failed 4 times
user b failed 1 times
------------------------------------------------------------------

Re: scripting help

Hein van den Heuvel — Wed, 13 Dec 2006 09:38:24 GMT

>>> any feedback would be great for my future scripts .....

With that in mind:

>> as I dont know the world of perl yet I choose not to use the sytax however thanks for the idea.

Please reconsider.
It gets the job done, it will be fast, and Procura is the best in space.
Read for 5 minutes and see that you can mainitain/alter it as needed.

>> now I would like to see if I can make the script more efficient by either using arrays or awk.

That's what the perl code does, better than awk could.

Take this script as an excuse to pick up perl. Read this forum and other notes and keep your eyes open for other (more simple) perl scripts. You'll never look back!

Cheers,
Hein.

Re: scripting help

lawrenzo — Wed, 13 Dec 2006 09:46:20 GMT

appreciate your comments Hein but in the world of sysadm and server support it is quite difficult to progress with perl and other programming ....

especially when technologies are always advancing and theres always so much to learn.

one day maybe I will get some time to develop my scripting skills..

o(+_+)o

Chris

Re: scripting help

James R. Ferguson — Wed, 13 Dec 2006 11:08:37 GMT

Hi Chris:

I see "red flags" whenever I see a pipeline that has 'grep' followed by 'awk'. There is no need to spawn a separate process ('grep') when 'awk' can do the pattern matching, extraction and formatting.

At least, change:

# grep $ip $frep |awk '{print $11,$13}' |uniq -c|awk '{print "user " $2" failed " $1 " times"}'

...to:

# awk -v ip=${ip} '{if ($0~ip) {print $11,$13}}' ${frep}|uniq -c|awk '{print "user " $2" failed " $1 " times"}'

Regards!

...JRF...

Re: scripting help

lawrenzo — Wed, 13 Dec 2006 11:13:34 GMT

Thanks James,

Just what I was looking for ...

I will consider this going forward.

Chris.