help me write a script

Maaz
Valued Contributor

# tail -20 /var/log/messages |grep "Authentication failure for root"
Sep 4 12:26:05 gateway sshd[5882]: error: PAM: Authentication failure for root from 192.168.0.6

I have to write a script that creates a loginfailure_"$(date +%m-%d-%y)" file daily (daily via cron). The script only redirects the root login failures to this file (loginfailure_"$(date +%m-%d-%y)") on a daily basis.

i.e. "loginfailure_09-04-08" only contains the login failures of the root account of "Sep 4" only.

and "loginfailure_09-05-08" only contains the login failures of the root account of "Sep 5" only.

Please help.
Regards
4 REPLIES
James R. Ferguson
Acclaimed Contributor
Solution

Re: help me write a script

Hi Maaz:

This could be as simple as:

# grep "$(date '+%b %e')" /var/log/messages | grep "Authentication failure for root" > loginfailure_$(date +%m-%d-%y)

Regards!

...JRF...
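
The one-liner above, expanded into a script suitable for cron, as an added example that is not part of the original thread. It assumes syslog lines in the "Mon D HH:MM:SS" layout shown in the question; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: daily report of failed root logins, meant to be run from cron.

# Print the root authentication failures that LOGFILE recorded on MONTH DAY.
# awk splits on runs of blanks, so "Sep  4" and "Sep 4" both match, and the
# trailing " from " keeps accounts such as "rootbackup" out of the report.
root_failures() {  # usage: root_failures LOGFILE MONTH DAY
    awk -v mon="$2" -v day="$3" '
        $1 == mon && $2 + 0 == day + 0 &&
        index($0, "Authentication failure for root from ")' "$1"
}

# Count failures per source address, busiest first.
failures_by_source() {  # reads root_failures output on stdin
    awk '{ n[$NF]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2
}

# Write today's report into OUTDIR and print the file name.
# LC_ALL=C keeps the month abbreviation in the form syslog writes.
write_daily_report() {  # usage: write_daily_report LOGFILE OUTDIR
    out="$2/loginfailure_$(date +%m-%d-%y)"
    root_failures "$1" "$(LC_ALL=C date +%b)" "$(date +%d)" > "$out"
    echo "$out"
}

# Constructed sample log (not from a real system) for trying the functions.
sample_log() {
    cat <<'EOF'
Sep  4 12:26:05 gateway sshd[5882]: error: PAM: Authentication failure for root from 192.168.0.6
Sep  4 12:27:11 gateway sshd[5890]: error: PAM: Authentication failure for rootbackup from 192.168.0.6
Sep  4 12:30:42 gateway sshd[5901]: error: PAM: Authentication failure for root from 192.168.0.9
Sep  4 12:31:02 gateway sshd[5903]: error: PAM: Authentication failure for root from 192.168.0.6
Sep  5 09:45:59 gateway sshd[6120]: error: PAM: Authentication failure for root from 192.168.0.6
Sep 14 08:00:00 gateway sshd[7001]: error: PAM: Authentication failure for root from 192.168.0.7
EOF
}
```

Because the report covers the current date only, the cron entry that calls write_daily_report should run shortly before midnight.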

Court Campbell
Honored Contributor

Re: help me write a script

You could also touch /var/log/btmp and then use lastb. Then use:

lastb root | grep "$(date '+%a %b %Oe')"

"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Maaz
Valued Contributor

Re: help me write a script

James R. Ferguson, nice help ;) Thanks a lot.

Dear Court Campbell, thanks for the support, but the following doesn't work:

# touch /var/log/btmp
# lastb root | grep "$(date '+%a %b %Oe')"
btmp begins Fri Sep 5 09:45:59 2008


Thanks once again.
Regards
Maaz
Court Campbell
Honored Contributor

Re: help me write a script

Well, you have to have some failed root logins first. You can create the file and expect to have a failed login that quickly. And I am not saying that means it's impossible. I bet if you run it again later you will see something. Also, getting nothing means root didn't have any failed logins.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"