Re: scripting help

lawrenzo
Trusted Contributor

scripting help

I am attempting to gather some information from a logfile but am struggling with displaying all the info I require. My logfile looks like this:

Dec 12 08:15:11 syslog: pts/182: failed login attempt for from

I created the below script which displays some of the info I require:

# set environment

frep=/home/sysadmcl/scripts/build/fail.rep
logrep=/home/sysadmcl/scripts/build/failed.out
fout=/home/sysadmcl/scripts/build/failed.count

# pass 1: one line per source address (field 13) with its total number of failed logins
for i in `awk '{print $13}' $frep |sort -u`
do

COUNT=`grep $i $frep |wc -l`

print $i $COUNT

done > $fout

# pass 2: report the addresses over the threshold
while read ip num
do
if [ $num -gt 3 ] ; then

print $ip "has an unacceptable number of failed logins of" $num "attempts"

fi

done < $fout


--> ./check_sec.sc
has an unacceptable number of failed logins of 4 attempts
has an unacceptable number of failed logins of 5 attempts

This works great; however, can someone help me get the script to display each user that has failed from each IP, e.g.:
--> ./check_sec.sc
has an unacceptable number of failed logins of 4 attempts
failed x times
failed x times

has an unacceptable number of failed logins of 5 attempts
failed x times

I am sure the solution is pretty simple but I just can't get it.

Thanks guys.

Chris.
hello
H.Merijn Brand (procura)
Honored Contributor

Re: scripting help

--8<--- untested braindump
#!/usr/bin/perl

use strict;
use warnings;

my $frep   = "/home/sysadmcl/scripts/build/fail.rep";
my $logrep = "/home/sysadmcl/scripts/build/failed.out";
my $fout   = "/home/sysadmcl/scripts/build/failed.count";

# $fail{ip}{user} = number of failed attempts for that user from that ip
my %fail;
{   local @ARGV = ($frep);
    while (<>) {
        m{failed login attempt for\s+(.*?)\s+from\s+(\S+)} or next;
        $fail{$2}{$1}++;
    }
}

foreach my $ip (sort keys %fail) {
    my ($n, @fail) = (0);
    foreach my $user (sort keys %{$fail{$ip}}) {
        (my $f = $fail{$ip}{$user}) <= 2 and next;   # only users with more than 2 failures
        push @fail, [ $user, $f ];
        $n += $f;
    }
    @fail or next;
    print "$ip has an unacceptable number of $n failed logins:\n";
    print " ", $_->[0], " failed ", $_->[1], " times\n" for @fail;
}
-->8---

Enjoy, Have FUN! H.Merijn
Peter Godron
Honored Contributor

Re: scripting help

Chris,
insert after your
print $ip "has ..."

the line
grep $ip $frep | uniq -c | awk '{print "user "$12" failed "$1" times"}'

Relies on same assumption as your grep for COUNT.


lawrenzo
Trusted Contributor

Re: scripting help

Thanks guys,

as I don't know the world of Perl yet I chose not to use the syntax; however, thanks for the idea.

Peter, I used your solution (or a variation of it) and it works great:

# set environment

frep=/home/scripts/build/fail.rep
logrep=/home/scripts/build/failed.out
fout=/home/scripts/build/failed.count

# pass 1: total failed logins per source address (field 13)
for i in `awk '{print $13}' $frep |sort -u`
do

COUNT=`grep $i $frep |wc -l`

print $i $COUNT

done > $fout

# pass 2: for each address over the threshold, break the failures down per user (field 11)
while read ip num
do
if [ $num -gt 3 ] ; then

echo "------------------------------------------------------------------"
print "$ip has an unacceptable number of failed logins of" $num "attempts\n"
grep $ip $frep |awk '{print $11,$13}' |uniq -c |awk '{print "user " $2" failed " $1 " times"}'

fi

done < $fout

echo "------------------------------------------------------------------"

now I would like to see if I can make the script more efficient by either using arrays or awk.

any feedback would be great for my future scripts .....

cheers

output of script:

--> ./check_sec.sc
------------------------------------------------------------------
has an unacceptable number of failed logins of 4 attempts

user x failed 2 times
user UNKNOWN_USER failed 1 times
user y failed 1 times
------------------------------------------------------------------
has an unacceptable number of failed logins of 5 attempts

user a failed 4 times
user b failed 1 times
------------------------------------------------------------------
Hein van den Heuvel
Honored Contributor

Re: scripting help

>>> any feedback would be great for my future scripts .....

With that in mind:

>> as I dont know the world of perl yet I choose not to use the sytax however thanks for the idea.

Please reconsider.
It gets the job done, it will be fast, and Procura is the best in space.
Read for 5 minutes and see that you can maintain/alter it as needed.

>> now I would like to see if I can make the script more efficient by either using arrays or awk.

That's what the perl code does, better than awk could.

Take this script as an excuse to pick up perl. Read this forum and other notes and keep your eyes open for other (more simple) perl scripts. You'll never look back!

Cheers,
Hein.
lawrenzo
Trusted Contributor

Re: scripting help

appreciate your comments Hein but in the world of sysadm and server support it is quite difficult to progress with Perl and other programming ....

especially when technologies are always advancing and there's always so much to learn.

one day maybe I will get some time to develop my scripting skills..

o(+_+)o

Chris
James R. Ferguson
Acclaimed Contributor
Solution

Re: scripting help

Hi Chris:

I see "red flags" whenever I see a pipeline that has 'grep' followed by 'awk'. There is no need to spawn a separate process ('grep') when 'awk' can do the pattern matching, extraction and formatting.

At least, change:

# grep $ip $frep |awk '{print $11,$13}' |uniq -c|awk '{print "user " $2" failed " $1 " times"}'

...to:

# awk -v ip=${ip} '{if ($0~ip) {print $11,$13}}' ${frep}|uniq -c|awk '{print "user " $2" failed " $1 " times"}'

Regards!

...JRF...


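Added example, not code from any post in this thread: the whole report (per-address totals, the threshold, and the per-user breakdown from Chris's second script and James's grep-free variant) done in a single awk pass, written as a POSIX sh function. The sample log is constructed here and assumes the line layout "timestamp host syslog: tty: failed login attempt for USER from IP", which is what the $11/$13 field numbers in the thread's scripts imply; the awk code locates the "for USER from IP" tokens by keyword instead of by fixed field number, so it does not actually depend on that. Two things it handles that the thread's pipelines do not: the address is compared as a whole string, so 10.1.1.1 never collects the lines for 10.1.1.10 the way `grep $ip` or `$0 ~ ip` does, and per-user counts are kept in arrays, so `uniq -c` and its requirement that identical lines be adjacent go away.

```shell
#!/bin/sh
# Added example (not from the thread): one awk pass replaces the
# grep | wc -l and grep | awk | uniq -c pipelines.  It keeps a per-address
# total and a per-address, per-user count, then prints the report for every
# address above the threshold, in first-seen order.

# Constructed sample log.  Assumed format: "timestamp host syslog: tty:
# failed login attempt for USER from IP" (what $11/$13 in the thread's
# scripts imply).  10.1.1.10 is there to show that 10.1.1.1 is not matched
# as a prefix; the last line is deliberately malformed (empty user field).
make_sample_log() {
    cat <<'EOF'
Dec 12 08:15:11 hpux1 syslog: pts/182: failed login attempt for root from 10.1.1.1
Dec 12 08:15:14 hpux1 syslog: pts/182: failed login attempt for root from 10.1.1.1
Dec 12 08:15:20 hpux1 syslog: pts/183: failed login attempt for root from 10.1.1.10
Dec 12 08:15:31 hpux1 syslog: pts/182: failed login attempt for oracle from 10.1.1.1
Dec 12 08:16:02 hpux1 syslog: pts/184: failed login attempt for admin from 192.168.5.7
Dec 12 08:16:05 hpux1 syslog: pts/184: failed login attempt for admin from 192.168.5.7
Dec 12 08:16:09 hpux1 syslog: pts/185: failed login attempt for root from 10.1.1.1
Dec 12 08:16:11 hpux1 syslog: pts/184: failed login attempt for admin from 192.168.5.7
Dec 12 08:16:15 hpux1 syslog: pts/184: failed login attempt for admin from 192.168.5.7
Dec 12 08:16:20 hpux1 syslog: pts/183: failed login attempt for root from 10.1.1.10
Dec 12 08:16:22 hpux1 syslog: pts/184: failed login attempt for admin from 192.168.5.7
Dec 12 08:16:40 hpux1 syslog: pts/186: failed login attempt for UNKNOWN_USER from 10.1.1.2
Dec 12 08:17:00 hpux1 sshd[4321]: Accepted publickey for chris from 10.1.1.3
Dec 12 08:17:30 hpux1 syslog: pts/187: failed login attempt for from
EOF
}

# report_failed_logins THRESHOLD < logfile
# Prints each source address with more than THRESHOLD failed logins,
# followed by the per-user breakdown for that address.
report_failed_logins() {
    awk -v limit="${1:-3}" '
    /failed login attempt for/ {
        # Find "for USER from IP" by its keywords rather than by fixed
        # field numbers, so an extra token earlier in the line (hostname,
        # pid) cannot shift the extraction.
        ip = ""
        for (i = 1; i <= NF - 3; i++) {
            if ($i == "for" && $(i + 2) == "from") {
                user = $(i + 1); ip = $(i + 3); break
            }
        }
        if (ip == "") next               # malformed line: skip it
        if (!(ip in total)) ips[++nip] = ip   # remember first-seen order
        total[ip]++
        if (!((ip, user) in peruser)) users[ip] = users[ip] " " user
        peruser[ip, user]++
    }
    END {
        for (n = 1; n <= nip; n++) {
            ip = ips[n]
            if (total[ip] <= limit) continue   # exact, whole-string key
            print "------------------------------------------------------------------"
            print ip " has an unacceptable number of failed logins of " total[ip] " attempts"
            nu = split(users[ip], ulist, " ")
            for (j = 1; j <= nu; j++)
                print "user " ulist[j] " failed " peruser[ip, ulist[j]] " times"
        }
    }'
}

# Run the report over the constructed log with the thread's threshold of 3.
make_sample_log | report_failed_logins 3
```

Against the constructed log this reports 10.1.1.1 (4 attempts: root 3, oracle 1) and 192.168.5.7 (5 attempts: admin 5); 10.1.1.10 stays at its own 2 attempts instead of being folded into 10.1.1.1, and the malformed last line is dropped rather than producing a "user from" entry. With a real file the call is `report_failed_logins 3 < "$frep"`.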
lawrenzo
Trusted Contributor

Re: scripting help

Thanks James,

Just what I was looking for ...

I will consider this going forward.

Chris.