Extract IP addresses

hazno · March 24, 2009, 3:12am

The only way I could extract the user names and 'from' IP addresses is to use a few temp files. Split up by 'Failed keyboard-interactive' and 'Failed password'.

Anyone have any idea to do this all in one go?

aaa.bbb.ccc.ddd   2009-03-23 01:28:33     sshd[16272]: Failed keyboard-interactive/pam for invalid user jkljlkjlj from 111.222.333.444 port 52095 ssh2
aaa.bbb.ccc.ddd  2009-03-23 03:33:10     sshd[16648]: Failed password for invalid user oracle from 222.333.444.555 port 29093 ssh2
aaa.bbb.ccc.ddd   2009-03-23 05:23:53     sshd[17589]: Failed password for root from 333.444.555.666 port 59095 ssh2

Ideally, I am looking at the following columns:

Timestamp UserName SourceIP

From both of these 2 types of authentication log entries.

pludi · March 24, 2009, 3:23am

$ cat bla.log
aaa.bbb.ccc.ddd   2009-03-23 01:28:33     sshd[16272]: Failed keyboard-interactive/pam for invalid user jkljlkjlj from 111.222.333.444 port 52095 ssh2
aaa.bbb.ccc.ddd  2009-03-23 03:33:10     sshd[16648]: Failed password for invalid user oracle from 222.333.444.555 port 29093 ssh2
aaa.bbb.ccc.ddd   2009-03-23 05:23:53     sshd[17589]: Failed password for root from 333.444.555.666 port 59095 ssh2
$
$ perl -pe 's/.*\s(\d{4}-\d{2}-\d{2} .*?)\s.*(user|for) (.*?) from (.*?) .*/$1 $3 $4/' bla.log
2009-03-23 01:28:33 jkljlkjlj 111.222.333.444
2009-03-23 03:33:10 oracle 222.333.444.555
2009-03-23 05:23:53 root 333.444.555.666
$

hazno · March 24, 2009, 8:56pm

awesome thanks.