Extracting relevant information from syslogs.

I need to analyse some syslogs and I want to print out all the lines containing SSH connections to the inside interface of the firewall and ignore lines where the originating port is 22. So basically I want to print all matches after "to inside:" that contain /22 and ignore lines where /22 occurs before "to inside:"

Before:

Teardown TCP connection 1595221765 for outside:10.35.22.20/22 to inside:10.33.249.82/1373 duration 0:25:10 bytes 119889 TCP FINs
Teardown TCP connection 1596165459 for outside:10.94.27.204/22 to inside:10.35.249.82/1558 duration 0:25:09 bytes 316401 TCP FINs
Teardown TCP connection 1597641639 for outside:123.32.168.219/10365 to inside:10.88.38.232/22 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 1598227499 for outside:10.40.223.47/22 to inside:10.77.68.82/1804 duration 1:08:48 bytes 42429 TCP FINs
Teardown TCP connection 1597660611 for outside:10.93.226.150/22 to inside:10.43.249.82/1761 duration 1:31:26 bytes 25733 TCP FINs
Teardown TCP connection 1605038930 for outside:103.33.241.216/12995 to inside:10.5.36.232/22 duration 0:00:30 bytes 0 SYN Timeout

After:

Teardown TCP connection 1597641639 for outside:123.32.168.219/10365 to inside:10.88.38.232/22 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 1605038930 for outside:103.33.241.216/12995 to inside:10.5.36.232/22 duration 0:00:30 bytes 0 SYN Timeout

Try...

egrep 'inside:[0-9\.]+/22' file

This is great, thanks, and it is getting me close to what I am looking for. However, how can I limit it to strictly /22 as per the following example:

cat file.txt | grep -e "/22\>"

---------- Post updated at 01:04 PM ---------- Previous update was at 12:31 PM ----------

I found a solution, I added \s to include the white space after 22 and now it is working perfectly, thanks :)

egrep 'inside:[0-9\.]+/22\s' file
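As an added example (not part of the thread), a shell script that applies the thread's final pattern to constructed sample lines and also shows an awk variant that compares the port after "to inside:" numerically; both reject /220-style ports and still match a /22 that falls at the very end of a line, which the `\s` version would miss.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): filter firewall teardown lines for
# SSH connections *to* the inside interface, i.e. where the port after
# "to inside:<ip>/" is exactly 22. Lines where /22 is the outside
# (source) port, and ports that merely start with 22 (/220, /2222), are
# ignored.

# Constructed sample log lines in the same format as the thread.
SAMPLE_LOG='Teardown TCP connection 1595221765 for outside:10.35.22.20/22 to inside:10.33.249.82/1373 duration 0:25:10 bytes 119889 TCP FINs
Teardown TCP connection 1597641639 for outside:123.32.168.219/10365 to inside:10.88.38.232/22 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 1605038930 for outside:103.33.241.216/12995 to inside:10.5.36.232/22 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 1605038931 for outside:198.51.100.7/40000 to inside:10.5.36.233/2222 duration 0:00:01 bytes 0 SYN Timeout
Teardown TCP connection 1605038932 for outside:198.51.100.8/40001 to inside:10.5.36.234/22'

# Regex version: the thread's final pattern, with "( |$)" instead of "\s"
# so a /22 at the very end of a line still matches and /220 does not.
ssh_to_inside_grep() {
  grep -E 'to inside:[0-9.]+/22( |$)'
}

# Field-parsing version: find the "inside:" token that follows "to",
# split it on "/" and compare the port numerically. This does not depend
# on what character follows the port.
ssh_to_inside_awk() {
  awk '{
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^inside:/ && $(i-1) == "to") {
        split($i, parts, "/")
        if (parts[2] + 0 == 22) { print; break }
      }
    }
  }'
}

# Counts of matching sample lines, so results can be checked by value.
count_ssh_to_inside_awk() {
  printf '%s\n' "$SAMPLE_LOG" | ssh_to_inside_awk | wc -l | tr -d ' '
}

count_ssh_to_inside_grep() {
  printf '%s\n' "$SAMPLE_LOG" | ssh_to_inside_grep | wc -l | tr -d ' '
}

# Run stand-alone: print the matching lines.
printf '%s\n' "$SAMPLE_LOG" | ssh_to_inside_awk
```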