Help parsing logs maybe with menu and variables?

I would like to parse through some logs looking for things like exception or failed (grep -i failed). Ideal would be if it were in a menu format so someone without unix ability could just choose option 1 2 or 3 etc. If I could pass the hostname to a variable also that would be awesome, so someone could input the hostname and the script would know for hostname 'name' do the following stuff, look through the logs and find exceptions? I appreciate anyone's help, I'm not very good at scripts. Thanks.

This is some info on the server (pwd). Oh, since there are so many logs, it would be nice if it could do it by day, maybe pass the date to a variable or something like that so someone could search by date?

archive]$ pwd
/home/username/current_release/logs/archive
 archive]$ ls -al

dassimulator.eif.2009_245_155007.381.log   demo-sdif.ops.2009_252_190302.853.log
demo-dsdm.ops.2009_260_123941.256.log      demo-snif.ops.2009_260_135053.210.log
demo-HMD-sdif.ops.2009_260_133644.200.log  demo-sve.ops.2009_260_135208.928.log
demo-sam.ops.2009_259_231215.066.log

---------- Post updated at 02:25 PM ---------- Previous update was at 11:32 AM ----------

Also, if you write a script and do this:

Output is a filename
If I want to take that filename and pass it to grep -i failure
so I can see which files had failures? How can I do that?
I tried |grep -i failure but it didn't work, also < grep -i failure didn't work.

I would probably send all the logs to a syslog server and then use splunk to parse through them. It's a more generic solution that's already been written.

I'm sorry, I don't think we have a syslog server. This is a small operation. I just need a menu to parse through the logs, maybe pick up the date and hostname and put them in variables to use with the menu. :)

Can anyone please help? Thanks.

I'm not sure a syslog server is actually required. Have you at least looked at splunk?

OK, I now have a menu script I got here from someone else. I want to change the menu a bit though.

It looks like this:

$ cat menu.sh
#!/bin/bash
#set -vx

while :
do
clear
# Display menu
echo
echo ""
echo "Please choose from the following options; type the"
echo "option number and hit the <Enter> key."
echo
echo " 1) To list names of the log files in the current DIR"
echo " 2) Display today's date and time"
echo " 3) Display a sorted list of people currently logged on"
echo " 4) Display whether a file is a file or a DIR"
echo " 5) Create a backup for a file"
echo " 6) Find a user by First of Last name in /etc/passwd file"
echo " 7) Find the manual pages for a specific command"
echo " 8) Exit"
echo
echo ""
# Read the option number typed by the user
read option
case "$option" in
1) echo "The files in the current DIR are: "
ls -al
echo "Hit <Enter> to continue."
read ignore
;;
2) echo "The current date is: "
date
echo "Hit <Enter> to continue."
read ignore
;;

At this point, I'd like to change the menu to do this:

echo ---------------------------------
cd /var/log
# /var/log/secure section
# grep reads the file itself; piping it through cat adds nothing
grep -i 'password check failed' /var/log/secure | awk '{print $1,$2,$3,$6,$7,$8,$11}' | sort -u | more
echo "password check failed: $(grep -ic 'password check failed' /var/log/secure)"
grep -i 'sudo' /var/log/secure | awk '{print $1,$2,$3,$7,$8,$9,$10}' | sort -u
# echo ignores its stdin, so `wc -l | echo sudo used` throws the count away; capture it instead
echo "sudo used: $(grep -ic 'sudo' /var/log/secure)"

# -w matches su as a whole word; a bare 'su' also matches sudo, user, session...
grep -iw 'su' /var/log/secure | awk '{print $1,$2,$3,$5,$7,$8,$11}' | sort -u
grep -i 'authentication failure' /var/log/secure | awk '{print $1,$2,$3,$13}' | sort -u
grep -i 'rhost' /var/log/secure | sort -u

grep -i 'could not identify password' /var/log/secure | awk '{print $1,$2,$3,$13}' | sort -u

esac
done

I want it to cat the files and grep for certain items? Do I need another read statement? What should it be? I'd like to get this done today, as my meeting is in 4 hours. Any help would be appreciated. I tried this and it didn't work:

4) echo "Display problems with /var/log/secure and messages"
# read fdname
# if [ ! -e $fdname ]; then
#   echo "$fdname does not exist."
# elif [ -d $fdname ]; then
#   echo "$fdname is a directory."
# elif [ -f $fdname ]; then
#   echo "$fdname is a regular file."
# else
#   echo "$fdname is something else."
# fi
# echo "Hit <Enter> to continue."
# read ignore
# ;;

echo ---------------------------------
cd /var/log
# /var/log/secure section
cat /var/log/secure |grep -i 'password check failed'|awk '{print $1,$2,$3,$6,$7,$8,$11}'|sort -u|more
cat /var/log/secure |grep -i 'password check failed'|wc -l |awk '{print $0}'
cat /var/log/secure |grep -i 'sudo'|awk '{print $1,$2,$3,$7,$8,$9,$10}'|sort -u
cat /var/log/secure |grep -i 'sudo'|wc -l |echo sudo used

cat /var/log/secure |grep -i 'su'|awk '{print $1,$2,$3,$5,$7,$8,$11}'|sort -u
cat /var/log/secure |grep -i 'authentication failure'|awk '{print $1,$2,$3,$13}'|sort -u
cat /var/log/secure |grep -i 'rhost'|sort -u

cat /var/log/secure |grep -i 'could not identify password' |awk '{print $1,$2,$3,$13}'|sort -u

esac
done
8) echo "Have a nice day"
sleep 1.5
break
;;

Thanks.
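The thread never reaches a working version, so here is an added example (my code, not the poster's menu.sh or anything else from the thread) that does what the first post asks for: a menu over a log archive, with the host and the date held in variables that are read once before the loop rather than inside each case, a search that reports which files contain "failed" or "exception", and an auth-log summary that replaces the `wc -l | echo sudo used` pipeline (echo ignores its stdin, so that line prints the label and drops the count). Assumptions not in the thread: the part of each filename before the first dot is taken as the host tag and the `YYYY_DDD` part as year and day of year, `LOGDIR` and `SECURE_LOG` are variable names I made up, and the sample log lines are constructed.

```shell
#!/bin/bash
# Added example, not the poster's menu.sh: a menu that searches a log archive
# for failure indicators, narrowed by host tag and date, plus an auth-log
# summary that replaces the broken `wc -l | echo label` pipeline from the thread.
#
# Assumptions (constructed for this example, not stated in the thread):
#  - log names look like <tag>.<component>.<YYYY>_<DDD>_<hhmmss>.<ms>.log as in
#    the poster's listing; <tag> (before the first dot) is treated as the host
#    name and <YYYY>_<DDD> (year and day of year) as the date.
#  - LOGDIR points at the archive and SECURE_LOG at the auth log; when LOGDIR
#    is unset, a temp directory with constructed sample logs is used instead.

make_sample_logs() {   # constructed sample data standing in for the real archive
    printf 'INFO start\nERROR connection failed\nINFO ok\n' \
        > "$1/demo-sdif.ops.2009_252_190302.853.log"
    printf 'INFO start\nWARN java.io.IOException: disk full\nINFO failed to write\n' \
        > "$1/demo-dsdm.ops.2009_260_123941.256.log"
    printf 'INFO start\nINFO ok\n' > "$1/demo-snif.ops.2009_260_135053.210.log"
    printf 'ERROR Exception in thread main\n' \
        > "$1/dassimulator.eif.2009_245_155007.381.log"
    printf '%s\n' \
        'Sep 17 10:01:02 demo sshd[123]: password check failed for user (root)' \
        'Sep 17 10:01:05 demo sudo:   alice : TTY=pts/0 ; COMMAND=/bin/ls' \
        'Sep 17 10:02:00 demo sshd[124]: authentication failure; rhost=198.51.100.7' \
        'Sep 17 10:03:00 demo sudo:     bob : TTY=pts/1 ; COMMAND=/bin/cat' \
        > "$1/secure.sample"
}

if [ -z "${LOGDIR:-}" ]; then
    LOGDIR=$(mktemp -d)
    make_sample_logs "$LOGDIR"
fi
SECURE_LOG="${SECURE_LOG:-$LOGDIR/secure.sample}"

# Print the archive logs whose host tag equals $1 and whose YYYY_DDD stamp
# equals $2; an empty argument means "any".
select_logs() {
    local host="$1" day="$2" f base tag stamp
    for f in "$LOGDIR"/*.log; do
        [ -e "$f" ] || continue                # no *.log files at all
        base=${f##*/}
        tag=${base%%.*}                        # demo-sdif
        stamp=$(printf '%s' "${base#*.*.}" | cut -d_ -f1,2)   # 2009_252
        if [ -n "$host" ] && [ "$tag" != "$host" ]; then continue; fi
        if [ -n "$day" ] && [ "$stamp" != "$day" ]; then continue; fi
        printf '%s\n' "$f"
    done
}

# Count lines matching an ERE (case-insensitive) in one file.
# grep -c exits 1 when the count is 0, which is not an error here.
count_hits() {
    grep -Eic -- "$1" "$2" || true
}

# Report "<hits> <file>" for each selected log that matches the ERE in $1;
# files with no hits are skipped, so the output is the list of files with failures.
failures_by_file() {
    local pattern="$1" f n
    select_logs "$2" "$3" | while IFS= read -r f; do
        n=$(count_hits "$pattern" "$f")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "${f##*/}"; fi
    done
}

# Counts for a secure-style auth log, label and number on one line.
auth_summary() {
    printf 'password check failed: %s\n' "$(count_hits 'password check failed' "$1")"
    printf 'authentication failure: %s\n' "$(count_hits 'authentication failure' "$1")"
    printf 'sudo used: %s\n' "$(count_hits '(^| )sudo:' "$1")"
}

# The menu: host and date are read once, then reused by every option.
main_menu() {
    local host day opt
    printf 'Host tag (blank for any): '; read -r host
    printf 'Date as YYYY_DDD (blank for any): '; read -r day
    while :; do
        printf '\n 1) List matching logs\n 2) Files with "failed" or "exception"\n'
        printf ' 3) Auth-log summary (%s)\n 4) Exit\nOption: ' "$SECURE_LOG"
        read -r opt
        case "$opt" in
            1) select_logs "$host" "$day" ;;
            2) failures_by_file 'failed|exception' "$host" "$day" ;;
            3) auth_summary "$SECURE_LOG" ;;
            4) break ;;
            *) echo "Unknown option: $opt" ;;
        esac
    done
}

# Only start the interactive menu when asked, so the functions can be sourced too.
if [ "${1-}" = menu ]; then main_menu; fi
```

Run it as `LOGDIR=/home/username/current_release/logs/archive SECURE_LOG=/var/log/secure bash logmenu.sh menu` against the real directories; without `LOGDIR` it builds the constructed sample archive and searches that, which is a convenient way to check the pattern before the meeting.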