Need help with script.

Hi:

I am using Linux and trying to format logs. I have grepped for stuff like invalid users and/or error. However, the way the logs are formatted, sometimes the full error is not on the line, i.e. it is on the next line. If I grep something, like:
cat /var/spool/mail/* |grep -i session |awk '{print $5}'
The information I want is in the log on the next line. Is there a way to get the following lines anyone can think of? Thanks so much for your help in advance.
Henry

You could try

awk '/error/{_=2}_&&_--' /var/spool/mail/*

Can you post a sample log file.

This is a small snippet, Dan.

Illegal users from:
192.168.42.22 (impala.snas-net): 1 time

Unmatched Entries
pam_succeed_if(sshd:auth): error retrieving information about user henry : 1 time(s)

If I cat for illegal, I don't find out where the 'illegal' is coming from because the actual ip is on the next line. Or the next line, where I grep for unmatched but don't get the user Henry.

I'm fairly new to scripting or not very knowledgeable at this time. Thanks.

---------- Post updated at 12:57 PM ---------- Previous update was at 12:50 PM ----------

Here is another sample of the log where I want to grab the second line following the line I grepped for.

sshd:
Authentication Failures:
unknown (impala.snas-net): 1 Time(s)
Invalid Users:
Unknown Account: 1 Time(s)

I haven't been able to figure out how to insert a variable into the search field, or I'd provide that example... Here's something that will return the line that matches your search string AND the line that follows immediately afterward.

#!/bin/sh

/usr/xpg4/bin/awk '/Illegal users/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Unmatched Entries/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Authentication Failures/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Invalid Users/{_=2}_&&_--' /var/spool/mail/*

You might pass the log file in as an argument - so that it's not always checking the /var/spool/mail directory.

edit ----------
that should be {_=1}

Two basic examples

awk '/(Illegal|Invalid) [Uu]sers|Authentication Failure|Unmatched Entries/{printf "%s", $0; getline; print FS $0}' file
egrep -A1 "(Illegal|Invalid) [Uu]sers|Authentication Failure|Unmatched Entries" file

I'm getting there and I really appreciate everyone's help. Thank you all.

I tried Av's and Dan's code and they both worked. The last thing I tried was Dan's awk statement, which produced this after a bit of tweaking.

Unmatched Entries unix_chkpwd[8788]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[22256]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[8788]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[22256]: password check failed for user (henry)

which is very good. It seems like it's looking for unmatched entries, I'm sure there's an easy way of looking for other items (multiple items) such as A or B or C. In my case it would be unmatched entries or Illegal users from? Thanks again, this has been great for me, I am finally learning how to script. :)

---------- Post updated at 09:56 AM ---------- Previous update was at 09:55 AM ----------

I am sorry, can you please explain this further?

You might pass the log file in as an argument - so that it's not always checking the /var/spool/mail directory.

I don't know how to pass the log file in as an argument.

Thanks.

In the script example that I provided, the only files that it will check are those listed in /var/spool/mail.
If you have other log directories that you would like to check, you will need to manually re-write the script, or make a change that uses a variable:

#!/bin/sh
/usr/xpg4/bin/awk '/Illegal users/{_=2}_&&_--' "$1"/*

You would provide the path to check as a parameter to the script:

./script.sh /var/spool/mail

If I understand you correctly, then I would simply put this:

./logcheck3.bash /var/spool/mail

in the logcheck3.bash script?

Thanks.

---------- Post updated at 09:17 AM ---------- Previous update was at 09:14 AM ----------

If my syntax is correct, could I use a second directory as well?

./logcheck3.bash /var/spool/mail /newdir ?
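A combined answer to the multiple-pattern question and the multiple-directory question above, as an added example that is not code posted by anyone in this thread: an awk function that prints each matching line plus the N lines after it, wrapped in a loop over one or more directories given as arguments. It assumes POSIX sh and awk; the sample log it runs on is constructed here in a temporary directory, modelled on the snippets in the thread.

```shell
#!/bin/sh
# Added example, not code posted in the thread. Assumes POSIX sh and awk.
# Prints every line matching any of several patterns plus the N lines that follow it,
# across all files in one or more directories (the original only checked /var/spool/mail).

# match_with_context PATTERN N FILE...
# PATTERN is an awk extended regex, e.g. 'Illegal users|Unmatched Entries'.
# N is how many lines after each match to include (1 = the next line only, 2 = two lines).
match_with_context() {
    pat=$1; n=$2; shift 2
    awk -v pat="$pat" -v n="$n" '
        $0 ~ pat { left = n + 1 }              # the match itself plus n followers
        left && left-- { print FILENAME ": " $0 }
    ' "$@"
}

# scan_dirs PATTERN N DIR...  -- run the search over every regular file in each directory
scan_dirs() {
    pat=$1; n=$2; shift 2
    for d in "$@"; do
        for f in "$d"/*; do
            if [ -f "$f" ]; then
                match_with_context "$pat" "$n" "$f"
            fi
        done
    done
}

# Constructed sample log in a temporary directory, built from the snippets in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/maillog" <<'EOF'
Illegal users from:
192.168.42.22 (impala.snas-net): 1 time

Unmatched Entries
pam_succeed_if(sshd:auth): error retrieving information about user henry : 1 time(s)

sshd:
Authentication Failures:
unknown (impala.snas-net): 1 Time(s)
Invalid Users:
Unknown Account: 1 Time(s)
EOF
    printf '%s\n' "$d"
}

# Demo on the sample; on a real box: scan_dirs 'Illegal users|Unmatched Entries' 1 /var/spool/mail /newdir
sample=$(make_sample_dir)
scan_dirs 'Illegal users|Unmatched Entries' 1 "$sample"
rm -rf "$sample"
```

Each output line is prefixed with the file it came from, so hits from several directories stay distinguishable.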