I am using Linux and trying to format logs. I have grepped for stuff like invalid users and/or error. However, the way the logs are formatted, sometimes the full error is not on the line, i.e. it is on the next line. If I grep something, like:
cat /var/spool/mail/* |grep -i session |awk '{print $5}'
The information I want is in the log on the next line. Can anyone think of a way to get the following lines? Thanks so much for your help in advance.
Henry
Illegal users from:
192.168.42.22 (impala.snas-net): 1 time
Unmatched Entries
pam_succeed_if(sshd:auth): error retrieving information about user henry : 1 time(s)
If I cat for illegal, I don't find out where the 'illegal' is coming from because the actual IP is on the next line. Or the next line, where I grep for unmatched but don't get the user Henry.
I'm fairly new to scripting and not very knowledgeable at this time. Thanks.
---------- Post updated at 12:57 PM ---------- Previous update was at 12:50 PM ----------
Here is another sample of the log where I want to grab the second line following the line I grepped for.
I haven't been able to figure out how to insert a variable into the search field, or I'd provide that example... Here's something that will return the line that matches your search string AND the line that follows immediately afterward.
I'm getting there and I really appreciate everyone's help. Thank you all.
I tried Av's and Dan's code and they both worked. The last thing I tried was Dan's awk statement, which produced this after a bit of tweaking.
Unmatched Entries unix_chkpwd[8788]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[22256]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[8788]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[13474]: password check failed for user (henry)
Unmatched Entries unix_chkpwd[22256]: password check failed for user (henry)
which is very good. It seems like it's looking for unmatched entries; I'm sure there's an easy way of looking for other items (multiple items) such as A or B or C. In my case it would be unmatched entries or Illegal users from? Thanks again, this has been great for me, I am finally learning how to script.
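The following is an added example, not Av's or Dan's code from this thread and not a script from the original page. It is a POSIX shell function that covers the three things asked about above in one place: it matches any of several patterns (A or B or C), prints each matching line together with the line(s) that follow it, and takes the log file as an argument instead of hard-coding /var/spool/mail. The function name follow_matches, the " | " record separator and the sample log are my own choices; the sample log is constructed to resemble the logwatch-style report quoted earlier, not captured from a real host. Joining the header line with the line after it matters for the security use here: the offending IP and the failing user name only become useful once they sit on the same record, where they can be counted or fed to a blocklist.

```shell
#!/bin/sh
# Added example: match several patterns in a log, keep the following lines,
# and pass the log file in as an argument.  Not from the original thread.

# Constructed sample in the style of the logwatch mail quoted in the thread
# (hypothetical content, not a real report).
SAMPLE_LOG=$(cat <<'EOF'
Illegal users from:
192.168.42.22 (impala.snas-net): 1 time
Unmatched Entries
pam_succeed_if(sshd:auth): error retrieving information about user henry : 1 time(s)
Sessions opened: 3
Unmatched Entries
unix_chkpwd[8788]: password check failed for user (henry)
EOF
)

# follow_matches FILE CONTEXT PATTERN [PATTERN...]
#   FILE     log file to scan (passed in, not hard-coded)
#   CONTEXT  how many lines after each hit to attach to it
#   PATTERN  one or more extended regexes, matched case-insensitively;
#            "a" "b" "c" behaves like "a OR b OR c"
# Each hit is printed as one record: the matching line, then the CONTEXT
# lines after it, joined with " | " so later sort/uniq see one line per hit.
follow_matches() {
    file=$1
    ctx=$2
    shift 2

    # Build a single alternation "a|b|c" from the remaining arguments.
    pat=""
    for p in "$@"; do
        pat="${pat:+$pat|}$p"
    done

    awk -v pat="$pat" -v ctx="$ctx" '
        # Lower-case both sides once so the match is case-insensitive in any
        # POSIX awk (no dependence on gawk-only IGNORECASE).
        BEGIN { pat = tolower(pat) }

        # A new hit: flush any record still collecting, start a new one.
        tolower($0) ~ pat {
            if (rec != "") print rec
            rec  = $0
            left = ctx
            next
        }

        # Still collecting context for the previous hit.
        left > 0 {
            rec = rec " | " $0
            if (--left == 0) { print rec; rec = "" }
        }

        # A hit right at end-of-file may have fewer than CONTEXT lines after it.
        END { if (rec != "") print rec }
    ' "$file"
}

# Demo: write the constructed sample to a temp file and scan it the way a
# real log would be scanned, with the file name as the first argument.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
follow_matches "$demo_file" 1 'illegal users from' 'unmatched entries'
rm -f "$demo_file"
```

On the sample above the call prints three records, e.g. "Illegal users from: | 192.168.42.22 (impala.snas-net): 1 time", so a pipeline such as follow_matches "$log" 1 'illegal users from' | awk '{print $5}' | sort | uniq -c now yields the IPs instead of empty fields. With GNU grep, grep -i -A1 -E 'illegal users from|unmatched entries' "$log" returns the same lines, but keeps them on separate lines with a "--" group separator between hits, which is what makes the awk version easier to post-process. To scan the whole mail spool as the original command did, pass a concatenated copy (cat /var/spool/mail/* > /tmp/all.log) or change the final "$file" to "$@" after collecting the patterns another way.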
---------- Post updated at 09:56 AM ---------- Previous update was at 09:55 AM ----------
I am sorry, can you please explain this further?
You might pass the log file in as an argument - so that it's not always checking the /var/spool/mail directory.
I don't know how to pass the log file in as an argument.
In the script example that I provided, the only files that it will check are those listed in /var/spool/mail
If you have other log directories that you would like to check, you will need to manually re-write the script, or make a change that uses a variable: