Parsing kiwi syslog from Astaro

Hello,

I am trying to parse this syslog, pulling out and logging results to a file. The information I want is: srcip, srcport, dstip, dstport. I just want the numbers, not including the text part, i.e. srcip=". The problem is that the column locations change, so I can't use the nice awk $1 $2 etc. to identify the wanted data. I have read enough scripting posts that my head is spinning. It seems everyone's columns stay the same, hence my issue. Here is a snippet of the log file:

2011-04-30 22:37:01    Daemon.Info    192.168.1.1    2011:04:30-22:37:07 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:26:18:1c:78:e0" dstmac="0:c:f1:88:90:5c" srcip="192.168.1.3" dstip="65.55.158.118" proto="17" length="89" tos="0x00" prec="0x00" ttl="127" srcport="55353" dstport="3544" 
2011-04-30 22:37:03    Daemon.Info    192.168.1.1    2011:04:30-22:37:09 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:1:5c:31:9d:1" dstmac="0:9:5b:9:48:ce" srcip="172.29.255.12" dstip="224.0.0.1" proto="2" length="32" tos="0x00" prec="0xc0" ttl="1" 

Notice that some lines have outitf and others do not. Any help will be greatly appreciated. I want to stick with learning scripting, but this is driving me crazy.

Thanks again,
Bob

Something along these lines:
nawk -f melnik.awk mySysLog

melnik.awk:

BEGIN {
  qq = sprintf("%c", 34)                          # a literal double-quote character
  strN = split("srcip srcport dstip dstport", strA, " ")
}
{
  for (i = 1; i <= strN; i++) {
    if (match($0, strA[i] "=" qq)) {              # find key=" wherever it sits on the line
      t = substr($0, RSTART + RLENGTH)            # text starting at the value
      match(t, "[^" qq "]*")                      # value runs up to the closing quote
      s = substr(t, RSTART, RLENGTH)
      printf("%s : [%s]", strA[i], s)
    }
    printf("%s", (i == strN) ? ORS : "|")         # keep separators even when a key is absent
  }
}
awk -F"[=[:blank:]]" '{for(i=1;i<=NF;i++) if($i~/^(srcip|srcport|dstip|dstport)$/) printf "%s ", $(i+1); printf "\n"}' yourlogfile

Removing the double quotes around values:

awk -F"[=[:blank:]]" '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/^(srcip|srcport|dstip|dstport)$/) printf "%s ", $(i+1); printf "\n"}' yourlogfile

Use nawk instead of awk if you are on Solaris/SunOS.

Wow, thank you for this information. I had no idea about the full syntax usage of any of those commands. Talk about a head start in learning scripting. I am speechless.

thanks again,
bob

I've run into a strange situation. When I run the scripts using mobaxterm, everything is fine. However, when I run it under Ubuntu, I see no output. It is moving the cursor but zero output. When I pipe it to an output file, nothing is written to it.

bob

I suspect your awk doesn't support multiple field-separator definitions, so it just puts the whole line in $1; that is the reason why you only get blank lines returned.

On your Ubuntu machine, try replacing "awk" with "gawk":

gawk -F"[=[:blank:]]" '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/^(srcip|srcport|dstip|dstport)$/) printf "%s ", $(i+1); printf "\n"}' yourlogfile

You can alternatively try (with your standard Ubuntu awk):

sed 's/  */=/g;s/=/ /g' yourlogfile | awk '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/^(srcip|srcport|dstip|dstport)$/) printf "%s ", $(i+1); printf "\n"}'
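The one-liners above work by splitting on = and whitespace and printing the field after each wanted key. Two things a practitioner will want that they do not give: a record that lacks a key (the proto="2" line has no srcport or dstport) silently prints fewer columns, so everything downstream shifts; and the -F"[=[:blank:]]" form depends on the awk in use understanding a bracket class inside a regex field separator, which is exactly what differs between the mobaxterm and Ubuntu runs. The script below is an added example, not code from the thread: it walks each line for key="value" pairs with match()/substr() only, so it runs unchanged under gawk, nawk and mawk, and it prints "-" for any requested key a record does not carry. The sample log lines are constructed from the two records shown in the question; the function name extract_fields is my own.

```shell
#!/bin/sh
# Added example (not from the thread): pull named key="value" fields out of
# Astaro ulogd packetfilter lines regardless of their column position.
# Portable awk only: no [:blank:], no regex -F, no gawk extensions.

# Constructed sample records, copied from the two lines shown in the question.
SAMPLE_LOG='2011-04-30 22:37:01    Daemon.Info    192.168.1.1    2011:04:30-22:37:07 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:26:18:1c:78:e0" dstmac="0:c:f1:88:90:5c" srcip="192.168.1.3" dstip="65.55.158.118" proto="17" length="89" tos="0x00" prec="0x00" ttl="127" srcport="55353" dstport="3544"
2011-04-30 22:37:03    Daemon.Info    192.168.1.1    2011:04:30-22:37:09 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:1:5c:31:9d:1" dstmac="0:9:5b:9:48:ce" srcip="172.29.255.12" dstip="224.0.0.1" proto="2" length="32" tos="0x00" prec="0xc0" ttl="1"'

# extract_fields KEY...  (hypothetical helper name)
# Reads log lines on stdin and prints one line per record containing the
# requested keys' values, space-separated, in the order given; a key the
# record does not carry prints as "-" so column alignment never shifts.
extract_fields() {
    awk -v keys="$*" '
    BEGIN { nkeys = split(keys, want, " ") }
    {
        split("", kv)                 # clear the per-record map (portable form)
        rest = $0
        # Scan left to right for key="value" pairs. Position on the line is
        # irrelevant, so records with or without outitf parse the same way,
        # and values containing spaces (name="Packet dropped") stay intact.
        while (match(rest, /[A-Za-z_][A-Za-z0-9_]*="[^"]*"/)) {
            pair = substr(rest, RSTART, RLENGTH)
            eq   = index(pair, "=")
            key  = substr(pair, 1, eq - 1)
            val  = substr(pair, eq + 2, length(pair) - eq - 2)   # drop both quotes
            kv[key] = val
            rest = substr(rest, RSTART + RLENGTH)
        }
        out = ""
        for (i = 1; i <= nkeys; i++)
            out = out (i > 1 ? " " : "") ((want[i] in kv) ? kv[want[i]] : "-")
        print out
    }'
}

# Stand-alone demo: the first record yields all four values, the IGMP
# record (proto="2") has no ports and yields "-" in those columns.
printf '%s\n' "$SAMPLE_LOG" | extract_fields srcip srcport dstip dstport
```

Run it against the real file with `extract_fields srcip srcport dstip dstport < yourlogfile`. The regex requires a key immediately followed by =", so the timestamp, hostname and ulogd[4777]: prefix are never mistaken for pairs, and values are read up to the closing quote rather than up to the next space; if a downstream tool needs the original column layout, the "-" placeholders keep every record at the same width.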