RSYSLOG reports

I want to create reports using rsyslog in Linux. Can someone help me out here? The report format must be "Hostname" "Username" "Hostname logged from" "Date" "Time".

Regards,
Ahmed.

I noticed that you started a similar thread before, but you never answered RudiC's question.

I would suggest you post a representative sample of the rsyslog output and any attempts from your side to create this report.

Yoda,

Please find the rsyslog dump below:

Sep 28 17:16:37 samplehostname sshd[32092]: subsystem request for sftp
Sep 28 18:21:30 samplehostname sshd[23278]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:27:31 samplehostname sshd[30298]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname sshd[21016]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:58:41 samplehostname sshd[32092]: pam_unix(sshd:session): session closed for user root
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 11:09:59 samplehostname su: pam_unix(su:session): session opened for user root by oracle(uid=501)

Based on assumptions:

awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /Accepted password/ {
                # $4 host, $9 user, $11 source address, $1-$3 timestamp
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file

Thanks a ton, it is working. But the log file may vary; it is not constant all the time. You can see only two users logging in here, but in reality a lot of users may log in.

Can you help me with what I need to do in that case?

What's your concern? Yoda's suggestion would accommodate any arbitrary amount of login sessions reported in the rsyslog file you feed it. Any user will show as many times as the password is accepted.

Processing large volumes of text is exactly what awk is made for. Processing millions of records in a reasonably small amount of time is not difficult.

Thank you very much, all, for the prompt response.

Can someone please help me with this logic: if I want to include the "Failed password" string in the code, how do I add that?

Sep 28 17:16:37 samplehostname sshd[32092]: subsystem request for sftp
Sep 28 18:21:30 samplehostname sshd[23278]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:27:31 samplehostname sshd[30298]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname sshd[21016]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:58:41 samplehostname sshd[32092]: pam_unix(sshd:session): session closed for user root
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 11:09:59 samplehostname su: pam_unix(su:session): session opened for user root by oracle(uid=501)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /Accepted password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file

The easier way would be

awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /(Accepted|Failed) password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file

... But then you would not know who was successful in logging in and who was not.
Perhaps another modification is necessary.

awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME", "STATUS"
        }
        /(Accepted|Failed) password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3, $6
        }
' OFS='\t' rsyslog_file

This was modified on the fly and I did not test it.
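The following is an added example, not code from the thread. It builds the same HOST/USER/FROM/STATUS report from sshd lines in the traditional syslog format shown above, but splits the date and time into the separate columns the original request asked for, and handles a case the fixed field positions ($9, $11) above get wrong: "Failed password for invalid user NAME from ADDR", where the two extra words shift the username and address by two fields. The sample log lines are constructed for this example (the hostname, users and addresses are assumptions), and the awk only uses POSIX constructs, so it runs under gawk, mawk or nawk.

```shell
#!/bin/sh
# Added example (not from the thread): sshd login report from a syslog-format file.
# Constructed sample input; the "invalid user" and "publickey" lines are the cases
# the fixed-field awk in the thread does not handle.
SAMPLE_LOG='Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:40 samplehostname sshd[6861]: Failed password for invalid user admin from 10.225.124.234 port 54630 ssh2
Sep 29 12:25:01 samplehostname sshd[6870]: Accepted publickey for deploy from 10.99.22.7 port 50122 ssh2: RSA SHA256:abc'

# Reads syslog lines on stdin, prints a tab-separated report with a header row.
# Only sshd "Accepted"/"Failed" authentication lines are reported; pam_unix
# session lines and sftp subsystem requests are ignored.
ssh_login_report() {
    awk '
    BEGIN {
        OFS = "\t"
        print "HOST", "USER", "FROM", "DATE", "TIME", "STATUS"
    }
    /sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for / {
        user = ""; from = ""
        # Walk the fields instead of trusting positions: "for invalid user NAME"
        # puts the name two fields later than "for NAME".
        for (i = 6; i <= NF; i++) {
            if ($i == "for") {
                if ($(i + 1) == "invalid" && $(i + 2) == "user")
                    user = $(i + 3)
                else
                    user = $(i + 1)
            }
            if ($i == "from") from = $(i + 1)
        }
        # $4 is the logging host, $1 $2 the date, $3 the time, $6 Accepted/Failed
        print $4, user, from, $1 " " $2, $3, $6
    }'
}

# Counts failed logins per source address from the report above; a useful
# first cut at spotting password guessing against the host.
failed_by_source() {
    ssh_login_report |
        awk -F '\t' 'NR > 1 && $6 == "Failed" { n[$3]++ }
                     END { for (ip in n) print ip, n[ip] }' |
        sort
}

# Run stand-alone against the constructed sample (replace with your log file):
#   ssh_login_report < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | ssh_login_report
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
```

Feed it the file rsyslog writes (typically /var/log/secure or /var/log/auth.log) rather than the socket; rsyslog itself only stores the lines, the report is produced by awk over that file. Note that a reported STATUS of "Failed" for an existing user and for an "invalid user" are both worth counting, since an attacker guessing usernames produces the latter.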

Thanks Aia, will try from my end and let you know soon.

Regards,

Thanks Aia, it is resolved.