How to retrieve counts of IP addresses from log file?

I am checking a log file to retrieve IP addresses plus how many times a login failed. This is what my log file looks like:

Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173

Now, I want to also check how many times a login was accepted. The idea is to get an overview of brute-force attacks.

How do I extend

sed -nr '/Failed/s/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | sort | uniq -c

to also check for accepted passwords? Something like

sed -nr '/Accepted|Failed/s/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/p' | sort | uniq -c

But instead of having an "or" between Accepted and Failed, I would like to get a count result that would look like this:

123.53.163.22 3 2

(The columns are: IP address, total Failed, total Accepted)

This is related to How to retrieve IP addresses of possible ssh attackers?
shell-script shell sed logs ip

edited Dec 5 at 16:50 by JigglyNaga
asked Dec 3 at 9:54 by Horbaje
  • From the command that you have, we can guess what your input might look like. We don't like to guess. Show a representative example of what your input looks like and what output you want to get.
    – G-Man
    Dec 3 at 16:40
1 Answer
accepted

Given the scant sample ....

cat horbaje
Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173

This, I think, does what you want:

# GNU awk (a[$11][1] is an array of arrays, gawk 4+); in these lines $6 is Failed/Accepted and $11 the address
awk '$6~/Failed/{a[$11][1]++}; $6~/Accepted/{a[$11][2]++} END{for(i in a)printf "%s\t%s\t%s\n",i,a[i][1],a[i][2]}' horbaje
143.100.67.173 5 1





edited Dec 5 at 20:16
answered Dec 5 at 17:01 by tink
  • Thank you tink, that was very helpful in solving my problem!
    – Horbaje
    Dec 5 at 19:58

  • Pleased to hear =}
    – tink
    Dec 5 at 20:13

  • Follow-up question. If I want to find the IP address not by position, how would I replace a[$11][1] with something like the regex a(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?
    – Horbaje
    Dec 8 at 13:07

  • I'd do something like this: awk '{ip=gensub(/.* from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/,"\\1","1",$0);print ip} $6~/Failed/{a[ip][1]++}; $6~/Accepted/{a[ip][2]++} END{for(i in a)printf "%s\t%s\t%s\n",i,a[i][1],a[i][2]}{ip=""}' horbaje
    – tink
    Dec 8 at 18:29
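The shell function below is an added example; it is not code from the question or from tink's answer. It produces the IP / failed / accepted columns the question asks for and, in the spirit of tink's follow-up, locates the address by pattern rather than by field number: on a line such as "Failed password for invalid user admin from 143.100.67.173 port 30595 ssh2" the eleventh field is "admin", not the address. Because the username on such lines is chosen by the attacker, the address is taken from the last " from ADDR port N" on the line instead of the first match, so a username like "from" or one containing a fake " from x port 1" cannot spoof the result; for the same reason a greedy ".*" in front of the address pattern is avoided, since it can swallow leading digits of the address. Only POSIX awk is used (match, substr and plain associative arrays), so it does not need gawk's arrays of arrays or gensub. It also marks addresses that failed at least FAIL_THRESHOLD times and were later accepted, the pattern that matters most when reviewing a brute-force attack. The sample log lines, the function name count_ssh_logins and the FAIL_THRESHOLD variable are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original question or answer): per-address
# counts of failed and accepted sshd logins, with the source address taken
# from the LAST " from ADDR port N" on the line rather than from a fixed
# field number. Portable awk only (match/substr, no gawk extensions).

# Constructed sample log. The first lines follow the question's format; the
# "invalid user admin" line shows why $11 is not always the address, and the
# "invalid user from" line shows an attacker-chosen username that must not
# be mistaken for the address.
SAMPLE_LOG='Feb  2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb  2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:12 tank sshd[14874]: Failed password for invalid user admin from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 port 30595 ssh2
Feb  2 15:21:01 tank sshd[14880]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Feb  2 15:21:30 tank sshd[14882]: Failed password for invalid user from from 2001:db8::1 port 4000 ssh2
Feb  2 15:21:31 tank sshd[14883]: Connection closed by 2001:db8::1 port 4001 [preauth]'

# count_ssh_logins [FILE]    (reads stdin when FILE is omitted)
# Output, one line per address, tab-separated:  IP  failed  accepted  flag
# flag is REVIEW when the address reached FAIL_THRESHOLD (default 3) failed
# password attempts and a login from it was accepted afterwards.
count_ssh_logins() {
    awk -v thr="${FAIL_THRESHOLD:-3}" '
        # Return the address from the last " from ADDR port N" on the line;
        # the loop keeps advancing so an injected earlier copy is skipped.
        function src_ip(line,    rest, s) {
            s = ""; rest = line
            while (match(rest, / from [0-9A-Fa-f.:]+ port [0-9]+/)) {
                s = substr(rest, RSTART + 6, RLENGTH - 6)
                sub(/ port [0-9]+$/, "", s)
                rest = substr(rest, RSTART + RLENGTH)
            }
            return s
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = src_ip($0)
            if (ip != "") { failed[ip]++; seen[ip] = 1 }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = src_ip($0)
            if (ip != "") {
                accepted[ip]++; seen[ip] = 1
                if (ip in failed) fail_then_ok[ip] = 1   # success after earlier failures
            }
        }
        END {
            for (ip in seen) {
                flag = (failed[ip] + 0 >= thr && (ip in fail_then_ok)) ? "REVIEW" : "-"
                printf "%s\t%d\t%d\t%s\n", ip, failed[ip], accepted[ip], flag
            }
        }
    ' "${1:--}" | LC_ALL=C sort
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | count_ssh_logins
```

On a real host run it as count_ssh_logins /var/log/auth.log (or /var/log/secure), or pipe journalctl output for the sshd unit into it; the default journalctl line format carries the same "sshd[PID]: ..." message text, so the patterns match unchanged. Lines such as "Connection closed by ... [preauth]" are deliberately ignored, and "Failed publickey" is not counted because legitimate clients routinely offer several keys before the right one.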











