How to filter and view only a substring of iptables logs with tailf and sed?
One line of the iptables log is:
Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:00:x:00:00:x:00:x:x:x:x SRC=x.x.x.x DST=x.x.x.x LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50
and to watch it live, I used:
tailf /var/log/kern.log
but as you can see, it contains a lot of information. So I tried to view only the source and destination fields of that line.
I changed my command to something like this:
tailf /var/log/kern.log | sed -n -e 's/^.*DST: //p'
but still nothing. Is there any way I can change it to show me only the source and destination IP addresses? Or should I go for a more complicated solution than a single command?
sed iptables tail
asked Jan 5 at 10:19
comey macdonald
32
3 Answers
score 1, accepted
[...] tried to view only source and destination field of that line.
I would use grep. Something like this:
echo "Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:00:x:00:00:x:00:x:x:x:x SRC=192.168.1.10 DST=192.168.1.20 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50" | egrep -o 'SRC=[0-9.]* DST=[0-9.]*'
SRC=192.168.1.10 DST=192.168.1.20
In your case it would become:
tailf /var/log/kern.log | egrep -o 'SRC=[0-9.]* DST=[0-9.]*'
answered Jan 5 at 13:14
maulinglawns
5,5082822
score 0
Find out the maximum number of columns that exists with the command below:
awk '{print NF}' /var/log/kern.log | sort -rn | head -1
and assign that value as the maximum of the for loop.
From the given input the maximum number of columns is 22, so we assign the value 22 in the for loop:
for ((i=1;i<=22;i++)); do tail -f /var/log/kern.log | awk -v i="$i" '$i ~ "SRC" {print $i}'; tail -f /var/log/kern.log | awk -v i="$i" '$i ~ "DST" {print $i}'; done
output
SRC=x.x.x.x
DST=x.x.x.x
answered Jan 5 at 14:16
Praveen Kumar BS
1,010128
score 0
What did you expect? The line doesn't contain "DST:". Use
sed -n 's/.*\(SRC=.*DST=[^ ]*\).*/\1/p'
to remove everything but the match inside the ().
answered Jan 5 at 15:57
Philippos
5,90211545
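The following is an added example, not code from the question or from any of the answers above. It carries the accepted grep answer and the sed capture-group answer through on a small constructed sample of kernel log lines (the addresses, ports and the non-iptables USB line are made up for the example; the "x" placeholders mirror the anonymised line in the question), shows why the asker's "DST: " pattern never matched (the field is written "DST=", with no colon), and adds a per-source count, which is what a defender usually wants from a feed of dropped packets. The function names src_dst, src_dst_proto_dpt and top_sources are this example's own.

```shell
#!/bin/sh
# Added example (not from the original question or answers): pull the SRC/DST
# fields out of iptables "IPTables-Dropped" log lines with POSIX sed capture
# groups, then summarise dropped packets per source address.

# Constructed sample log for the example. Line 3 is an unrelated kernel message
# to show that non-iptables lines are filtered out rather than mangled.
SAMPLE_LOG='Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=x SRC=192.168.1.10 DST=192.168.1.20 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50
Jan 1 21:41:20 x kernel: [838761.001000] IPTables-Dropped: IN=eth0 OUT= MAC=x SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 1 21:41:21 x kernel: [838761.500000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 1 21:41:22 x kernel: [838762.250000] IPTables-Dropped: IN=eth0 OUT= MAC=x SRC=10.0.0.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# src_dst: print "SRC=a.b.c.d DST=e.f.g.h" for every iptables line on stdin.
# The fields are "SRC=" and "DST=" (no colon), which is why the question's
# 's/^.*DST: //p' never matched. \( \) are BRE capture groups; [^ ]* stops at
# the first space after the address. With -n, lines without a match print nothing.
src_dst() {
    sed -n 's/.*\(SRC=[^ ]* DST=[^ ]*\).*/\1/p'
}

# src_dst_proto_dpt: keep protocol and destination port as well, so the
# reader sees which service each dropped packet was aimed at.
src_dst_proto_dpt() {
    sed -n 's/.*SRC=\([^ ]*\) DST=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([^ ]*\).*/SRC=\1 DST=\2 PROTO=\3 DPT=\4/p'
}

# top_sources: one line per source address, "address count", busiest first.
top_sources() {
    sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn | awk '{print $2" "$1}'
}

# Wrappers that run each filter over the constructed sample (used by the checks).
demo_src_dst() { printf '%s\n' "$SAMPLE_LOG" | src_dst; }
demo_detail()  { printf '%s\n' "$SAMPLE_LOG" | src_dst_proto_dpt; }
demo_top()     { printf '%s\n' "$SAMPLE_LOG" | top_sources; }

# Live use against the real log, as in the question (tail -f is the portable
# form of tailf):
#   tail -f /var/log/kern.log | src_dst
```

Running demo_src_dst on the sample prints three SRC/DST pairs and skips the USB line; demo_top reports 10.0.0.5 twice and 192.168.1.10 once. The capture-group form is the same idea as the egrep -o one-liner in the accepted answer, but it lets you reorder or drop fields in the output, which the -o form cannot do.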