How to filter and view only a substring of iptables logs with tailf and sed?

One line of the iptables log is:

Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:00:x:00:00:x:00:x:x:x:x SRC=x.x.x.x DST=x.x.x.x LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50

and to watch it live, I used:

tailf /var/log/kern.log

But as you can see, it contains a lot of information. So I tried to view only the source and destination fields of that line.

I changed my command to something like this:

tailf /var/log/kern.log | sed -n -e 's/^.*DST: //p'

but still nothing. Is there any way I can change it to show me only the source and destination IP addresses? Or should I go to a more complicated solution than a command?







asked Jan 5 at 10:19 by comey macdonald

3 Answers

Accepted answer (score 1):
          [...] tried to view only source and destination field of that line.




          I would use grep. Something like this:



          echo "Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:x:00:x:00:00:x:00:x:x:x:x SRC=192.168.1.10 DST=192.168.1.20 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50" | egrep -o 'SRC=[0-9.]* DST=[0-9.]*'
          SRC=192.168.1.10 DST=192.168.1.20


          In your case it would become:



          tailf /var/log/kern.log | egrep -o 'SRC=[0-9.]* DST=[0-9.]*'





answered Jan 5 at 13:14 by maulinglawns
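As an added example (not code from the question or any of the answers), the same SRC/DST extraction is done by field name in awk rather than by column position, so it keeps working when the number of columns differs between UDP and TCP entries, and a per-source drop count is added to show a typical defender's use of the same parse. The log lines, addresses and MAC are constructed.

```shell
# Constructed sample kern.log lines in the question's format (RFC 5737
# documentation addresses, made-up MAC); not taken from the original post.
# The TCP lines carry extra fields (WINDOW, RES, SYN), so SRC/DST are not
# always in the same column.
SAMPLE_LOG='Jan 1 21:41:19 x kernel: [838760.885218] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=37739 DPT=53 LEN=50
Jan 1 21:41:20 x kernel: [838761.001000] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 1 21:41:21 x kernel: [838762.002000] IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 1 21:41:22 x kernel: [838763.003000] usb 1-1: new high-speed USB device'

# Print "SRC DST PROTO DPT" for every IPTables-Dropped line on stdin, looking
# each KEY=VALUE field up by name instead of by fixed column number.
extract_flow() {
    awk '/IPTables-Dropped:/ {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # bare flags such as DF or SYN
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        print src, dst, proto, dpt
    }'
}

# Dropped packets per source address, busiest first: a quick way to spot the
# host generating most of the drops.
count_by_src() {
    extract_flow | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Stand-alone run over the sample; for a live view replace the printf with
# tail -f /var/log/kern.log.
printf '%s\n' "$SAMPLE_LOG" | extract_flow
printf '%s\n' "$SAMPLE_LOG" | count_by_src
```

When awk's output goes into a further pipe rather than to the terminal it is block-buffered, so in a live tail -f pipeline that feeds another command add fflush() after the print (gawk and mawk support it).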






















Answer (score 0):
Find out the maximum column that exists from the below command:

awk '{print NF}' /var/log/kern.log | sort -rn | head -1

and assign that value as the for loop maximum value.

From the given input the maximum column that exists is 22, so we assigned the value 22 in the for loop:

# one tail -f feeds awk, which loops over the columns itself; a shell for loop
# around tail -f would block on its first iteration and never reach column 2
tail -f /var/log/kern.log | awk '{ for (i=1; i<=22; i++) if ($i ~ "SRC" || $i ~ "DST") print $i }'

output:
SRC=x.x.x.x
DST=x.x.x.x





answered Jan 5 at 14:16 by Praveen Kumar BS




















Answer (score 0):
What did you expect? The line doesn't contain DST:. Use

sed -n 's/.*\(SRC=.*DST=[^ ]*\).*/\1/p'

to remove everything apart from the match inside the \( \).






answered Jan 5 at 15:57 by Philippos






















                                         
