mijohnst
09-08-2010 10:09 PM
Parse log file with bash
I'm not a programmer and barely a scripter (compared to many of the gods here) so I'm having a hard time deciding what I should do in parsing the snare.log file. I only need a bit of information from certain lines. For instance when someone logs in with SSH, I want to know when, who, successful/unsuccessful and from where.
So one entry from the snare log looks like this:
Code:
vm-rhel5 LinuxKAudit criticality,0 event,login_start,20100907 22:22:43 uid,0,root id, gid,0,root euid,,root egid,,root process,32519,ssh return,0,yes acct,mijohnst addr,127.0.0.1 auid,500,mijohnst exe,/usr/sbin/sshd hostname,vm-rhel5 msg,PAM session open subj,system_u:system_r:unconfined_t:s0-s0:c0.c1023 terminal,ssh
Of course everything I need is in this entry, but how do I pick through what I don't need. I've written a short command to help.
Code:
egrep "return\,0\,yes" /var/log/audit/audit.log | awk '{print "Date = " $5" "$4"\t\tUID = "$13"\t\tFrom = "$14}'
The problem with this command is that the output data isn't always located in the same column. So UID might be $21 for one entry and $22 for the next. An example would be like:
Code:
Date = 22:22:43 event login_start 20100907 UID = acct mijohnst From = addr 127.0.0.1
Date = 22:22:43 event login_auth 20100907 UID = addr 127.0.0.1 From = auid 500 mijohnst
So I guess my question is, what's the best way to proceed? I'm thinking somehow I should be able to write a function that assigns the beginning of certain columns to a variable, i.e. any line beginning with "acct" would automatically be written into a variable called $ACCOUNT. Does that make sense?
I don't expect anyone to know this, I guess I'm still trying to solve it out in my head and it's helping to write it down, think about it and hope someone might have a direction to point me. As always, thanks again!
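One way to do exactly what the post describes (key the fields by the text before the first comma instead of by column number) is to let awk build an associative array per line. The example below is an added illustration, not code from the poster; it assumes the field layout of the single sample entry above (the time of day is the bare field that follows the "event,..." field, and the "return" field reads "0,yes" or "1,no"), and the log lines in SAMPLE_LOG are constructed to resemble that format rather than copied from a real audit log.

```sh
#!/bin/sh
# Constructed sample entries in the snare/LinuxKAudit format shown in the post.
# Line 3 is a non-sshd entry to show that the filter drops it.
SAMPLE_LOG='vm-rhel5 LinuxKAudit criticality,0 event,login_start,20100907 22:22:43 uid,0,root id, gid,0,root euid,,root egid,,root process,32519,ssh return,0,yes acct,mijohnst addr,127.0.0.1 auid,500,mijohnst exe,/usr/sbin/sshd hostname,vm-rhel5 msg,PAM session open subj,system_u:system_r:unconfined_t:s0-s0:c0.c1023 terminal,ssh
vm-rhel5 LinuxKAudit criticality,0 event,login_auth,20100907 22:23:01 uid,0,root process,32520,ssh return,1,no acct,mallory addr,10.0.0.5 auid,,mallory exe,/usr/sbin/sshd hostname,vm-rhel5 msg,PAM authentication terminal,ssh
vm-rhel5 LinuxKAudit criticality,0 event,login_start,20100907 22:24:10 uid,0,root process,32530,login return,0,yes acct,alice addr,? auid,501,alice exe,/bin/login hostname,vm-rhel5 msg,PAM session open terminal,tty1'

# parse_ssh_logins: read snare-style lines on stdin, print one tab-separated
# summary line per sshd entry: "<date> <time>  <account>  <yes|no>  <address>".
# Fields are looked up by their key (text before the first comma), so it does
# not matter which column a given key lands in.
parse_ssh_logins() {
  awk '
  {
    split("", kv)                       # portable way to clear the array per line
    for (i = 1; i <= NF; i++) {
      n = index($i, ",")
      if (n == 0) continue              # bare words (e.g. "session", "open") carry no key
      key = substr($i, 1, n - 1)
      val = substr($i, n + 1)
      kv[key] = val
      # "event,login_start,20100907" is followed by the bare time field "22:22:43"
      if (key == "event") {
        split(val, ev, ",")
        kv["date"] = ev[2]
        kv["time"] = $(i + 1)
      }
    }
    if (kv["exe"] != "/usr/sbin/sshd") next   # keep only SSH daemon entries
    split(kv["return"], r, ",")               # "0,yes" -> r[1]="0", r[2]="yes"
    printf "%s %s\t%s\t%s\t%s\n", kv["date"], kv["time"], kv["acct"], r[2], kv["addr"]
  }'
}

# Run against the constructed sample when executed directly; on a live box
# the input would instead be: parse_ssh_logins < /path/to/snare.log
printf '%s\n' "$SAMPLE_LOG" | parse_ssh_logins
```

Because every key is looked up by name, adding another column to the output (say the auid, or the terminal) is a one-word change in the printf rather than a hunt for the right $N, and an entry whose key is missing simply prints an empty column instead of shifting the others.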