I'm not a programmer and barely a scripter (compared to many of the gods here), so I'm having a hard time deciding what I should do in parsing the snare.log file. I only need a bit of information from certain lines. For instance, when someone logs in with SSH, I want to know when, who, successful/unsuccessful and from where.
The problem with this command is that the output data isn't always located in the same column. So UID might be $21 for one entry and $22 for the next. An example would be like:
Code:
Date = 22:22:43 event login_start 20100907 UID = acct mijohnst From = addr 127.0.0.1
Date = 22:22:43 event login_auth 20100907 UID = addr 127.0.0.1 From = auid 500 mijohnst
So I guess my question is, what's the best way to proceed? I'm thinking somehow I should be able to write a function that assigns the beginning of certain columns to a variable, i.e., any line containing "acct" would automatically have the value written into a variable called $ACCOUNT. Does that make sense?
I don't expect anyone to know this; I guess I'm still trying to work it out in my head, and it's helping to write it down, think about it and hope someone might have a direction to point me. As always, thanks again!
Well, you have to buy Sawmill, and I was looking for something to work with that I already have... Also, I audit and roll my logs every week. Thanks for the suggestion though.
Thanks for the suggestion, Quanta. OSSEC looks good, but I don't want to have to install agents, enable httpd or anything like that. I have a whole security process that I would have to go through in order to allow use of something like OSSEC or Sawmill. I want to keep it simple... which means just parsing the snare.log file for the week and then rolling the logs off the machines. Anyway, thanks for the suggestion.
I'm reasonably fluent at parsing text strings with bash but would choose awk for this task; it could be done in bash but would be difficult to write in a transparent way and so difficult to maintain. Please say if using awk is not acceptable for you and I'll see if anything half-comprehensible can be written in bash but I'll need an example of every type of line from the log.
In that case I would probably use cut with a for loop and an if statement to check for the word UID, then base the rest of the parsing for the line on the results of that.
In pseudocode:
Code:
# Scan the space-separated fields of one log line (in $line) until the
# word UID is found; uidcolumn then holds that field number and the rest
# of the line can be parsed relative to it.
uidcolumn=0
for (( c=1; c<=100; c++ )); do
    field=`printf '%s\n' "$line" | cut -d ' ' -f "$c"`
    [ -z "$field" ] && break        # ran past the last field
    if [ "$field" = "UID" ]; then
        uidcolumn=$c
        break
    fi
done
This might not be the best idea, but it should work. Note that the backticks (`) tell the shell that the part between them is a shell command.
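As an added example (not code from any poster in this thread), here is the approach both suggestions point at, written in awk: instead of hard-coding column numbers, walk the fields of each snare.log line and treat the key words seen in the posted lines ("Date =", "event", "acct", "addr", "auid") as markers for the value that follows them. The first two sample lines are modelled on the ones posted above; the third is constructed to show a line with a key missing. The sample has no success/failure flag, so none is extracted; the set of key words is an assumption taken from the two posted lines and would need extending for other line types.

```shell
#!/bin/sh
# Added example, not from the thread: parse snare.log by key word rather than
# by column number, so a value is found wherever it lands on the line.

# Constructed sample input (first two lines modelled on the thread, the third
# invented to show a line where some keys are absent).
SAMPLE='Date = 22:22:43 event login_start 20100907 UID = acct mijohnst From = addr 127.0.0.1
Date = 22:22:43 event login_auth 20100907 UID = addr 127.0.0.1 From = auid 500 mijohnst
Date = 22:23:01 event login_start 20100907 UID = acct root'

# Read log lines on stdin and emit one tab-separated record per line:
#   time  date  event  acct  addr  auid      ("-" where a key is absent)
parse_snare() {
    awk '
    # Return the value stored for key k, or "-" if the line did not carry it.
    function get(k) { return (k in kv) ? kv[k] : "-" }

    BEGIN { OFS = "\t" }
    {
        split("", kv)                       # clear the per-line key/value map
        for (i = 1; i <= NF; i++) {
            if ($i == "Date" && $(i + 1) == "=")
                kv["time"] = $(i + 2)       # "Date = HH:MM:SS"
            else if ($i == "event")
                kv["event"] = $(i + 1)      # "event login_start"
            else if ($i ~ /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]$/)
                kv["date"] = $i             # bare YYYYMMDD token, no key word
            else if ($i == "acct" || $i == "addr" || $i == "auid")
                kv[$i] = $(i + 1)           # value is the field after the key
        }
        print get("time"), get("date"), get("event"),
              get("acct"), get("addr"), get("auid")
    }'
}

# Count login_start events per account (reads raw log lines on stdin).
count_login_starts() {
    parse_snare | awk -F'\t' '
        $3 == "login_start" && $4 != "-" { n[$4]++ }
        END { for (a in n) print a, n[a] }' | sort
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | parse_snare
printf '%s\n' "$SAMPLE" | count_login_starts
```

Real use would be `parse_snare < /var/log/snare.log` (or the week's rolled file); because each key is matched by name, a line whose "acct" sits in field 10 and one whose "acct" sits in field 14 both end up in the same output column, which is what makes the result safe to feed into cut, sort or a further awk pass.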
Thanks very much for the responses, guys! Some very good ideas here. I wish I knew more about Python because I've heard it's powerful. I think, however, I'm going to go with the awk script... only because I know more about it and I have the sed/awk books on hand. When I figure it out I'll post it here in hopes it will help others.