LinuxQuestions.org

Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
How do I grep my /var/log/secure file for the past 7 days or so many days? (https://www.linuxquestions.org/questions/linux-newbie-8/how-do-i-grep-my-var-log-secure-file-for-the-past-7-days-or-so-many-days-4175444134/)

johnmccarthy 01-04-2013 08:07 AM

How do I grep my /var/log/secure file for the past 7 days or so many days?

New to linux (RHEL 5) and wondered how I grep against my /var/log/secure file to extract the last 7 days or so many days? I've read on the net how to extract a certain date range (example 1 through 15 December) but it would be too much trouble to keep entering the range when I can just get the last week's (or more) of data. A million thanks,
Johnny Mac

Below is a part of my /var/log/secure log.

Sep 7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
Sep 7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers
Sep 7 08:34:28 myhost sshd[7253]: Failed password for illegal user root from 62.75.999.999 port 53393 ssh2
Sep 7 11:55:18 myhost sshd[11672]: Accepted password for gooduser from 98.999.26.41 port 43104 ssh2
Sep 7 23:01:28 myhost sshd[22438]: Did not receive identification string from 999.56.32.999
Sep 8 06:31:30 myhost sshd[21814]: Accepted password for gooduser from 98.999.26.41 port 5978 ssh2

acid_kewpie 01-04-2013 08:20 AM

Well, secure should be rotated weekly, if not daily, so they should already be in a limited timescale. On a well managed system, each day /var/log/secure will be compressed at 4am to secure.1.gz, and a new file created.

As for grepping things regardless, you just need to craft a text string which suits what you want, e.g.
Code:

grep 'Sep [4-6]' /var/log/secure

Learn regular expressions, the world is your oyster!

johnmccarthy 01-04-2013 10:48 AM

Rotate Monthly

I rotate monthly which is why I was wondering if I could extrapolate based on a time-frame, not a date.

syg00 01-04-2013 10:56 AM

Code:

date -d "last week"

acid_kewpie 01-04-2013 04:57 PM

Quote:

Originally Posted by johnmccarthy (Post 4862961)
I rotate monthly which is why I was wondering if I could extrapolate based on a time-frame, not a date.

So no, you can't do it on a timeframe; you need to treat it all as text in grep.

unSpawn 01-04-2013 09:43 PM

Quote:

Originally Posted by johnmccarthy (Post 4862833)
New to linux (RHEL 5) and wondered how I grep against my /var/log/secure file to extract the last 7 days or so many days?

Code:

# Use like 'greprange 14 /var/log/secure':
# Loops from N days ago down to yesterday (today is not included) and greps
# each day's syslog timestamp; the pattern is quoted because '%b %e' contains
# a space (a space-padded day gives two), so unquoted it would split into
# two grep arguments.
greprange() { for ((i="$1";i>0;i--)); do grep "$(date --date="$i days ago" +'^%b %e.*sshd')" "$2"; done; }


Quote:

Originally Posted by johnmccarthy (Post 4862833)
Code:

Sep 7 08:34:25 myhost sshd[6127]: Failed password for illegal user root from 62.75.999.999 port 52663 ssh2
Sep 7 08:34:26 myhost sshd[7253]: User root not allowed because listed in DenyUsers

If this is about reporting also see Logwatch.
If this is about countering brute force logins see fail2ban.
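Building on syg00's date hint and unSpawn's greprange, the script below is an added example (not code posted by anyone in this thread). Instead of one grep per day, it asks GNU date for the last N day stamps (today included) and builds a single alternation pattern, so one pass over the file suffices; a second function also reads rotated copies so a weekly rotation doesn't hide the older part of the window. Assumptions: GNU date as on RHEL, the classic syslog timestamp where %e pads a single-digit day with a leading space ("Sep  7"), and numerically suffixed rotations (secure.1, secure.2.gz). The sample log is constructed, with timestamps generated relative to today and RFC 5737 documentation addresses in place of real IPs; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example: grep a syslog-format file for the last N days, today included.
# Assumes GNU date and "Mon  d HH:MM:SS host prog[pid]: msg" timestamps.

# Timestamp in syslog form for a GNU date expression, e.g. stamp '3 days ago'.
stamp() { date --date="$1" +'%b %e %H:%M:%S'; }

# Build one extended regex for the last N days, e.g. "^(Sep  7|Sep  6|Sep  5) ".
# %b = abbreviated month, %e = space-padded day, so the pattern matches the
# log's own padding instead of needing a fuzzy "Sep *7".
last_days_pattern() {
    days=$1 pattern="" i=0
    while [ "$i" -lt "$days" ]; do
        day=$(date --date="$i days ago" +'%b %e')
        pattern="${pattern:+$pattern|}$day"
        i=$((i + 1))
    done
    printf '^(%s) ' "$pattern"
}

# Print the lines of FILE from the last N days.
# Usage: grep_last_days 7 /var/log/secure
grep_last_days() {
    grep -E "$(last_days_pattern "$1")" "$2"
}

# Same, but also read rotated copies (FILE.1, FILE.2.gz, ...). Assumes
# logrotate's default numeric suffixes, not dateext names like secure-20130104.
grep_last_days_rotated() {
    pat=$(last_days_pattern "$1")
    for f in "$2" "$2".[0-9]*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.gz) zcat "$f" ;;
            *)    cat "$f" ;;
        esac
    done | grep -E "$pat"
}

# Number of lines from the last N days, as a bare integer for scripting.
count_last_days() {
    grep_last_days "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample log (not real data): one entry 10 days ago, one 3 days
# ago, one yesterday and one today, so a 7-day window should keep three.
make_sample_log() {
    {
        printf '%s myhost sshd[6127]: Failed password for invalid user root from 192.0.2.10 port 52663 ssh2\n' "$(stamp '10 days ago')"
        printf '%s myhost sshd[7253]: Accepted password for gooduser from 192.0.2.20 port 43104 ssh2\n' "$(stamp '3 days ago')"
        printf '%s myhost sshd[9001]: Failed password for invalid user admin from 192.0.2.30 port 40001 ssh2\n' "$(stamp '1 day ago')"
        printf '%s myhost sshd[9002]: Accepted publickey for gooduser from 192.0.2.20 port 5978 ssh2\n' "$(stamp 'now')"
    } > "$1"
}

sample=$(mktemp)
make_sample_log "$sample"
echo "Pattern for the last 7 days: $(last_days_pattern 7)"
echo "Entries from the last 7 days:"
grep_last_days 7 "$sample"
rm -f "$sample"
```

Against the real file you would run `grep_last_days 7 /var/log/secure` (or `grep_last_days_rotated 30 /var/log/secure` to reach into last month's archive); the resulting pattern is plain text exactly as acid_kewpie says, it is just generated rather than typed by hand each week.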

