Bash script for server log (namely var/log/messages)
Hi all,
I need a bash script to traverse a filesystem from a server and look for suspicious activity. This is mainly suspicious activity in the messages log, such as port probing from the same IP address, repeated failed login attempts, etc.
I've managed to traverse the filesystem but could do with a hand looking for suspicious activity, as I am not used to checking server logs.
Any help with the script, or with how to identify indicators of suspicious activity, is appreciated.
That would depend on what you actually want to find, and also on understanding the log format.
For example, if your applications log to file using "failed", "Failed", "Error", etc., then you might want to use grep/awk/sed on these words.
I had a search through for failed logins, but there doesn't appear to be any. I've been told there has been some port probing, but I wouldn't know the first place to look for that. An example of the log, after server startup, is:
The script is part of a project I'm doing, so I have to write the majority myself, although I can adapt scripts already out there. I imagine my script doesn't need to be as polished/complete as those either. Thanks for the suggestion though.
Looking at your log, the SRC and DST values (even SPT and DPT) may be useful. Because you will have a list of internal LAN IPs and IP segments (I assume you have), you can write a script to check the SRC values: if they are not in your internal IP list, then you can filter them out. You can also count the number of times the same time value comes out, e.g. count how many occurrences of 13:20:53 (or even of 13:20, within the minute).
etc. The list goes on.
Thanks ghostdog, that sounds like something I should do. Any tips on how to code that?
I was also thinking of maybe checking if the same SRC IP address is probing different ports on the system. If anyone could help with the code for what ghostdog suggested, or for the probing issue, I'd be grateful.
EDIT: Just so it's clear, I need my script to traverse the server filesystem and, once it finds the messages log file, to read through it for suspicious activity (as mentioned above, things like port probing etc.).
Any other files it could check for suspicious activity is a bonus, as are other suspicious things to look out for in the messages log.
Thanks,
Bob.
Last edited by tenaciousbob; 05-18-2007 at 01:50 AM.
What's your scripting experience like?
This is quite a task, but I'll just give you some suggestions. You can use sed/grep/awk/perl/python to do file processing. I'll give a short example in awk:
Code:
awk '
{
    # walk every whitespace-separated field of the line
    for (i = 1; i <= NF; i++) {
        if ($i ~ /SRC/) {
            # strip the "SRC=" prefix, leaving the bare address
            sub(/^SRC=/, "", $i)
            # count how many lines each source address appears in
            srcip[$i]++
        }
    }
}
END {
    # print "count address" for every source address seen
    for (i in srcip) {
        print srcip[i], i
    }
}' logfile
output:
Code:
# ./test.sh
5 127.0.0.1
6 10.0.2.15
The script above just counts the number of lines per source IP and displays them at the end. So, by viewing the output, if you get a lot of transactions from a single IP, you can start investigating.
Just an example, but it shows you how you can proceed. Similarly, this can be done with other language tools.
Thanks for that ghostdog. I tried it, but I keep getting a syntax error near line 5 (once you have #!/bin/bash at the top). I have some coding experience, but I'm stuck on this.
Thanks for that ghostdog. The server I'm working on has nawk, and the script is working perfectly now.
Is there any way of adding to the script so that it would count the IPs as it does now, but also count the destination ports too? So, for example, if IP 10.0.2.15 probed destination port 984 10 times, it would display '10.0.2.15 probed port 984 10 times'.
I tried fiddling about, adding another array to count ports, which worked, but it obviously didn't make the connection with the IPs too.
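The following is an added example, not ghostdog's awk script and not anything Bob posted, that carries his one-array count through to what the last two posts ask for: the per-source-and-port count ("10.0.2.15 probed port 984 N times"), a distinct-ports-per-source view of the probing pattern, ghostdog's "is this SRC in our internal list" filter, and his hits-per-minute count. The sample log lines, the INTERNAL_PREFIXES list and the assumption that the timestamp is the third whitespace field (HH:MM:SS) are all constructed for the example; the functions read the files given as arguments, or stdin when there are none, so `src_dpt_counts /var/log/messages` is the real invocation.

```shell
#!/bin/bash
# Added example for this thread, not ghostdog's script or anything posted by
# Bob: summarise the iptables-style SRC=/DPT= fields found in a messages log.
# Assumptions (not from the thread): the timestamp is the third whitespace
# field as HH:MM:SS, firewall fields are NAME=value tokens, and both
# INTERNAL_PREFIXES and the sample lines below are constructed for the example.

# Constructed sample log, in the kernel/iptables style discussed in the thread.
SAMPLE_LOG='May 18 13:20:53 srv kernel: IN=eth0 OUT= SRC=10.0.2.15 DST=10.0.2.2 PROTO=TCP SPT=40001 DPT=984
May 18 13:20:53 srv kernel: IN=eth0 OUT= SRC=10.0.2.15 DST=10.0.2.2 PROTO=TCP SPT=40002 DPT=984
May 18 13:20:54 srv kernel: IN=eth0 OUT= SRC=10.0.2.15 DST=10.0.2.2 PROTO=TCP SPT=40003 DPT=984
May 18 13:21:10 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.2 PROTO=TCP SPT=5555 DPT=22
May 18 13:21:10 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.2 PROTO=TCP SPT=5555 DPT=23
May 18 13:21:11 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.2 PROTO=TCP SPT=5555 DPT=80
May 18 13:21:11 srv kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.2.2 PROTO=TCP SPT=5555 DPT=443
May 18 13:22:00 srv sshd[123]: Accepted password for bob from 10.0.2.20 port 50000 ssh2'

# Assumed internal address space for the "is this one of ours" check.
INTERNAL_PREFIXES='10.0.2. 192.168.1.'

# Shared extractor: prints "HH:MM SRC DPT" for every line carrying both fields.
# Same field walk as the thread's awk, but anchored on "SRC=" / "DPT=" so a
# field that merely contains those letters (e.g. DST=) is never picked up.
extract_src_dpt() {
    awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") print substr($3, 1, 5), src, dpt
    }' "$@"
}

# Count per (source, destination port) pair: "COUNT SRC DPT", busiest first.
src_dpt_counts() {
    extract_src_dpt "$@" |
        awk '{ n[$2 " " $3]++ } END { for (k in n) print n[k], k }' |
        sort -k1,1nr -k2,2 -k3,3n
}

# Per source: distinct destination ports touched and total hits.
# One address touching many ports is the port-probing pattern asked about.
# Output: "SRC DISTINCT_PORTS TOTAL_HITS", most ports first.
probe_report() {
    extract_src_dpt "$@" |
        awk '{ total[$2]++; if (!seen[$2, $3]++) ports[$2]++ }
             END { for (s in total) print s, ports[s], total[s] }' |
        sort -k2,2nr -k1,1
}

# Sources outside every INTERNAL_PREFIXES entry, one per line, deduplicated.
external_sources() {
    extract_src_dpt "$@" |
        awk -v prefixes="$INTERNAL_PREFIXES" '
            BEGIN { n = split(prefixes, p, " ") }
            {
                internal = 0
                for (i = 1; i <= n; i++) if (index($2, p[i]) == 1) internal = 1
                if (!internal && !done[$2]++) print $2
            }'
}

# Log lines per minute (all lines, not only firewall ones): "COUNT HH:MM".
hits_per_minute() {
    awk '{ m[substr($3, 1, 5)]++ } END { for (k in m) print m[k], k }' "$@" |
        sort -k2,2
}

# Stand-alone demo over the constructed sample, in the sentence form Bob asked for.
printf '%s\n' "$SAMPLE_LOG" | src_dpt_counts |
    awk '{ print $2, "probed port", $3, $1, "times" }'
printf '%s\n' "$SAMPLE_LOG" | probe_report
printf '%s\n' "$SAMPLE_LOG" | external_sources
printf '%s\n' "$SAMPLE_LOG" | hits_per_minute
```

Only POSIX awk features are used (substr, index, split, the `seen[a, b]` two-key subscript), so it runs under nawk as well as gawk or mawk. The link Bob was missing between his two arrays is the compound key: `n[$2 " " $3]` counts the source and port together, and `seen[$2, $3]` lets `probe_report` count each port once per source while `total` still counts every hit.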