The solution from marozsas is innovative but I'm not sure I can chain it together like I can with the "-e" option of sed. It also keeps information outside of just the data I want. What I am looking to do is filter a number of lines (firewall logs) that will have similar data but things that are always different (timestamps).
One of my colleagues that does a lot of system administration suggested the following:
Code:
sed -n 's/.*rule: \(.*\); rule_uid.*/\1/p'
This works well and can probably be chained with "-e", but I'm not sure I can confirm that "rule_uid" will **always** follow "rule:".
So what I am looking for is a way to turn a line like this:
19Aug2008 14:13:38 208.246.35.27 rule: 56; rule_uid: {7C56FACF1-638C-4BA-B400-65513F787C}; rule_name: 56 - This is a Test; service_id: smtp_30; src: 192.68.10.23; dst: 10.80.110.20; proto: tcp; service: smtp_30; s_port: 49594;
Into something like this:
source: 192.168.10.23 destination: 10.80.110.20 protocol: tcp service: smtp_30
To do that I need a code snippet that can match a pattern (example: "src: ") and then match the next occurrence of a character (example: ";") and provide me the data in between. I also need to be able to chain it together so that I can match multiple sets of patterns on the same line (ex: src, dst, service ...).
Here are some additional logs:
Code:
18Aug2008 17:35:56 accept 192.168.5.23 rule: 28; rule_uid: {DA2C3F50-499B3B32}; rule_name: VPN to Internal; service_id: snmp; src: 10.5.3.1; dst: 172.18.34.2; proto: udp; service: snmp; s_port: 1025;
18Aug2008 17:35:55 accept 192.168.10.8 rule: 17; rule_uid: {C730785E-6E7A2A74}; rule_name: Caching DNS to Inet; session_id: 41833; dns_query: www.google.com ; dns_type: A; service_id: domain-udp; src: 61.28.5.4; dst: 204.2.243.44; proto: udp; service: domain-udp; s_port: 33551;
18Aug2008 17:35:55 accept 192.168.10.8 rule: 22; rule_uid: {FCD9233-B070260780}; rule_name: To Internal; src: 192.168.66.42; dst: 10.24.3.6; proto: tcp; service: 1533; s_port: 44552;
-Craig
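An added example (not from the post above) of the "key: ... ;" extraction the question asks for, using the post's own sample log lines: the capture stops at the first ";" after the key, so it does not depend on which field happens to follow (the rule_uid-after-rule concern). The `field` and `summarize` function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Extract "key: value;" fields from
# firewall log lines without assuming the order of the fields that follow.

# Constructed from the sample lines in the post (three records).
SAMPLE_LOGS='18Aug2008 17:35:56 accept 192.168.5.23 rule: 28; rule_uid: {DA2C3F50-499B3B32}; rule_name: VPN to Internal; service_id: snmp; src: 10.5.3.1; dst: 172.18.34.2; proto: udp; service: snmp; s_port: 1025;
18Aug2008 17:35:55 accept 192.168.10.8 rule: 17; rule_uid: {C730785E-6E7A2A74}; rule_name: Caching DNS to Inet; session_id: 41833; dns_query: www.google.com ; dns_type: A; service_id: domain-udp; src: 61.28.5.4; dst: 204.2.243.44; proto: udp; service: domain-udp; s_port: 33551;
18Aug2008 17:35:55 accept 192.168.10.8 rule: 22; rule_uid: {FCD9233-B070260780}; rule_name: To Internal; src: 192.168.66.42; dst: 10.24.3.6; proto: tcp; service: 1533; s_port: 44552;'

# field KEY: read log lines on stdin and print the value of " KEY: ...;" from
# each line that has it. The leading space keeps "service:" from matching
# inside "service_id:", and "[^;]*" stops at the first ";" whatever key is next.
# Lines without the key print nothing (sed -n plus the p flag).
field() {
    sed -n "s/.* $1: \([^;]*\);.*/\1/p"
}

# summarize: chain the four captures in one substitution and print the
# "source: ... destination: ... protocol: ... service: ..." form from the post.
# Extra fields between them (session_id, dns_query, ...) are skipped by ".*".
# A line missing any one of the four fields is dropped rather than half-printed.
summarize() {
    sed -n -E 's/.* src: ([^;]*);.* dst: ([^;]*);.* proto: ([^;]*);.* service: ([^;]*);.*/source: \1 destination: \2 protocol: \3 service: \4/p'
}

# Demo: per-field extraction, then the chained summary of all sample lines.
printf '%s\n' "$SAMPLE_LOGS" | field src
printf '%s\n' "$SAMPLE_LOGS" | summarize
```

The same `field` function works for any key in these lines (`field rule`, `field dns_query`), and `summarize` can be extended with more captures in the same substitution.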