LinuxQuestions.org
Old 04-09-2003, 05:18 PM   #1
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Rep: Reputation: 30
I need help with a Perl script


Hello everyone. I need some help writing a perl script. I have been going crazy trying to write this script. I should mention that I am new to Perl, so I am learning as much as I can.

Here is what I want to do: I am trying to extract information from a firewall log and put it into a new file. I only want to extract certain pieces of information. Here are a few examples:

Let me show what I am trying to pull out of the file:

03/13/03 16:44:56 kernel Temporarily blocking host 212.241.116.21

(This is where the initial block occurs, the firewall will then continue to block all attempts from this IP address. I would like to extract all entries in the firewall like this one.)

03/13/03 16:44:57 firewalld103 deny in eth0 48 tcp 20 117 212.241.11.21 209.126.xxx.xxx 4449 80 syn (LO-Proxied-HTTP)

(At this point, the firewall continues to block the attempt. I would like to extract all lines in the firewall that contain this as well...contains very useful information such as ports and packet sizes.)

With that in mind, can I ask for someone to help me build my script? I feel like I am butting my head against a wall. I know I have much to learn, but can learn a lot from seeing the script and breaking it down to see how it functions.

I really need help. If someone can help me write this script, I would be extremely grateful.

Thanks.

Tarballed
 
Old 04-09-2003, 05:30 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
If you want to put the info in a new file then try this
Code:
#!/usr/bin/perl
use strict;
use warnings;

# START CONFIG
my $firewall_log = "/path/to/the/fw_log";
my $my_new_log   = "/path/to/the/new_log";
# END CONFIG

# Three-argument open with an explicit mode; stop with the OS error if it fails.
open(my $fw_log, '<', $firewall_log)
    or die "Cannot open $firewall_log: $!\n";
# Append to the new log so earlier runs are kept.
open(my $my_new_file, '>>', $my_new_log)
    or die "Cannot open $my_new_log for appending: $!\n";

# Read one line at a time instead of slurping the whole log into memory.
while (my $line = <$fw_log>) {
    # Keep the initial "Temporarily blocking host" line (with or without the
    # colon after "kernel") and every "deny in eth..." line that follows it.
    if ($line =~ /kernel:? Temporarily blocking host/ || $line =~ /deny in eth/) {
        print {$my_new_file} $line;
    }
}

close($fw_log);
close($my_new_file) or die "Error writing $my_new_log: $!\n";

exit 0;
You could also set it to send an e-mail alert when it initially blocks a host.

Last edited by david_ross; 04-09-2003 at 05:32 PM.
 
Old 04-09-2003, 05:48 PM   #3
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
Hey, Thanks david_ross. That really helps. Here is a little snip from the result:

1172908 04/05/03 03:42:52 y kernel Temporarily blocking host 217.162.109.213

It grabs the time, date and host it is blocking.

With that in mind, let me ask if there is something else I can add to this script to further grab the information.

The little script effectively was able to accomplish this part of my goal:

03/13/03 16:44:56 kernel Temporarily blocking host 212.241.116.21

grabbing this information.

Now, is it possible to add something else to the script so I can extract instances like the following:

03/13/03 16:44:57 firewalld103 deny in eth0 48 tcp 20 117 212.241.11.21 209.126.xxx.xxx 4449 80 syn (LO-Proxied-HTTP)

Same IP address, just another entry in the log.

This possible?

I really appreciate your help. This is great. I am starting to understand it more.

Tarballed
 
Old 04-09-2003, 05:51 PM   #4
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
Hello again.

Here is a little snip from my firewall showing more info of what I want to extract:

04/09/03 15:34 kernel: Temporarily blocking host 172.174.112.156
04/09/03 15:34 firewalld[104]: deny in eth0 60 icmp 20 116 172.174.112.156 209.126.131.11 8 0 (Ping)
04/09/03 15:34 firewalld[104]: deny in eth0 60 icmp 20 116 172.174.112.156 209.126.131.12 8 0 (blocked site)

Maybe I can use the word BLOCKED as an expression. Thus, I could pull any entries that have blocked in them and put it into a file?

That possible?

Tarballed
 
Old 04-09-2003, 05:51 PM   #5
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
I thought I had done that with the second part of the line:
if($line =~ /kernel Temporarily blocking host/ || $line =~ /deny in eth/)

Can you post the EXACT copied output in a CODE block so I can try it myself.
 
Old 04-09-2003, 05:52 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
lol
 
Old 04-09-2003, 05:57 PM   #7
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
You want the output of the file?
Or just the entire script?


Tarballed

Sorry if that sounds odd...i've had a long day. :/
 
Old 04-09-2003, 05:57 PM   #8
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Which are the exact messages? They are different in both posts.
 
Old 04-09-2003, 06:01 PM   #9
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
Oh, my mistake. Sorry about that. I was trying to get some additional information that may be helpful. I showed two different instances of blocking going on against different IP addresses. Both have the same results, just different IP addresses.

Here are the lines I would like to block:


04/09/03 15:34 kernel: Temporarily blocking host 172.174.112.156

(This is the initial block and goes into a temporarily blocked list...any attempts after that have something similar, like below)

04/09/03 15:34 firewalld[104]: deny in eth0 60 icmp 20 116 172.174.112.156 209.126.131.12 8 0 (blocked site)

Same IP address, just a different response. You can see here (blocked site) is why it is being blocked.

Possible to set it up to use 'blocked' as what to look for, and grab the whole line?

I hope this is helpful and what you are looking for.

Tarballed
 
Old 04-09-2003, 06:10 PM   #10
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
david_ross,

The extracts from the previous post are exactly how they come out of the firewall log.

I hope this is what you needed. If not let me know and I will get what you need asap.

T
 
Old 04-09-2003, 06:11 PM   #11
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
The difference was actually the colons:
03/13/03 16:44:56 kernel Temporarily blocking host 212.241.116.21
04/09/03 15:34 kernel: Temporarily blocking host 172.174.112.156

You can set the script to pick up whatever you want - just modify the if statement.

In this case the lines containing "foo", "bar" and "chocolate bar" will be put in the new file.
if($line =~ /foo/ || $line =~ /bar/ || $line =~ /chocolate bar/){

The expression "$line =~ /foo/" says - look for "foo" in variable "$line". As $line is not modified we can just append $line to the file and we get the whole line.

You can replace "foo" with any regular expression you want. Take a look at these examples:
http://goldenink.com/perl/regexp1.html

Let me know if you run into difficulty.
 
Old 04-09-2003, 06:27 PM   #12
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
Ahh, I see.

Very interesting.
Now that I understand how to pick out a certain line of text,
can I setup another string to pick out additional text? For instance, if the word blocked appears anywhere in the file, can I add that to this script as well and output it to the same file?

Thanks again.

Tarballed
 
Old 04-09-2003, 06:32 PM   #13
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Yes - just add it to the list. Make sure the list items are separated by 2 pipes || this is the equivalent of the or command.
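As an added example that is not david_ross's script or anything posted in this thread: the same idea taken one step further. Instead of only copying matching lines to a new file, it recognises both line formats seen above (the colon-less "kernel ... firewalld103" form and the "kernel: ... firewalld[104]:" form), captures the fields of each deny line, and ties every deny back to the host the kernel "Temporarily blocked", which is what turns the log into something you can act on. The sample lines are constructed from the ones in the thread (the masked 209.126.xxx.xxx destinations and one extra unblocked source, 10.9.8.7, are filled in here), and the meaning given to the two numeric fields after the protocol is an assumption not stated anywhere in the thread, so they are skipped rather than named.

```perl
#!/usr/bin/perl
# Added example, not the script posted in this thread: handle both log
# formats shown above ("kernel" / "firewalld103" and "kernel:" / "firewalld[104]:"),
# tie every deny line back to the host the kernel temporarily blocked, and
# report what each blocked host was trying to reach.
use strict;
use warnings;

# Constructed sample lines modelled on the thread's posts; the unmasked
# 209.126.x.x destinations and the 10.9.8.7 source are filled in here.
my @sample = (
    '03/13/03 16:44:56 kernel Temporarily blocking host 212.241.116.21',
    '03/13/03 16:44:57 firewalld103 deny in eth0 48 tcp 20 117 212.241.116.21 209.126.131.11 4449 80 syn (LO-Proxied-HTTP)',
    '04/09/03 15:34 kernel: Temporarily blocking host 172.174.112.156',
    '04/09/03 15:34 firewalld[104]: deny in eth0 60 icmp 20 116 172.174.112.156 209.126.131.11 8 0 (Ping)',
    '04/09/03 15:34 firewalld[104]: deny in eth0 60 icmp 20 116 172.174.112.156 209.126.131.12 8 0 (blocked site)',
    '04/09/03 15:35 firewalld[104]: deny in eth0 60 icmp 20 116 10.9.8.7 209.126.131.12 8 0 (Ping)',
);

my $ts = qr{\d\d/\d\d/\d\d \d\d:\d\d(?::\d\d)?};   # "03/13/03 16:44:56" or "04/09/03 15:34"
my $ip = qr{\d{1,3}(?:\.\d{1,3}){3}};

# "kernel" vs "kernel:" is the only difference between the two block-line formats.
my $block_re = qr{($ts) .*\bkernel:? Temporarily blocking host ($ip)\s*$};

# deny <dir> <iface> <len> <proto> <n1> <n2> <src> <dst> <a> <b> [flags] (<reason>)
# For tcp, <a>/<b> are the source/destination ports and a flags word ("syn")
# follows; for icmp they are type/code and there is no flags word.
# <n1>/<n2> are not named anywhere in the thread, so they are skipped here.
my $deny_re = qr{^($ts) firewalld\S* deny (in|out) (\S+) (\d+) (\S+) \d+ \d+ ($ip) ($ip) (\d+) (\d+)(?: (\S+))? \((.*)\)\s*$};

# Returns (\%blocked, \@orphans): blocked hosts keyed by source IP, each with
# the time of the block and the deny lines logged for that host, plus any
# deny lines whose source was never "Temporarily blocked".
sub correlate {
    my (%blocked, @orphans);
    for my $line (@_) {
        chomp(my $l = $line);
        if ($l =~ $block_re) {
            my ($when, $host) = ($1, $2);
            $blocked{$host}{first} = $when;
            $blocked{$host}{denies} ||= [];
        }
        elsif ($l =~ $deny_re) {
            my %d = (when => $1, dir => $2, iface => $3, len => $4, proto => $5,
                     src => $6, dst => $7, a => $8, b => $9, flags => $10, reason => $11);
            if (exists $blocked{ $d{src} }) {
                push @{ $blocked{ $d{src} }{denies} }, \%d;
            }
            else {
                push @orphans, $l;   # denied but never blocked: worth a look on its own
            }
        }
    }
    return (\%blocked, \@orphans);
}

# One summary line per blocked host, then one line per distinct target/reason.
sub report {
    my ($blocked, $orphans) = @_;
    my @out;
    for my $host (sort keys %$blocked) {
        my $b = $blocked->{$host};
        my %hits;
        for my $d (@{ $b->{denies} }) {
            my $what = $d->{proto} eq 'icmp' ? "icmp type $d->{a}" : "$d->{proto}/$d->{b}";
            $hits{"$what to $d->{dst} ($d->{reason})"}++;
        }
        push @out, sprintf('%s blocked at %s, %d denied packet(s) after that',
                           $host, $b->{first}, scalar @{ $b->{denies} });
        push @out, "    $hits{$_} x $_" for sort keys %hits;
    }
    push @out, "deny with no matching block: $_" for @$orphans;
    return @out;
}

# With no arguments the built-in sample is used; otherwise each argument is a log file.
# Three-argument open is used so a file name can never be read as a pipe or a mode.
my @lines = @sample;
if (@ARGV) {
    @lines = ();
    for my $file (@ARGV) {
        open(my $fh, '<', $file) or die "Cannot read $file: $!\n";
        push @lines, <$fh>;
        close($fh);
    }
}
print "$_\n" for report(correlate(@lines));
```

Run it with no arguments to see the sample processed, or give it one or more log file paths. On the sample it prints one line for each blocked host with the time of the block and the number of denies that followed, then a count per destination and reason (for the tcp line that is "tcp/80 to 209.126.131.11 (LO-Proxied-HTTP)", for the icmp lines "icmp type 8 to ..."), and finally the 10.9.8.7 deny flagged as having no matching block. That last category is the one worth watching: a source that is being denied without ever having been put on the temporary block list is not covered by the "Temporarily blocking host" search the thread started with.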
 
Old 04-09-2003, 06:47 PM   #14
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
You are a life saver!

Thank you very much. I understand a ton more now of what I can and cannot do with perl.

I just need more practice.

Thanks a ton!

Tarballed
 
Old 04-09-2003, 06:50 PM   #15
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
No problem - let me know if you want an example where you are issued with an e-mail alert or something when the host is first blocked.
 
  

