Hi, I didn't find anything ready-made to tabulate occurrences in Shorewall ulog files, so I wrote the script below after doing the same thing by hand on the command line. I needed it to focus in on behaviour that had shown up at a higher level. I offer it below for general use under the GPL. I believe it has no bugs at present; however, I keep polishing (revising) it and do no systematic regression testing, so I can offer no guarantees, nor adherence to any particular coding standard.
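#!/bin/ksh
#
# Tabulate occurrences in shorewall ulog output read from stdin.
#
# Author: Jeff Green (2-1-09)
# nb: This cmd requires the input to be in ulog format
# License: GPLv3 or any later GPL license.
#
# Lines matching PATTERN (a grep regular expression) are kept, optionally
# narrowed to one protocol, and tallied into up to three tables:
#   day table      "<Mon>_<day> - <count>"  (suppressed with -n)
#   address table  "<ip>:<count>"           (-s source / -d destination)
#   port table     "<port>:<count>"         (-S source / -D destination)
# Address and port values are taken from the SRC=/DST=/SPT=/DPT= tokens of
# each line rather than from a fixed field number, so a line whose early
# fields differ (e.g. no MAC= token) is still tallied under the right key,
# and a line without the requested token (ICMP has no ports) is skipped
# instead of being counted under a date fragment.
#
# Needs ksh93 or bash 4+ (associative arrays, process substitution).
#
# Review notes on this revision:
#   * The user's pattern used to be spliced into a string handed to
#     "sh -c", so a pattern containing quotes, backquotes or $(...) ran as
#     shell commands.  grep now receives it as a plain argument.
#   * Option handling shifted by a per-flag counter, so clustered flags
#     such as "-sO" also shifted the pattern away; OPTIND is used instead.
#   * The tally loop was the tail of a pipeline, which only keeps the
#     arrays alive in ksh; it now reads from a process substitution.

prog=${0##*/}

usage() {
  echo "Usage: [ zcat zipped_ulog_files | ] cat ulog_files [-] | $prog [-utsdnSDOh] pattern"
}

# Option summary printed by -h, one tab-separated line per flag.
help() {
  printf '\t-u\trestricted to UDP messages\n'
  printf '\t-t\trestricted to TCP messages\n'
  printf '\t-s\ttabulate source IP addresses\n'
  printf '\t-d\ttabulate destination IP addresses\n'
  printf '\t-S\ttabulate source PORT numbers\n'
  printf '\t-D\ttabulate destination PORT numbers\n'
  printf '\t-n\tdo not output day tabulation table\n'
  printf '\t-O\toutput a sorted (Ordered) by count table\n'
  printf '\t-h\tThis message\n'
}

# Print the filtered input: PATTERN first, then the protocol restriction if
# one was requested.  "-e" stops a pattern that begins with "-" from being
# read as a grep option; the pattern itself is never evaluated by a shell.
# Reads: $pattern, $proto.
select_lines() {
  if [[ -n $proto ]]; then
    grep -e "$pattern" | grep -e "PROTO=$proto"
  else
    grep -e "$pattern"
  fi
}

# Set $value to the text following "<tag>=" in $line, up to the next blank,
# or to "" when the tag is absent.  $1 is the tag (SRC, DST, SPT or DPT).
# The result is passed back in a variable to avoid a subshell per line.
token_value() {
  if [[ $line == *"$1="* ]]; then
    value=${line##*"$1="}
    value=${value%%[[:space:]]*}
  else
    value=
  fi
}

# Copy "key:count" lines from stdin to stdout, ordered by count when -O
# was given.  Reads: $ordered.
emit_table() {
  if [[ -n $ordered ]]; then
    sort -n -t: -k2
  else
    cat
  fi
}

want_udp= want_tcp= proto= addr_tag= port_tag= nodate= ordered=
while getopts 'utsdnSDOh' opt; do
  case "$opt" in
    u) want_udp=1; proto=UDP ;;
    t) want_tcp=1; proto=TCP ;;
    s) addr_tag=SRC ;;
    d) addr_tag=DST ;;
    n) nodate=1 ;;
    S) port_tag=SPT ;;
    D) port_tag=DPT ;;
    O) ordered=1 ;;
    h) usage; help; exit 0 ;;
    *) usage >&2; exit 1 ;;
  esac
done
# OPTIND counts consumed words, so clustered flags shift correctly.
shift $((OPTIND - 1))

# Diagnostics go to stderr so they never land in a captured table.
if [[ -n $want_udp && -n $want_tcp ]]; then
  echo "$prog: both -u and -t cannot be set" >&2
  exit 1
fi
if [[ -n $ordered && -z $addr_tag && -z $port_tag ]]; then
  echo "$prog: -O option is irrelevant w/o the -s, -d, -S, or -D option" >&2
  exit 1
fi
if [[ $# -ne 1 ]]; then
  usage >&2
  exit 1
fi
pattern=$1

typeset -A cnt caddr cport

# Tally pass.  Keys are never placed inside $(( )): bash expands an
# associative-array subscript a second time there (the reason the
# assoc_expand_once shopt exists), so a key holding "$(...)" would run it;
# ${arr[$key]} outside arithmetic expands the key once.  "set -f" keeps the
# deliberately unquoted "set -- $line" -- which collapses runs of blanks the
# same way the old "echo $line | cut" field counting did -- from globbing on
# a "*" or "?" in a log line.
set -f
while IFS= read -r line; do
  set -- $line
  [[ $# -eq 0 ]] && continue          # "" is not a valid subscript
  if [[ -z $nodate ]]; then
    day="${1}_${2}"                   # e.g. "Feb_1"
    cnt[$day]=$(( ${cnt[$day]:-0} + 1 ))
  fi
  if [[ -n $addr_tag ]]; then
    token_value "$addr_tag"
    [[ -n $value ]] && caddr[$value]=$(( ${caddr[$value]:-0} + 1 ))
  fi
  if [[ -n $port_tag ]]; then
    token_value "$port_tag"           # absent on ICMP lines: skipped
    [[ -n $value ]] && cport[$value]=$(( ${cport[$value]:-0} + 1 ))
  fi
done < <(select_lines)
set +f

if [[ -z $nodate ]]; then
  for k in "${!cnt[@]}"; do
    printf '%s - %s\n' "$k" "${cnt[$k]}"
  done | sort -t' ' -k1
fi
if [[ -n $addr_tag ]]; then
  for k in "${!caddr[@]}"; do
    printf '%s:%s\n' "$k" "${caddr[$k]}"
  done | emit_table
fi
if [[ -n $port_tag ]]; then
  for k in "${!cport[@]}"; do
    printf '%s:%s\n' "$k" "${cport[$k]}"
  done | emit_table
fi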