On Thu, Apr 15, 2010 at 12:08 PM, Paul Swafford
<[email protected]> wrote:
> Basically what I'd like is to extract date / time / IP address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info...
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2
> "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log
Install DenyHosts or Fail2Ban :-)
How about you show us a sample log entry that you're trying to locate
... not everyone has the same logs ...
Also, what info do you really need to extract, and why?
So ... what are fields 0 1 2 12 14 15 and why do you want them? Why do
you want them sorted into order? If you don't want the first 6 bytes
(not characters?) why are you asking awk to print them, etc etc.
Here's an Ubuntu auth.log entry :-
Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2
# grep "Failed password for" /var/log/auth.log|awk '{print $11, $9}'
210.17.251.159 root
210.17.251.159 root
...
-jim
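An added example (not code from either mail in the thread) that does what Paul asked for: it pulls date, time, IP and user out of sshd "Failed password" lines and counts them per source. The log lines below are constructed for the example; the parsing keys on the word "from" rather than fixed field numbers, because the "invalid user NAME" variant adds two words and shifts the $9/$11 positions used above.

```shell
#!/bin/sh
# Added example: parse sshd "Failed password" lines into date, time, IP and user.
# Sample log lines are constructed for this example (198.51.100.x and 192.0.2.x
# are documentation address ranges), not taken from a real host.
SAMPLE_LOG='Apr 12 10:49:36 encode sshd[4894]: Failed password for root from 210.17.251.159 port 54129 ssh2
Apr 12 10:49:40 encode sshd[4896]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Apr 12 10:50:01 encode sshd[4900]: Accepted password for jim from 192.0.2.10 port 50000 ssh2
Apr 12 10:50:12 encode sshd[4902]: Failed password for root from 210.17.251.159 port 54130 ssh2'

# Reads auth.log lines on stdin; prints "Mon DD HH:MM:SS IP user" per failure.
# The IP and user are located relative to the word "from" instead of by fixed
# field numbers, so "Failed password for invalid user NAME from ..." (two extra
# words) is handled the same as "Failed password for NAME from ...".
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        ip = ""; user = ""
        for (i = 1; i <= NF; i++)
            if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
        if (ip != "") print $1, $2, $3, ip, user
    }'
}

# Counts failures per (IP, user) pair, most frequent first: the same
# "sort | uniq -c" idea as in the thread, keyed on the right fields.
failed_login_summary() {
    failed_logins | awk '{ print $4, $5 }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_login_summary
```

Feed it the real file with `failed_login_summary < /var/log/auth.log` (or `/var/log/secure` on Red Hat style systems, where the message prefix differs and the awk pattern needs adjusting).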