Hi Paul,

Logwatch might be of some help here. It's designed to report those types of things in a summary, but you can change the detail level to get more out of the report. Most settings will be installed in /etc/logwatch.conf and /etc/logwatch(.d) or similar. And it's just a set of Perl scripts, so you can always dig in the code if needed.

Cheers,
sV

On 15 April 2010 12:08, Paul Swafford <[email protected]> wrote:
> Hi there!
>
> basically what I'd like is to extract date / time / IP address from the log
> where a user has made a failed attempt.
>
> This is what I have tried... but it's a bit too much info ..
>
> grep "authentication failure" /var/log/secure | awk '{print $0"-" $1 "-" $2 "-->" $12 "->" $14 "->" $15}' | cut -b7- | sort | uniq -c > hack.log
>
> Any hints / tips ?
>
> .. thanks in advance
>
> Paul
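
An added example, not part of either message in this thread: a shell/awk sketch that pulls date, time, source host and target user out of "authentication failure" lines by key name rather than by field number, since `user=` is missing from the line when the account does not exist and fixed positions like `$15` then shift. It assumes the usual pam_unix line layout in /var/log/secure; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# failed_auth [FILE...] -> one line per failure: "Mon DD HH:MM:SS rhost user"
# Reads stdin when no file is given. A missing rhost= or user= prints as "-".
failed_auth() {
    awk '/authentication failure/ {
        rhost = "-"; user = "-"
        for (i = 1; i <= NF; i++) {
            # Anchored match, so "ruser=" is never mistaken for "user="
            if ($i ~ /^rhost=./)     rhost = substr($i, 7)
            else if ($i ~ /^user=./) user  = substr($i, 6)
        }
        print $1, $2, $3, rhost, user
    }' "$@"
}

# failed_auth_summary [FILE...] -> "count rhost", busiest source first
failed_auth_summary() {
    failed_auth "$@" |
        awk '{ n[$4]++ } END { for (h in n) print n[h], h }' |
        sort -k1,1nr -k2,2
}

# Constructed sample lines in /var/log/secure style (documentation addresses)
sample_log() {
    cat <<'EOF'
Apr 15 11:58:02 host1 sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root
Apr 15 11:58:09 host1 sshd[2214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10
Apr 15 12:01:40 host1 sshd[2230]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=paul
Apr 15 12:02:11 host1 sshd[2231]: Accepted password for paul from 198.51.100.7 port 50122 ssh2
EOF
}

# Demo on the constructed sample; on a real host run: failed_auth /var/log/secure
sample_log | failed_auth
sample_log | failed_auth_summary
```

The per-line output keeps the timestamp for each attempt, while the summary gives the per-source counts that `sort | uniq -c` was being used for.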
