Filter authlog

With this script you can filter the authlog log file for logins that did not come from a list of trusted IP addresses.

Script usage

./fauthlog.sh <ip list file> <authlog file> <word> [-z]

<ip list file>    #file with trusted IP addresses, one on each line
<authlog file>    #authlog location, /var/log/authlog
<word>            #pattern to grep from the output, 'Accept' for all accepted logins
-z                #use zcat for gzipped logrotate files; do not forget the quotes around the glob

How it works

First put some known IP addresses in iplist.txt, one per line:

iplist.txt
240.18.47.62

Display all logins from unknown IP addresses in /var/log/auth.log:

./fauthlog.sh iplist.txt "/var/log/auth.log.*.bz2" Accept -z
zcat /var/log/auth.log.*.bz2|egrep -v "240.18.47.62" |grep "Accept"
Feb 18 10:10:52 ams0 sshd[32243]: Accepted keyboard-interactive/pam for fred from 240.132.232.157 port 1132 ssh2
Feb 18 14:38:03 ams0 sshd[40016]: Accepted keyboard-interactive/pam for fred from 240.132.232.157 port 1835 ssh2

Someone was logged in on Fred's account from an unknown IP address.

The code

#!/usr/local/bin/bash
# Print the usage when fewer than three arguments are given
if [ -z "$3" ]; then
 echo "usage: $0 <ip list file> <authlog file> <word> [-z]"
 echo "         <ip list file> #file with trusted IP addresses, one on each line"
 echo "         <authlog file> #authlog location, /var/log/authlog"
 echo "         <word>         #pattern to grep from the output, 'Accept' for all accepted logins"
 echo "         -z             #use zcat for gzipped logrotate files; do not forget the quotes"
 echo "         $0 iplist.txt \"/var/log/authlog.*\" Accept -z"
 exit 1
fi

# Build one alternation of all trusted addresses from the ip list file.
# Dots are escaped so that they match a literal dot in the regex.
output=""
while read -r line
do
 [ -z "$line" ] && continue
 output="$output${line//./\\.}|"
done < "$1"
pattern="${output%\|}"

# With an empty pattern egrep -v would drop every line, so stop here instead
if [ -z "$pattern" ]; then
 echo "$0: no addresses found in $1" >&2
 exit 1
fi

# $2 is left unquoted on purpose: a quoted glob such as "/var/log/authlog.*"
# is expanded here so that all rotated files are read at once
echo "cat $2 |egrep -v \"$pattern\" |grep \"$3\""
if [ -z "$4" ]; then
 cat $2 |egrep -v "$pattern" |grep "$3"
else
 zcat $2 |egrep -v "$pattern" |grep "$3"
fi
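The script above feeds the trusted list to egrep -v as one unanchored regular expression, so a trusted "10.0.0.1" also hides logins from 10.0.0.12 or 110.0.0.1, and zcat only reads gzip, so .bz2 rotations need bzip2. The following is an added example, not the post's fauthlog.sh: it pulls the address field after "from" out of each "Accepted" line and compares it with the trusted list as a whole field, and it decompresses .gz and .bz2 rotations by extension. The sample log lines and the 10.0.0.x addresses are constructed for the demonstration; two of the log lines are the ones shown above.

```shell
#!/bin/sh
# Added example (not the post's script): list accepted SSH logins whose
# source address is NOT on a trusted list, matching the whole address
# field instead of running the list through egrep as an unanchored regex.

# Print accepted sshd logins from addresses absent from the trusted list.
#   $1          file with one trusted address per line
#   $2, $3 ...  auth log files; .gz and .bz2 rotations are decompressed
unknown_logins() {
    trusted=$1
    shift
    for f in "$@"; do
        case $f in
            *.gz)  gzip -dc "$f" ;;
            *.bz2) bzip2 -dc "$f" ;;   # zcat reads gzip only, not bzip2
            *)     cat "$f" ;;
        esac
    done | awk -v listfile="$trusted" '
        BEGIN {
            # load the trusted addresses into a set keyed by the exact address
            while ((getline ip < listfile) > 0)
                if (ip != "") trusted[ip] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            src = ""
            # the source address is the field following "from"
            for (i = 1; i < NF; i++)
                if ($i == "from") { src = $(i + 1); break }
            if (src == "" || !(src in trusted)) print
        }'
}

# Constructed sample data: two trusted addresses and six log lines
work=$(mktemp -d)
printf '%s\n' 240.18.47.62 10.0.0.1 > "$work/iplist.txt"
cat > "$work/auth.log" <<'EOF'
Feb 18 09:01:10 ams0 sshd[31000]: Accepted publickey for fred from 240.18.47.62 port 50122 ssh2
Feb 18 10:10:52 ams0 sshd[32243]: Accepted keyboard-interactive/pam for fred from 240.132.232.157 port 1132 ssh2
Feb 18 11:00:00 ams0 sshd[32300]: Failed password for root from 203.0.113.9 port 1140 ssh2
Feb 18 13:20:31 ams0 sshd[39000]: Accepted publickey for fred from 10.0.0.1 port 49000 ssh2
Feb 18 13:25:02 ams0 sshd[39010]: Accepted publickey for fred from 10.0.0.12 port 49001 ssh2
Feb 18 14:38:03 ams0 sshd[40016]: Accepted keyboard-interactive/pam for fred from 240.132.232.157 port 1835 ssh2
EOF

# Prints the three logins from 240.132.232.157 and 10.0.0.12.
# An unanchored egrep -v "240.18.47.62|10.0.0.1" would also have hidden
# the 10.0.0.12 line, because "10.0.0.1" is a substring of it.
unknown_logins "$work/iplist.txt" "$work/auth.log"
```

The trusted list is loaded once into an awk array, so the cost does not grow with the number of addresses, and the "Failed password" line is skipped because only "Accepted" records are examined; pass a different pattern in the awk rule if failed attempts are wanted as well.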
