/var/log/messages Parser

#1 tgo

Posted 07 December 2005 - 10:18 PM

Here is a little script to parse /var/log/messages. If you run sshd on port 22, you know how many times you get brute-forced by zombies, and this should make parsing the logs easier.

The code should be pretty easy to read and understand, so I didn't comment anything.

Usage:
root@blackdragon:/home/tgo/perl# perl log.pl
------- Report for 127.0.0.1 -----------
Total Entries: 1
Accepted Logins: 0
Failed Logins: 1
------- Report for 192.168.1.100 -----------
Total Entries: 6
Accepted Logins: 6
Failed Logins: 0
root@blackdragon:/home/tgo/perl#

Code:
#!/usr/bin/perl

# /var/log/messages parser coded by tgo
# http://www.anomalous-security.org

use strict;
use warnings;

# Open the system log read-only; report the OS error if that fails.
open(my $log, '<', '/var/log/messages') or die "Cannot open /var/log/messages: $!";

# %ips maps each IPv4 address seen in the log to a hash of
# action ('accepted' or 'failed') => number of matching lines.
my %ips;

while (my $line = <$log>)
{
	# Only lines containing a dotted-quad address are of interest;
	# the first address on the line is taken as the remote host.
	next unless ($line =~ /(\d+\.\d+\.\d+\.\d+)/);
	my $ip = $1;

	my $action;
	if ($line =~ /Accepted/)
	{
		$action = 'accepted';
	}
	elsif ($line =~ /Failed password/)
	{
		$action = 'failed';
	}
	else
	{
		next;	# some other line that happens to contain an address
	}

	# Autovivifies the counter on first sight, so no defined() check is needed.
	$ips{$ip}{$action}++;
}

close($log);

for my $ip (keys %ips)
{
	# An address may have only one kind of event; default the other to 0.
	$ips{$ip}{'accepted'} = 0 unless (defined($ips{$ip}{'accepted'}));
	$ips{$ip}{'failed'}   = 0 unless (defined($ips{$ip}{'failed'}));

	my $total = $ips{$ip}{'accepted'} + $ips{$ip}{'failed'};

	print "------- Report for $ip -----------\n";
	print "Total Entries: " . $total . "\n";
	print "Accepted Logins: " . $ips{$ip}{'accepted'} . "\n";
	print "Failed Logins: " . $ips{$ip}{'failed'} . "\n";
}


#2 jcmulle

Posted 17 October 2007 - 01:14 PM

Quoting tgo (post 134909, Dec 8 2005, 12:18 AM):
Code:
#!/usr/bin/perl

# /var/log/messages parser coded by tgo
# http://www.anomalous-security.org

use strict;
use warnings;

open(my $log, '<', '/var/log/messages') or die "Cannot open /var/log/messages: $!";

# %ips maps each IPv4 address to a hash of
# action ('accepted', 'failed' or 'invalid') => number of matching lines.
my %ips;

while (my $line = <$log>)
{
	next unless ($line =~ /(\d+\.\d+\.\d+\.\d+)/);
	my $ip = $1;

	my $action;
	if ($line =~ /Accepted/)
	{
		$action = 'accepted';
	}
	elsif ($line =~ /Failed password/)
	{
		$action = 'failed';
	}
	elsif ($line =~ /Invalid/)
	{
		# "Invalid user <name> from <ip>" lines: attempts against non-existent accounts
		$action = 'invalid';
	}
	else
	{
		next;
	}

	$ips{$ip}{$action}++;
}

close($log);

for my $ip (keys %ips)
{
	$ips{$ip}{'accepted'} = 0 unless (defined($ips{$ip}{'accepted'}));
	$ips{$ip}{'failed'}   = 0 unless (defined($ips{$ip}{'failed'}));
	$ips{$ip}{'invalid'}  = 0 unless (defined($ips{$ip}{'invalid'}));

	my $total = $ips{$ip}{'accepted'} + $ips{$ip}{'failed'} + $ips{$ip}{'invalid'};

	print "------- Report for $ip -----------\n";
	print "Total Entries: " . $total . "\n";
	print "Accepted Logins: " . $ips{$ip}{'accepted'} . "\n";
	print "Failed Logins: " . $ips{$ip}{'failed'} . "\n";
	print "Invalid User: " . $ips{$ip}{'invalid'} . "\n";
}
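Both scripts in this thread key on the first dotted-quad on a line and on the words "Accepted", "Failed password" and (in the reply) "Invalid". Two things a log reviewer usually wants beyond that are worth showing: taking the source address from the `from <ip>` field of an sshd message rather than the first address on any line, and not double-counting an attempt against a non-existent account, since OpenSSH writes both an "Invalid user X from IP" line and a "Failed password for invalid user X from IP" line for it (in the reply's script the "Failed password" branch wins for the second line, so the attempt is counted once as failed and once as invalid). The Python below is an added example, not code from either post; the log lines are constructed sample input in the syslog layout the thread's usage output implies, and the `threshold` for flagging an address is an assumed value, not something either script does.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/messages syslog layout (not real log data).
SAMPLE_LOG = """\
Dec  7 21:55:01 blackdragon sshd[4321]: Accepted password for tgo from 192.168.1.100 port 51022 ssh2
Dec  7 21:55:09 blackdragon sshd[4330]: Failed password for root from 127.0.0.1 port 40011 ssh2
Dec  7 21:56:12 blackdragon sshd[4340]: Invalid user admin from 203.0.113.9
Dec  7 21:56:12 blackdragon sshd[4340]: Failed password for invalid user admin from 203.0.113.9 port 33001 ssh2
Dec  7 21:56:14 blackdragon sshd[4341]: Invalid user oracle from 203.0.113.9
Dec  7 21:56:14 blackdragon sshd[4341]: Failed password for invalid user oracle from 203.0.113.9 port 33002 ssh2
Dec  7 21:56:20 blackdragon sshd[4345]: Failed password for root from 203.0.113.9 port 33005 ssh2
Dec  7 22:01:02 blackdragon sshd[4360]: Failed password for tgo from 10.0.0.5 port 2201 ssh2
Dec  7 22:01:05 blackdragon sshd[4361]: Failed password for tgo from 10.0.0.5 port 2202 ssh2
Dec  7 22:01:09 blackdragon sshd[4362]: Failed password for tgo from 10.0.0.5 port 2203 ssh2
Dec  7 22:01:15 blackdragon sshd[4363]: Accepted password for tgo from 10.0.0.5 port 2204 ssh2
Dec  7 22:02:00 blackdragon kernel: eth0: link up, 100Mbps full duplex, peer 192.168.1.1
"""

# Only sshd lines are considered, so addresses in kernel/cron messages never count.
SYSLOG_RE = re.compile(r'^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$')
IP = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
# The address is taken from the "from <ip>" field, not from the first address on the line.
EVENT_RES = (
    ('accepted', re.compile(r'^Accepted \S+ for (?P<user>\S+) from ' + IP + r' port \d+')),
    ('failed', re.compile(r'^Failed \S+ for (?:invalid user )?(?P<user>\S+) from ' + IP + r' port \d+')),
    ('invalid_user', re.compile(r'^Invalid user (?P<user>\S+) from ' + IP)),
)


def parse_line(line):
    """Return (ip, event, user) for an sshd authentication line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    for event, rx in EVENT_RES:
        em = rx.match(msg)
        if em:
            return em.group('ip'), event, em.group('user')
    return None  # sshd line that is not an authentication outcome


def summarize(lines):
    """Per-source-address counts plus the order of outcomes, so sequences can be inspected."""
    report = defaultdict(lambda: {'accepted': 0, 'failed': 0, 'invalid_user': 0,
                                  'users': set(), 'sequence': []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, event, user = parsed
        entry = report[ip]
        entry[event] += 1
        entry['users'].add(user)
        # An "Invalid user" line is always paired with a "Failed ..." line for the same
        # attempt, so only accepted/failed are recorded as attempts in the sequence.
        if event != 'invalid_user':
            entry['sequence'].append(event)
    return dict(report)


def flag(report, threshold=3):
    """Map source address -> reason for addresses with at least `threshold` failures."""
    findings = {}
    for ip, e in report.items():
        if e['failed'] < threshold:
            continue
        fails_before = 0
        for ev in e['sequence']:
            if ev == 'accepted':
                break
            fails_before += 1
        if 'accepted' in e['sequence'] and fails_before >= threshold:
            findings[ip] = 'success after %d failures (review this session)' % fails_before
        else:
            findings[ip] = '%d failed logins, no success (brute force)' % e['failed']
    return findings


def format_report(report):
    """Same layout as the thread's script; Total Entries counts attempts (accepted + failed)."""
    out = []
    for ip in sorted(report):
        e = report[ip]
        out.append('------- Report for %s -----------' % ip)
        out.append('Total Entries: %d' % (e['accepted'] + e['failed']))
        out.append('Accepted Logins: %d' % e['accepted'])
        out.append('Failed Logins: %d' % e['failed'])
        out.append('Invalid User: %d' % e['invalid_user'])
        out.append('Usernames tried: %s' % ', '.join(sorted(e['users'])))
    return '\n'.join(out)


if __name__ == '__main__':
    # Pass a log file path to parse it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    rep = summarize(lines)
    print(format_report(rep))
    for ip, reason in flag(rep).items():
        print('FLAG %s: %s' % (ip, reason))
```

The `flag` function separates two cases that a per-address count alone hides: an address still failing (noise to block or rate-limit) and an address whose failures ended in an accepted login, which is the one worth pulling the session for.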