Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

/var/log/messages Parser

Started by tgo , Dec 07 2005 10:18 PM

Please log in to reply

1 reply to this topic

#1 tgo

Private

Members
10 posts

Posted 07 December 2005 - 10:18 PM

Here is a little script to parse /var/log/messages. If you run sshd on port 22 you know how many times you get bruteforced by zombies and this should make parsing the logs easier.

The code should be pretty easy to read and understand so i didnt comment anything.

Usage:

root@blackdragon:/home/tgo/perl# perl log.pl
------- Report for 127.0.0.1 -----------
Total Entries: 1
Accepted Logins: 0
Failed Logins: 1
------- Report for 192.168.1.100 -----------
Total Entries: 6
Accepted Logins: 6
Failed Logins: 0
root@blackdragon:/home/tgo/perl#

Code:

#!/usr/bin/perl

# /var/log/messages parser coded by tgo
# http://www.anomalous-security.org

use warnings;

open(F,"/var/log/messages") or die($!);

my %ips;

while(<F>)
{
	if ($_ =~ /(\d+\.\d+\.\d+\.\d+)/)
	{
		$ip = $1;	
	
		if ($_ =~ /Accepted/)
		{
		$action = "accepted";
		}	
		elsif($_ =~ /Failed password/)
		{
		$action = "failed";		
		}
		else
		{
		next;
		}

		if (defined($ips{$ip}{$action}))
		{
		$ips{$ip}{$action} = $ips{$ip}{$action} + 1;
		}
		else
		{
		$ips{$ip}{$action} = 1;
		}				
	}
}

close(F);

for my $ip ( keys %ips )
{
	$ips{$ip}{'accepted'} = 0 unless (defined($ips{$ip}{'accepted'}));
	$ips{$ip}{'failed'} = 0 unless (defined($ips{$ip}{'failed'}));

	$total = $ips{$ip}{'accepted'} + $ips{$ip}{'failed'};

	print "------- Report for $ip -----------\n";
	print "Total Entries: " . $total . "\n";
	print "Accepted Logins: " . $ips{$ip}{'accepted'} . "\n";
	print "Failed Logins: " . $ips{$ip}{'failed'} . "\n";
}

Back to top

#2 jcmulle

Private

Members
1 posts

Posted 17 October 2007 - 01:14 PM

[quote name='tgo' post='134909' date='Dec 8 2005, 12:18 AM']Code:

#!/usr/bin/perl# /var/log/messages parser coded by tgo# [url="http://www.anomalous-security.org"]http://www.anomalous-security.org[/url]use warnings;open(F,"/var/log/messages") or die($!);my %ips;while(){    if ($_ =~ /(\d+\.\d+\.\d+\.\d+)/)    {        $ip = $1;                if ($_ =~ /Accepted/)        {        $action = "accepted";        }            elsif($_ =~ /Failed password/)        {        $action = "failed";                }	elsif($_ =~ /Invalid/)	{	$action = "invalid";	}        else        {        next;        }        if (defined($ips{$ip}{$action}))        {        $ips{$ip}{$action} = $ips{$ip}{$action} + 1;        }        else        {        $ips{$ip}{$action} = 1;        }                    }}close(F);for my $ip ( keys %ips ){    $ips{$ip}{'accepted'} = 0 unless (defined($ips{$ip}{'accepted'}));    $ips{$ip}{'failed'} = 0 unless (defined($ips{$ip}{'failed'}));    $ips{$ip}{'invalid'} = 0 unless (defined($ips{$ip}{'invalid'}));    $total = $ips{$ip}{'accepted'} + $ips{$ip}{'failed'} + $ips{$ip}{'invalid'};    print "------- Report for $ip -----------\n";    print "Total Entries: " . $total . "\n";    print "Accepted Logins: " . $ips{$ip}{'accepted'} . "\n";    print "Failed Logins: " . $ips{$ip}{'failed'} . "\n";    print "Invalid User: " . $ips{$ip}{'invalid'} . "\n";}