I am by no means a programmer but I would love to learn. Problem is I have a real problem that needs a script asap.

I need to write a script that can parse a logfile and pull out unique ip address from the source address column and create a file with the name of the ip address as the filename. Then when a destination IP addresses matches the source address of a file it appends that unique destination address and port to that file.

So what im trying to do is create a file for each infected computer and append inside that file all the hosts they are trying to infect.

Here is a snippet of the logfile.

-----------------------------------------------------------------------
2007-08-30 11:31:52,Syslog.Info,10.254.5.164,"26838: Aug 30 11:31:50: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.5.167.246(4086) -> 10.184.232.130(1433), 1 packet"
2007-08-30 11:31:52,Syslog.Info,10.254.6.24,"432042: pik-router: Aug 30 11:31:52: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.253.220.42(1509) -> 10.25.50.154(1433), 1 packet"
2007-08-30 11:31:52,Syslog.Info,10.254.3.176,"492962: lco-router: Aug 30 11:31:52: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.3.179.232(2661) -> 10.45.253.12(1433), 1 packet"
2007-08-30 11:31:52,Syslog.Info,10.254.5.240,"4841: .Aug 30 11:31:52: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.253.218.171(1532) -> 10.246.248.36(1433), 1 packet"
2007-08-30 11:31:52,Syslog.Info,10.254.5.240,"4842: .Aug 30 11:31:53: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.253.218.171(1564) -> 10.25.5.144(1433), 1 packet"
2007-08-30 11:31:52,Syslog.Info,172.20.7.13,"495539: ba2-router: Aug 30 11:31:52: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.253.221.172(2346) -> 10.30.165.137(445), 1 packet"
2007-08-30 11:31:52,Syslog.Info,10.254.0.244,"473266: nac-router: Aug 30 11:31:52: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.247.183(3230) -> 10.155.217.188(1433), 1 packet"

don't assume we all know the structure of your log file....
what is the source and what is the destination addresses in the given sample?
given a posted sample log, what is the desired output?

Sorry good point.

After the "list 199 denied" the first IP address is the source and the 2nd IP address is the destination.

the output im looking for is a file created for each unique "source" and an append to that file of each destination that matches each unique source.

So far i have come up with this but its not working.

#!/bin/ksh
PATH=$PATH
vDIR_OUT=/cygdrive/c/tmp
vLOG_OUT=${vDIR_OUT}/ipmon.out
vSYSLOG=/cygdrive/v/Routers.txt
vSYSLOG_OUT=${vDIR_OUT}/syslog.log.new
vCOUNTER_FILE=${vDIR_OUT}/counter.out

export PATH vDIR_OUT vLOG_OUT vSYSLOG_OUT vCOUNTER_FILE FINAL


#############################################
## Create a counter to get only the new
## lines from the syslog.log.
#############################################

#print "\nStarting Counter, please be patient...\n"

#FINAL=$(cat ${vCOUNTER_FILE})
#typeset -i START=0
#
#cat ${vSYSLOG}|while read vLINE
#do
#((START=START+1))
#if [[ ${START} -gt ${FINAL} ]]
#then
##print "${vLINE}"
#fi
#done > "${vSYSLOG_OUT}"
#print "${START}" #> "${vCOUNTER_FILE}"

#################################
## Now collect new data into
## a folder for each IP address.
#################################

awk '/tcp/ && !/awk/ {printf("%s %s\n", $(NF-4),$(NF-2))}' ${vSYSLOG_OUT} |sort -u> ${vLOG_OUT} 2>&1
while read -r vIP
do
vSOURCE_IP=$(print ${vIP}|awk -F"(" '{print $1}')
[ ! -d ${vSOURCE_IP} ] && mkdir ${vSOURCE_IP}
[ -d ${vSOURCE_IP} ] && print "Folder ${vSOURCE_IP} already exist"
print "Appending ${vIP} to ${vSOURCE_IP}"
print "${vIP}"|awk -F, '{print $1,$2}' >> ${vSOURCE_IP}/${vSOURCE_IP}.txt
done < ${vLOG_OUT}