Shell Programming and Scripting

Hi:

I am using linux and trying to format logs. I have grepped for stuff like invalid users and /or error. However, the way the logs are formatted, sometimes the full error is not on the line, ie. it is on the next line. If I grep something, like:
cat /var/spool/mail/* |grep -i session |awk '{print $5}'
The information I want is in the log on the next line. Is there a way to get the following lines anyone can think of? Thanks so much for your help in advance.
Henry

You could try

Code:

awk '/error/{_=2}_&&_--' /var/spool/mail/*

Can you post a sample log file.

this is a small snippet Dan.

Illegal users from:
192.168.42.22 (impala.snas-net): 1 time

**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user henry : 1 time(s)

If I cat for illegal, I don't find out where the 'illegal' is coming from because the actual ip is on the next line. Or the next line, where I grep for unmatched but don't get the user Henry.

I'm fairly new to scripting or not very knowledgeable at this time. Thanks.

---------- Post updated at 12:57 PM ---------- Previous update was at 12:50 PM ----------

Here is another sample of the log where I want to grab the second line following the line I grepped for.

sshd:
Authentication Failures:
unknown (impala.snas-net): 1 Time(s)
Invalid Users:
Unknown Account: 1 Time(s)

I haven't been able to figure out how to insert a variable into the search field, or I'd provide that example... Here's something that will return the line that matches your search string AND the line that follows immediately afterward.

Code:

#!/bin/sh

/usr/xpg4/bin/awk '/Illegal users/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Unmatched Entries/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Authentication Failures/{_=2}_&&_--' /var/spool/mail/*
/usr/xpg4/bin/awk '/Invalid Users/{_=2}_&&_--' /var/spool/mail/*

You might pass the log file in as an argument - so that it's not always checking the /var/spool/mail directory.

edit ----------
that should be {_=1}

Two basic example

Code:

awk '/([Illegal|Invalid] [U|u]sers)|Authentication Failure|Unmatched Entries/{printf $0;getline;print FS $0}' file

Code:

egrep -A1 "([Illegal|Invalid] [U|u]sers)|Authentication Failure|Unmatched Entries" file

I'm getting there and I really appreciate everyone's help. Thank you all.

I tried Av's and Dan's code and they both worked. The last thing I tried was dan's awk statement, which produced this after a bit of tweaking.

**Unmatched Entries** unix_chkpwd[8788]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[13474]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[13474]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[22256]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[8788]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[13474]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[13474]: password check failed for user (henry)
**Unmatched Entries** unix_chkpwd[22256]: password check failed for user (henry)

which is very good. It seems like its looking for unmatched entries, I'm sure there's an easy way of looking for other items (multiple items) such as A or B or C. In my case it would be unmatched entries or Illegal users from? Thanks again, this has been great for me, I am finally learning how to script.

---------- Post updated at 09:56 AM ---------- Previous update was at 09:55 AM ----------

I am sorry, can you please explain this further?

You might pass the log file in as an argument - so that it's not always checking the /var/spool/mail directory.

I don't know how to pass the log file in as an argument.

Thanks.