Parsing kiwi syslog from Astaro

# 1  
Old 05-02-2011
Parsing kiwi syslog from Astaro

Hello,

I am trying to parse this syslog, pulling out and logging results to a file. The information I want is: srcip, srcport, dstip, dstport. I just want the numbers, not including the text part, i.e. srcip=". The problem is that the column locations change, so I can't use the nice awk $1 $2 etc. to identify the wanted data. I have read enough scripting posts that my head is spinning. It seems everyone's columns stay the same, hence my issue. Here is a snippet of the log file:

Code:
2011-04-30 22:37:01    Daemon.Info    192.168.1.1    2011:04:30-22:37:07 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth1" srcmac="0:26:18:1c:78:e0" dstmac="0:c:f1:88:90:5c" srcip="192.168.1.3" dstip="65.55.158.118" proto="17" length="89" tos="0x00" prec="0x00" ttl="127" srcport="55353" dstport="3544" 
2011-04-30 22:37:03    Daemon.Info    192.168.1.1    2011:04:30-22:37:09 ulogd[4777]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="0:1:5c:31:9d:1" dstmac="0:9:5b:9:48:ce" srcip="172.29.255.12" dstip="224.0.0.1" proto="2" length="32" tos="0x00" prec="0xc0" ttl="1"

Notice that some lines have outitf and others do not. Any help will be greatly appreciated. I want to stick with learning scripting, but this is driving me crazy.

Thanks again,
Bob
Moderator's comment: Please use code tags when posting data and code samples!

Last edited by vgersh99; 05-02-2011 at 02:23 PM.. Reason: code tags, please!
# 2  
Old 05-02-2011
something along these lines:
nawk -f melnik.awk mySysLong

melnik.awk:
Code:
BEGIN {
  qq=sprintf("%c", 34)      # ASCII 34 is the double quote; no leading zero, gawk would read 034 as octal (28)
  strN=split("srcip srcport dstip dstport", strA, FS)   # the keys we want, in output order
}
{
  for(i=1; i<=strN;i++)
    if (match($0, strA[i])) {
       t=substr($0,RSTART+RLENGTH+2)          # drop everything up to and including key="
       match(t, "[^" qq "][^" qq "]*")        # run of characters up to the closing quote
       s=substr(t,1, RSTART+RLENGTH-1)        # the bare value
       printf("%s : [%s]%c",  strA[i], s, (i==strN)?ORS:"|")
    }
}

# 3  
Old 05-02-2011
Code:
awk -F"[=[:blank:]]" '{for(i=1;i<=NF;i++) if($i~/srcip|srcport|dstip|dstport/) printf "%s ", $(i+1);printf "\n"}' yourlogfile

removing double quote around values:

Code:
awk -F"[=[:blank:]]" '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/srcip|srcport|dstip|dstport/) printf "%s ", $(i+1);printf "\n"}' yourlogfile

Use nawk instead of awk if on Solaris/SunOS.

Last edited by ctsgnb; 05-02-2011 at 03:16 PM..
# 4  
Old 05-02-2011
Thank you

Wow, thank you for this information. I had no idea about the full syntax usage of any of those commands. Talk about a head start in learning scripting. I am speechless.

thanks again,
bob

I've run into a strange situation. When I run the scripts using MobaXterm, everything is fine. However, when I run it under Ubuntu, I see no output. It is moving the cursor but zero output. When I pipe it to an output file, nothing is written to it.

bob

Last edited by rmelnik; 05-03-2011 at 02:31 PM..
# 5  
Old 05-04-2011
I suspect your awk doesn't support multiple field-separator definitions, so it just puts the whole line in $1; that is the reason why you only get blank lines returned.

On your Ubuntu machine, try replacing "awk" with "gawk":

Code:
gawk -F"[=[:blank:]]" '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/srcip|srcport|dstip|dstport/) printf "%s ", $(i+1);printf "\n"}' yourlogfile

You can alternatively try (with your Ubuntu standard awk):

Code:
sed 's/  */=/g;s/=/ /g' yourlogfile | awk '{gsub("\"",x,$0);for(i=1;i<=NF;i++) if($i~/srcip|srcport|dstip|dstport/) printf "%s ", $(i+1);printf "\n"}'


Last edited by ctsgnb; 05-04-2011 at 04:50 AM..