RSYSLOG reports


 
# 8  
Old 09-29-2015
Java

Thank you very much all for the prompt response.

Can someone please help me with this logic? If I want to include the "Failed password" string in the code, how do I add that?

Code:
Sep 28 17:16:37 samplehostname sshd[32092]: subsystem request for sftp
Sep 28 18:21:30 samplehostname sshd[23278]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:27:31 samplehostname sshd[30298]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname sshd[21016]: pam_unix(sshd:session): session closed for user oracle
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:39:57 samplehostname su: pam_unix(su:session): session closed for user root
Sep 28 19:58:41 samplehostname sshd[32092]: pam_unix(sshd:session): session closed for user root
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 11:09:59 samplehostname su: pam_unix(su:session): session opened for user root by oracle(uid=501)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2

Code:
awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /Accepted password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file


Last edited by Corona688; 09-30-2015 at 12:25 PM..
# 9  
Old 09-29-2015
Quote:
Originally Posted by ahmed.vaghar
[..]

Can someone please help me with this logic? If I want to include the "Failed password" string in the code, how do I add that?

Code:
awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /Accepted password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file

The easier way would be
Code:
awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME"
        }
        /(Accepted|Failed) password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3
        }
' OFS='\t' rsyslog_file

... But then you would not know who was successful in logging in and who was not.
Perhaps another modification is necessary.
Code:
awk '
        BEGIN {
                printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME", "STATUS"
        }
        /(Accepted|Failed) password/ {
                printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", $4, $9, $11, $1 FS $2 FS $3, $6
        }
' OFS='\t' rsyslog_file

This was modified on the fly and I did not test it.
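
Added example, not part of the original posts: the scripts above take USER and FROM from fixed positions ($9, $11), which shifts when sshd logs "Failed password for invalid user NAME from ...". This version reads the address from the end of the line and adds a per-source failure count; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input, modelled on the log excerpt in post #8.
sample_log() {
    cat <<'EOF'
Sep 29 11:05:59 samplehostname sshd[4368]: Accepted password for oracle from 10.99.22.123 port 61494 ssh2
Sep 29 11:05:59 samplehostname sshd[4368]: pam_unix(sshd:session): session opened for user oracle by (uid=0)
Sep 29 12:24:36 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:24:39 samplehostname sshd[6855]: Failed password for oracle from 10.225.124.234 port 54622 ssh2
Sep 29 12:30:02 samplehostname sshd[6901]: Failed password for invalid user test from 10.225.124.234 port 54630 ssh2
EOF
}

# Print HOST USER FROM TIME STATUS for each sshd password event on stdin.
# Assumption: such lines end "from ADDR port N ssh2", so ADDR is read from the
# end of the line and the user name is whatever sits between "for" and "from".
ssh_auth_report() {
    awk '
        BEGIN {
            printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", "HOST", "USER", "FROM", "TIME", "STATUS"
        }
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 ~ /^(Accepted|Failed)$/ && $7 == "password" &&
        $8 == "for" && $(NF-4) == "from" && $(NF-2) == "port" {
            first = ($9 == "invalid" && $10 == "user") ? 11 : 9   # skip "invalid user"
            user = (first <= NF - 5) ? $first : "-"               # "-" if the name is empty
            for (i = first + 1; i <= NF - 5; i++) user = user " " $i
            status = (first == 11) ? "Failed/invalid" : $6
            printf "%-15s\t%-15s\t%-15s\t%-15s\t%-15s\n", $4, user, $(NF-3), $1 FS $2 FS $3, status
        }
    '
}

# Failed attempts per source address, highest count first.
failed_by_source() {
    ssh_auth_report |
    awk -F'\t' 'NR > 1 && $5 ~ /^Failed/ { gsub(/ +$/, "", $3); n[$3]++ }
                END { for (a in n) print n[a], a }' |
    sort -rn
}

sample_log | ssh_auth_report
sample_log | failed_by_source
```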
# 10  
Old 09-30-2015
Java

Thanks Aia, will try from my end and let you know soon.

Regards,
# 11  
Old 10-01-2015
Thanks Aia, it is resolved.