comp.unix.shell: Using and programming the Unix shell.
#1
Hi Michael,
I tried your shell script but the result is not good ...

~$ grep "Failed password" /var/log/authlog |tail -5 | while read line; do set -f; set -- $line; echo "$1 $2 $3 $9 $10 $11 $12 `host $13`"; done
Aug 12 23:28:53 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
Aug 12 23:28:54 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
Aug 12 23:28:55 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
Aug 12 23:28:56 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
Aug 12 23:28:57 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)

Do you know where the problem is, please?

JB

"Michael Tosch" <eedmit@NO.eed.SPAM.ericsson.PLS.se> wrote in message
news:ebvmpm$iqh$1@aken.eed.ericsson.se...
> Jan Burdil wrote:
>> Hello,
>> I am trying to filter some logs from sshd daemon.
>>
>> ~$ grep "Failed password" /var/log/authlog |tail -5 |awk '{print
>> $1,$2,$3,$9,$10,$11,$12,$13}'
>> Aug 12 23:28:53 invalid user user from 80.74.149.39
>> Aug 12 23:28:54 invalid user root from 80.74.149.39
>> Aug 12 23:28:55 invalid user root from 80.74.149.39
>> Aug 12 23:28:56 invalid user root from 80.74.149.39
>> Aug 12 23:28:57 invalid user test from 80.74.149.39
>> ~$
>>
>> How can I substitute $13 ( the ip address ) with command "host $13"
>> I would like to see the full domain name not the ip address ...
>>
>> Thank you
>> Jan Burdil
>>
>>
>
> You can stay in the shell:
>
> grep "Failed password" /var/log/authlog |tail -5 |
> while read line
> do
> set -f
> set -- $line
> echo "$1 $2 $3 $9 $10 $11 $12 `host $13`"
> done
>
>
> --
> Michael Tosch @ hp : com
#2
Jan Burdil wrote:
> Hi Michael,
> I tried your shell script but the result is not good ...
>
> ~$ grep "Failed password" /var/log/authlog |tail -5 | while read line; do
> set -f; set -- $line; echo "$1 $2 $3 $9 $10 $11 $12 `host $13`"; done
> Aug 12 23:28:53 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
> Aug 12 23:28:54 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
> Aug 12 23:28:55 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
> Aug 12 23:28:56 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
> Aug 12 23:28:57 invalid Aug0 Aug1 Aug2 Host Aug3 not found: 3(NXDOMAIN)
>
> Do you know where the problem is, please?
>
> JB
>
>
>
> "Michael Tosch" <eedmit@NO.eed.SPAM.ericsson.PLS.se> wrote in message
> news:ebvmpm$iqh$1@aken.eed.ericsson.se...
>> Jan Burdil wrote:
>>> Hello,
>>> I am trying to filter some logs from sshd daemon.
>>>
>>> ~$ grep "Failed password" /var/log/authlog |tail -5 |awk '{print
>>> $1,$2,$3,$9,$10,$11,$12,$13}'
>>> Aug 12 23:28:53 invalid user user from 80.74.149.39
>>> Aug 12 23:28:54 invalid user root from 80.74.149.39
>>> Aug 12 23:28:55 invalid user root from 80.74.149.39
>>> Aug 12 23:28:56 invalid user root from 80.74.149.39
>>> Aug 12 23:28:57 invalid user test from 80.74.149.39
>>> ~$
>>>
>>> How can I substitute $13 ( the ip address ) with command "host $13"
>>> I would like to see the full domain name not the ip address ...
>>>
>>> Thank you
>>> Jan Burdil
>>>
>>>
>> You can stay in the shell:
>>
>> grep "Failed password" /var/log/authlog |tail -5 |
>> while read line
>> do
>> set -f
>> set -- $line
>> echo "$1 $2 $3 $9 $10 $11 $12 `host $13`"
>> done
>>
>>

Please don't top post in News threads!

I see now that positional parameters are limited to $1...$9,
and $10 is treated as {$1}0.
So the shell code must be changed to:

grep "Failed password" /var/log/authlog |tail -5 |
while read a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14
do
 echo "$a1 $a2 $a3 $a9 $a10 $a11 $a12 `host "$a13"`"
done

-- 
Michael Tosch @ hp : com
#3
On 2006-08-17, Michael Tosch wrote:
>>>
>>> grep "Failed password" /var/log/authlog |tail -5 |
>>> while read line
>>> do
>>> set -f
>>> set -- $line
>>> echo "$1 $2 $3 $9 $10 $11 $12 `host $13`"
>>> done
>
> I see now that positional parameters are limited to $1...$9,

In a Bourne shell one can only access the first 9 positional
parameters. In a POSIX shell, all are accessible, but those with
double digits must be enclosed in braces:

echo "$1 $2 $3 $9 ${10} ${11} ${12} `host ${13}`"

> and $10 is treated as {$1}0.

You mean, ${1}0.

> So the shell code must be changed to:
>
> grep "Failed password" /var/log/authlog |tail -5 |
> while read a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14
> do
> echo "$a1 $a2 $a3 $a9 $a10 $a11 $a12 `host "$a13"`"
> done

-- 
Chris F.A. Johnson, author <http://cfaj.freeshell.org>
Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)
===== My code in this post, if any, assumes the POSIX locale
===== and is released under the GNU General Public Licence
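Added example, not part of any post in this thread: a POSIX sh version of the loop that reproduces the `$10` versus `${10}` difference discussed above and finds the address by the keyword `from` instead of a fixed field number. It assumes OpenSSH-style log lines; the function names, the `RESOLVER` variable and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH-style lines:
#   "... Failed password for [invalid user] NAME from ADDR port N ssh2"

# Constructed sample (192.0.2.0/24 is a documentation range).
SAMPLE='Aug 12 23:28:53 gw sshd[4242]: Failed password for invalid user test from 192.0.2.39 port 4711 ssh2
Aug 12 23:28:54 gw sshd[4243]: Failed password for root from 192.0.2.39 port 4712 ssh2'

# The bug from the thread: "$10" expands as ${1}0, "${10}" is the tenth word.
tenth_word() {
    set -f; set -- $1; set +f       # set -f: "sshd[4242]:" must not glob
    printf '%s|%s\n' "$10" "${10}"
}

# Print the word after the LAST "from". The address is field 13 only on
# "invalid user" lines, and NAME is free text sent by the client.
extract_ip() {
    set -f; set -- $1; set +f
    ip=
    while [ $# -gt 1 ]; do
        [ "$1" = from ] && ip=$2
        shift
    done
    case $ip in                     # only address characters reach the resolver
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Reverse-resolve one address; RESOLVER (hypothetical knob) defaults to host(1).
resolve() {
    name=$(${RESOLVER:-host} "$1" 2>/dev/null |
           awk '/domain name pointer/ { print $NF; exit }')
    printf '%s\n' "${name:-$1}"     # NXDOMAIN or no network: keep the address
}

# stdin: auth log lines; stdout: "Mon DD HH:MM:SS ADDR NAME" per failure.
annotate_failures() {
    while IFS= read -r line; do
        case $line in *"Failed password"*) ;; *) continue ;; esac
        if ip=$(extract_ip "$line"); then
            set -f; set -- $line; set +f
            printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$ip" "$(resolve "$ip")"
        else
            printf 'unparsed: %s\n' "$line" >&2
        fi
    done
}
# Usage: grep "Failed password" /var/log/authlog | tail -5 | annotate_failures
```

Lines whose address token fails the character check are reported on stderr instead of being passed to the resolver.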
#4
Michael Tosch wrote:
> Please don't top post in News threads!

Please cut unnecessary cruft from the original post!

Matěj

-- 
GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC
http://www.ceplovi.cz/matej/blog/, Jabber: ceplma@jabber.cz
23 Marion St. #3, (617) 876-1259, ICQ 132822213

[W]hat country can preserve its liberties, if its rulers are not
warned from time to time that [the] people preserve the spirit of
resistance? Let them take arms...The tree of liberty must be
refreshed from time to time, with the blood of patriots and
tyrants.
-- Thomas Jefferson, letter to Col. William S. Smith, 1787
#5
Matej Cepl <ceplm@seznam.cz> wrote:
> Michael Tosch wrote:
>> Please don't top post in News threads!
>
> Please cut unnecessary cruft from the original post!
>
> --
> GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC
> http://www.ceplovi.cz/matej/blog/, Jabber: ceplma@jabber.cz
> 23 Marion St. #3, (617) 876-1259, ICQ 132822213
>
> [W]hat country can preserve its liberties, if its rulers are not
> warned from time to time that [the] people preserve the spirit of
> resistance? Let them take arms...The tree of liberty must be
> refreshed from time to time, with the blood of patriots and
> tyrants.
> -- Thomas Jefferson, letter to Col. William S. Smith, 1787

Please trim your signature.

-- 
Daniel
#6
Matej Cepl <ceplm@seznam.cz> writes:
> Michael Tosch wrote:
>> Please don't top post in News threads!
>
> Please cut unnecessary cruft from the original post!
>

That's your job. It takes you 5 seconds to do, and it makes 50,000 of
us save time. Not all of us read in a window that holds 200 lines.

A lot of times I have to scroll down several pages to see the
response, only to find out it was a one-line response at the top that
wasn't well marked. So I have to scroll back up again. Then I have to
scroll down again to read what the top poster was talking about.

-- 
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.