Wednesday, May 14, 2008

I will confess to being nearly a complete loser when it comes to successfully implementing sed, awk and regex to search logs. I usually end up parsing my authlogs with something really clueless like:

(IP Address and Port of invalid users with failed passwords)

$ grep "Failed password for invalid user" Sampleauthlog.txt | cut -b 75-110| uniq
from 202.163.221.227 port 43985 ssh
from 202.163.221.227 port 44553 ssh2
...

or (the IP address of valid users with failed passwords)

$ grep Failed Sampleauthlog | grep -v invalid | awk '{print $11}'| uniq -c
5 202.163.221.227

I have some idea that I can break each entry down into time, user, IP address, port and SSH version as typical PowerShell objects and then run more informative and complex queries, but this needs some work:

$var=Select-string Failed SampleAuthlog.txt | Where-object {$_ -match "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"}

PS D:\Microsoft\Powershell> $var
SampleAuthlog.txt:3:Apr 26 01:20:29 rmfbsd sshd[30534]: Failed password for invalid user test5 from 202.163.221.227 port 43985 ssh2
SampleAuthlog.txt:5:Apr 26 01:20:32 rmfbsd sshd[11478]: Failed password for root from 202.163.221.227 port 44267 ssh2
....

Select-object $var
Select-Object : Cannot convert System.Management.Automation.PSObject to one of the following types {System.String, System.Management.Automation.ScriptBlock}.
At line:1 char:14.

One way around this is to massage the log file into CSV format, which awk does easily, then manually add a header line to the first row and read it in with PowerShell's Import-Csv cmdlet:


$ grep Failed authlog | grep -v invalid | awk '{print $1","$2","$3","$9","$11","$13}'
Apr,26,01:20:32,root,202.163.221.227,44267
Apr,26,01:20:36,root,202.163.221.227,44411
...

$ grep Failed authlog | grep -v invalid | awk '{print $1","$2","$3","$9","$11","$13}' >> /cygdrive/D/Microsoft/Powershell/Powershell.out


$PWSH = import-csv Powershell.csv
PS D:\Microsoft\Powershell> $PWSH | ft -auto

Month Day Time User IP Port
----- --- ---- ---- -- ----
Apr 26 01:20:32 root 202.163.221.227 44267
Apr 26 01:20:36 root 202.163.221.227 44411
Apr 26 01:20:47 root 202.163.221.227 44725
Apr 26 01:21:02 root 202.163.221.227 45354
...
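The awk one-liner above hard-codes field positions that only fit lines for valid users, because "invalid user NAME" pushes every later field two positions to the right, and it still needs the header row typed in by hand. The following script is an added example, not code from the original post: it handles both line shapes, emits the header itself so Import-Csv needs no manual editing, and sorts before counting because uniq -c only merges adjacent lines. The log lines are constructed samples in OpenSSH syslog format; the function names are my own.

```shell
#!/bin/sh
# Added example: parse OpenSSH "Failed password" lines from an OpenBSD authlog
# into a CSV with a header row, ready for PowerShell's Import-Csv.

# Constructed sample log lines (not from a real host). 202.163.221.227 is the
# address used in the post; the other addresses come from documentation ranges.
# The two root lines are deliberately non-adjacent to show why sorting matters.
SAMPLE_LOG='Apr 26 01:20:29 rmfbsd sshd[30534]: Failed password for invalid user test5 from 202.163.221.227 port 43985 ssh2
Apr 26 01:20:32 rmfbsd sshd[11478]: Failed password for root from 202.163.221.227 port 44267 ssh2
Apr 26 01:22:15 rmfbsd sshd[11501]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Apr 26 01:20:36 rmfbsd sshd[11478]: Failed password for root from 202.163.221.227 port 44411 ssh2
Apr 26 01:21:02 rmfbsd sshd[11480]: Accepted publickey for rmf from 192.0.2.10 port 51022 ssh2'

# failed_to_csv: read authlog lines on stdin, write CSV (with header) on stdout.
# Field layout for a valid-user line:
#   $1=Month $2=Day $3=Time $4=host $5=sshd[pid]: $6=Failed $7=password $8=for
#   $9=user $10=from $11=ip $12=port $13=port-number $14=ssh-version
# For "invalid user NAME" every field from $9 onward shifts right by two.
failed_to_csv() {
    awk '
    BEGIN { print "Month,Day,Time,Status,User,IP,Port,Proto" }
    /Failed password for/ {
        if ($9 == "invalid" && $10 == "user") {
            status = "invalid"; user = $11; ip = $13; port = $15; proto = $16
        } else {
            status = "valid";   user = $9;  ip = $11; port = $13; proto = $14
        }
        print $1 "," $2 "," $3 "," status "," user "," ip "," port "," proto
    }'
}

# failed_per_ip: count failed attempts per source IP, busiest first.
# "sort" before "uniq -c" is essential: uniq only merges adjacent lines, so an
# IP whose attempts are interleaved with others would otherwise be split into
# several smaller counts.
failed_per_ip() {
    failed_to_csv | awk -F, 'NR > 1 { print $6 }' | sort | uniq -c | sort -rn
}

# Stand-alone demo: show the CSV and the per-IP summary for the sample log.
printf '%s\n' "$SAMPLE_LOG" | failed_to_csv
printf '%s\n' "$SAMPLE_LOG" | failed_per_ip
```

On a real system, `failed_to_csv < /var/log/authlog > Powershell.csv` produces a file that `Import-Csv Powershell.csv | Group-Object IP` can summarise directly, and the Status column lets you separate guesses at non-existent accounts from failed attempts against real ones without a second grep.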

Now we have part of an OpenBSD authlog stored as a PowerShell object. Thanks awk!
