Author Topic: grep, awk, wc, and such

Uturn

  • Pencil Stache
  • Posts: 894
  • Age: 55
  • Location: Raleigh, NC
grep, awk, wc, and such
« on: September 26, 2020, 07:58:27 PM »
I have a firewall sending logs to an RPi syslog.

2020-09-26T21:37:10.723358-04:00 172.18.1.10 date=2020-09-26 time=21:37:10 devname="FWF60FTK20001328" devid="FWF60FTK20001328" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1601170630 srcip=172.18.1.45 srcport=11471 srcintf="lan" srcintfrole="lan" dstip=54.86.131.217 dstport=443 dstintf="wan1" dstintfrole="wan" poluuid="b8f7ffdc-fdce-51ea-ebb2-c3396d04084e" sessionid=103496 proto=6 action="accept" policyid=3 policytype="policy" service="HTTPS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=174.99.24.180 transport=11471 duration=108186 sentbyte=578200 rcvdbyte=851567 sentpkt=10222 rcvdpkt=5945 appcat="unscanned" sentdelta=590 rcvddelta=360

I am trying to find a way to get a query of srcip, dstip, action=!allow and a count of dstport

bacchi

  • Walrus Stache
  • Posts: 7805
Re: grep, awk, wc, and such
« Reply #1 on: September 26, 2020, 08:12:57 PM »
egrep will let you use regex. -o will look for only the match.

grep -E -o "srcip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" foo.log

You can then use a | for multiple regex.

grep -E -o "srcip=([0-9]{1,3}[\.]){3}[0-9]{1,3}|dstip=([0-9]{1,3}[\.]){3}[0-9]{1,3}" foo.log

For the count in the same regex? Got me. Make a shell script and add a 2nd line, "grep -c dstport foo.txt"?
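The count that the grep approach leaves open can be done in awk, which is also where the "action=!allow" filter and the per-(srcip, dstip, dstport) grouping fit naturally. The following is an added example, not code from the thread. It assumes the FortiGate-style key=value syslog format of the first post, reads "action=!allow" as "every traffic record whose action is not accept", and treats only type="traffic" records as sessions. The sample log is constructed: the first line is the poster's own record, the others are made up (documentation IP ranges) to exercise the filter, including a quoted value with a space in it and a non-traffic event that must not be counted.

```shell
#!/bin/sh
# Added example (not from the thread): answer the original question with awk.
# Assumes the FortiGate-style key=value syslog format shown in the first post.

# Constructed sample log. Line 1 is the thread's own record; the rest are made up:
# two denies to the same srcip/dstip/dstport, a deny whose line carries a quoted
# value containing a space before the fields we want, and a non-traffic event.
sample_log() {
    cat <<'EOF'
2020-09-26T21:37:10.723358-04:00 172.18.1.10 date=2020-09-26 time=21:37:10 devname="FWF60FTK20001328" devid="FWF60FTK20001328" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=172.18.1.45 srcport=11471 dstip=54.86.131.217 dstport=443 proto=6 action="accept" policyid=3 service="HTTPS" dstcountry="United States" srccountry="Reserved"
2020-09-26T21:38:01.000000-04:00 172.18.1.10 date=2020-09-26 time=21:38:01 devname="FWF60FTK20001328" type="traffic" subtype="forward" level="notice" srcip=172.18.1.45 srcport=50123 dstip=203.0.113.7 dstport=23 proto=6 action="deny" policyid=0 service="TELNET" dstcountry="Reserved"
2020-09-26T21:38:05.000000-04:00 172.18.1.10 date=2020-09-26 time=21:38:05 devname="FWF60FTK20001328" type="traffic" subtype="forward" level="notice" srcip=172.18.1.45 srcport=50124 dstip=203.0.113.7 dstport=23 proto=6 action="deny" policyid=0 service="TELNET" dstcountry="Reserved"
2020-09-26T21:39:12.000000-04:00 172.18.1.10 date=2020-09-26 time=21:39:12 devname="FWF60FTK20001328" type="traffic" subtype="forward" level="notice" dstcountry="United States" srcip=172.18.1.60 srcport=40001 dstip=198.51.100.9 dstport=3389 proto=6 action="deny" policyid=0 service="RDP"
2020-09-26T21:40:00.000000-04:00 172.18.1.10 date=2020-09-26 time=21:40:00 devname="FWF60FTK20001328" type="event" subtype="system" level="notice" action="login" user="admin" srcip=172.18.1.45 dstip=172.18.1.1 dstport=443
EOF
}

# Read log lines on stdin; print "srcip dstip dstport count" for every traffic
# record whose action is not "accept", busiest tuple first.
summarize_denied() {
    awk '
    # kv(key): value of key=... on the current line. Values are either bare
    # tokens (srcip=1.2.3.4) or double-quoted and may contain spaces
    # (dstcountry="United States"), so splitting the line on whitespace is
    # not safe; match the key with a leading space so "subtype=" or
    # "policytype=" never matches a lookup of "type".
    function kv(key,    s, re, v) {
        s = " " $0
        re = " " key "=(\"[^\"]*\"|[^ ]*)"
        if (match(s, re) == 0) return ""
        v = substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        if (substr(v, 1, 1) == "\"") v = substr(v, 2, length(v) - 2)
        return v
    }
    {
        if (kv("type") != "traffic") next              # only session records
        action = kv("action")
        if (action == "" || action == "accept") next   # the poster "action=!allow"
        count[kv("srcip") " " kv("dstip") " " kv("dstport")]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

sample_log | summarize_denied
```

On the Pi the same function runs over the real file with `summarize_denied < /var/log/syslog` (path is an assumption); drop the `type` check if the firewall also sends UTM logs whose action field you want counted.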

PDXTabs

  • Walrus Stache
  • Posts: 5160
  • Age: 42
  • Location: Vancouver, WA, USA
Re: grep, awk, wc, and such
« Reply #2 on: September 27, 2020, 09:41:02 AM »
For stuff like that I usually just use python (or back in the day, perl).

sherr

  • Handlebar Stache
  • Posts: 1541
  • Age: 39
  • Location: North Carolina, USA
Re: grep, awk, wc, and such
« Reply #3 on: September 29, 2020, 09:25:05 AM »
Lol, StackOverflow is probably a better forum for questions like these.

So you want the report to include unique (srcip, dstip) and a count for disallowed actions? Agreed that something like a python script is going to be the easiest thing. It's probably possible to do it in awk, but I certainly couldn't tell you how off the top of my head. Perhaps something like this (untested):

from collections import defaultdict
disallowed_count = defaultdict(int)  # new entries in the dictionary initialize the count at 0
with open('input.log', 'r') as f:
    for line in f:
        src, dst, action = None, None, None
        for keyvalue in line.split():
            key, _, value = keyvalue.partition('=')
            value = value.strip('"')  # the firewall quotes string values, e.g. action="accept"
            if key == 'srcip':
                src = value
            elif key == 'dstip':
                dst = value
            elif key == 'action':
                action = value
        # "action=!allow" in the question: count every session the firewall did not accept
        if src and dst and action and action != 'accept':
            disallowed_count[(src, dst)] += 1

for (src, dst), count in disallowed_count.items():
    print(src, dst, count)
« Last Edit: September 29, 2020, 09:27:43 AM by sherr »

Uturn

  • Pencil Stache
  • Posts: 894
  • Age: 55
  • Location: Raleigh, NC
Re: grep, awk, wc, and such
« Reply #4 on: September 29, 2020, 09:50:22 AM »
I messed with it a bit more yesterday, then just decided to export to csv and create a pivot table in Excel.