如何从日志文件中检索IP地址的计数?
如何从日志文件中检索IP地址的计数?
提问于 2018-12-03 01:54:03
我正在检查一个日志文件以检索ip地址,再加上日志失败了多少次。这就是我的日志文件的样子:
Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 现在,我还想检查日志被接受了多少次。这个想法是为了获得一个关于野蛮强制攻击的概述。
我该如何扩展
sed -nr '/Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c 也要检查已接受的密码吗?有点像
sed -nr '/Accepted|Failed/{s/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/;p}'| sort | uniq -c 但是,与其在接受和失败之间有一个“或”,我希望得到一个如下所示的计数结果:
123.53.163.22 3 2(列为: IP地址、总失败、总接受)
回答 1
Unix & Linux用户
回答已采纳
发布于 2018-12-05 09:01:52
鉴于样本不足..。
cat horbaje
Feb 2 15:20:02 tank sshd[14870]: Failed password for root from 143.100.67.173 port 13356 ssh2
Feb 2 15:20:07 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:12 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:16 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:20 tank sshd[14874]: Failed password for root from 143.100.67.173 port 30595 ssh2
Feb 2 15:20:23 tank sshd[14874]: Accepted password for root from 143.100.67.173 我想这个能做你想做的:
awk '$6~/Failed/{a[$11][1]++}; $6~/Accepted/{a[$11][2]++} END{for(i in a){printf "%s\t%s\t%s\n",i,a[i][1],a[i][2]}}' horbaje
143.100.67.173 5 1页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/485650
复制相关文章
相似问题
腾讯云开发者
