Tip: Simple Regular Expressions For Reviewing Log Files - page 2
Cutting Through the Noise With grep
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log (the Debian-style location; Red Hat derivatives write the same events to /var/log/secure) quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search, which matters here because PAM logs "authentication failure" while sshd logs "Failed password":
$ grep -i "fail" /var/log/auth.log
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 188.8.131.52 port
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 184.108.40.206 port
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power — at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep "220.127.116.11" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say.
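The searches above, carried one step further as an added example (this is not code from the original article): instead of counting one address you already know about, pull the source address out of every "Failed password" line and tally them, so the most persistent host rises to the top. The log lines, hostnames, PIDs and addresses below are constructed so the script runs offline; real auth.log entries carry the same fields.

```shell
#!/bin/sh
# Added example: tally failed SSH logins per source IP in an auth.log-style
# file. The sample log is constructed (made-up hosts, PIDs and addresses).
set -eu

AUTH_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
trap 'rm -f "$AUTH_LOG"' EXIT
cat >"$AUTH_LOG" <<'EOF'
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 203.0.113.5 port 4242 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 203.0.113.5 port 4243 ssh2
Sep 13 16:27:01 server02 sshd[27470]: Failed password for admin from 198.51.100.7 port 5050 ssh2
Sep 13 16:27:09 server02 sshd[27471]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
Sep 13 16:27:15 server02 sshd[27472]: Failed password for invalid user test from 203.0.113.5 port 4250 ssh2
EOF

# The article's first search, case-insensitive. Note that this counts both
# the PAM record and the sshd record of the same attempt, so it overstates
# the number of attempts by roughly two to one.
count_failures() {
    grep -ic 'fail' "$1" || true
}

# Only sshd's "Failed password" records, which carry the source address.
count_failed_passwords() {
    grep -c 'sshd\[[0-9]*\]: Failed password' "$1" || true
}

# Per-source tally, most persistent first. sed keeps just the address that
# follows "from"; sort | uniq -c counts each; awk drops uniq's padding.
# Output format: "<count> <ip>".
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Attempts from one address: the article's "grep IP | wc -l", done with -c.
# "|| true" keeps a zero count from aborting the script under set -e.
attempts_from() {
    grep -c "from $2 port" "$1" || true
}

count_failures "$AUTH_LOG"
count_failed_passwords "$AUTH_LOG"
failed_by_ip "$AUTH_LOG"
attempts_from "$AUTH_LOG" 203.0.113.5
```

Anchoring the address between "from" and "port" avoids matching a number that happens to appear elsewhere on the line, and quoting the literal brackets in `sshd\[[0-9]*\]` keeps grep from reading them as a character class.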
Syslog, The Dumping Ground
The syslog — /var/log/syslog — is a dumping ground for log entries from all kinds of daemons, such as Samba and cron:
$ grep -i samba /var/log/syslog
Sep 13 08:50:47 windbag nmbd[1123]: become_logon_server_success: Samba is now a logon server for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:50:51 windbag nmbd[1123]: Samba server WINDBAG is now a domain master browser for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:51:06 windbag nmbd[1123]: Samba name server WINDBAG is now a local master browser for workgroup HOMENET on subnet 192.168.1.5
$ grep -i cron /var/log/syslog
Aug 18 21:18:01 (amavis) CMD (test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1)
These two snippets show that you can verify from the log alone that particular Samba functions are working, and that your cron jobs are actually running at the times you scheduled them.
Another useful item in /var/log/syslog is those strange-looking MARK messages:
Sep 13 19:10:30 windbag -- MARK --
Sep 13 19:30:30 windbag -- MARK --
Sep 13 19:50:30 windbag -- MARK --
syslogd writes one of these every 20 minutes by default (the interval is set with its -m option, and -m 0 turns them off). This is where you find out if your system rebooted during the night when it wasn't supposed to: the regular MARK sequence will be interrupted, and in its place you'll see shutdown and startup messages.
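Reading the MARK sequence by eye works for one night's log; for a month of it you want the gaps found for you. The following added example (not from the original article) pulls the MARK lines out of a syslog-style file and reports any two consecutive marks further apart than the expected interval plus a minute of slack. The sample log is constructed, including the restart line, and the script assumes the default 20-minute interval and that the log does not span a year boundary (syslog timestamps carry no year).

```shell
#!/bin/sh
# Added example: report gaps in syslogd's "-- MARK --" heartbeat.
# The sample log below is constructed; the 20-minute interval is syslogd's
# default (-m). Assumes all entries fall within one non-leap year.
set -eu

SYSLOG="${TMPDIR:-/tmp}/syslog.sample.$$"
trap 'rm -f "$SYSLOG"' EXIT
cat >"$SYSLOG" <<'EOF'
Sep 13 19:10:30 windbag -- MARK --
Sep 13 19:30:30 windbag -- MARK --
Sep 13 19:50:30 windbag -- MARK --
Sep 13 23:50:30 windbag -- MARK --
Sep 14 00:10:30 windbag -- MARK --
Sep 14 00:30:30 windbag -- MARK --
Sep 14 02:30:58 windbag syslogd 1.4.1: restart.
Sep 14 02:31:12 windbag -- MARK --
Sep 14 02:51:12 windbag -- MARK --
EOF

# mark_gaps LOGFILE INTERVAL_MINUTES
# Prints one line per gap between consecutive MARK entries that exceeds
# INTERVAL_MINUTES by more than 60 seconds. Month/day/time are folded into
# seconds-since-January-1 so a gap across midnight is measured correctly.
mark_gaps() {
    grep -e '-- MARK --' "$1" | awk -v interval="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        # days elapsed before the first of each month (non-leap year)
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
        limit = interval * 60 + 60      # one minute of slack for jitter
    }
    {
        split($3, t, ":")
        now = (cum[mon[$1]] + $2) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        if (NR > 1 && now - prev > limit)
            printf "gap of %d min between \"%s\" and \"%s\"\n", \
                   (now - prev) / 60, prevline, $0
        prev = now
        prevline = $0
    }'
}

mark_gaps "$SYSLOG" 20
```

On the sample this flags the four-hour silence before 23:50 and the two-hour one before 02:31. The second gap is the one the article describes: syslogd came back at 02:30:58 and the marks resumed on a new 20-minute schedule offset from the old one, so the surrounding startup messages are where to look next.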
- See the man pages for grep, cut, and wc.
- Linux in a Nutshell, by Ellen Siever, is my #1 indispensable Linux command reference
Article courtesy of Enterprise Networking Planet, originally published September 15, 2004