Tip: Simple Regular Expressions For Reviewing Log Files - page 2
Cutting Through the Noise With grep
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts (on Red Hat-style systems the same entries land in /var/log/secure). The -i option does a case-insensitive search, so it catches both the "authentication failure" and "Failed password" spellings:
$ grep -i "fail" /var/log/auth.log
...
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
...
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power — at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep "12.34.45.67" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say. Two small refinements for a count like this: grep -c gives you the number of matching lines without the pipe to wc, and since an unescaped dot matches any character, use grep -F (or escape the dots) when you want the address treated literally.
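The grep-and-count above answers the question for one address you already noticed. As an added example, not code from the original article, the script below does the next thing you would want: tally "Failed password" entries per source address and flag the persistent ones. The log lines are constructed for the example (the "invalid user" variant is included because its word positions differ from the plain form), and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original article): count failed SSH logins
# per source address in an auth.log-style file and flag persistent sources.
# The sample below is constructed; feed "< /var/log/auth.log" for real data.

AUTH_SAMPLE='Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 12.34.45.67 port 3210 ssh2
Sep 13 16:27:02 server02 sshd[27470]: Failed password for invalid user admin from 12.34.45.67 port 3211 ssh2
Sep 13 16:30:15 server02 sshd[27480]: Failed password for carla from 192.168.1.20 port 40022 ssh2
Sep 13 16:31:00 server02 sshd[27481]: Accepted password for carla from 192.168.1.20 port 40023 ssh2
Sep 13 16:35:44 server02 sshd[27490]: Failed password for root from 10.0.0.9 port 5555 ssh2'

# Print "count address" for every source with a "Failed password" entry,
# busiest first (ties broken by address so the order is stable). The address
# is the word after "from", which handles both "for USER from" and
# "for invalid user USER from".
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break } }' |
    sort | uniq -c | sort -k1,1nr -k2,2 |
    awk '{ print $1, $2 }'
}

# Count entries mentioning one address. -F makes the dots literal (a bare
# "." would match any character), the trailing " port" stops 12.34.45.6 from
# matching 12.34.45.67, and -c replaces the pipe to wc -l.
count_from_ip() {
    grep -F -c "from $1 port"
}

# List addresses with at least $1 failures, one per line.
persistent_sources() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AUTH_SAMPLE" | failed_by_ip
printf '%s\n' "$AUTH_SAMPLE" | count_from_ip 12.34.45.67
printf '%s\n' "$AUTH_SAMPLE" | persistent_sources 2
```

The per-address list is what you would feed into an iptables rule or a blocklist; the threshold in persistent_sources keeps one mistyped password from your own LAN out of that list.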
Syslog, The Dumping Ground
The syslog — /var/log/syslog — is a dumping ground for log entries from all kinds of daemons, such as Samba and cron:
$ grep -i samba /var/log/syslog
Sep 13 08:50:47 windbag nmbd[1123]: become_logon_server_success: Samba is now a logon server for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:50:51 windbag nmbd[1123]: Samba server WINDBAG is now a domain master browser for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:51:06 windbag nmbd[1123]: Samba name server WINDBAG is now a local master browser for workgroup HOMENET on subnet 192.168.1.5
$ grep -i cron /var/log/syslog
Aug 18 21:18:01 windbag /USR/SBIN/CRON[1752]: (amavis) CMD (test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1)
These two snippets show the same simple grep answering two different questions: that Samba's nmbd took on the logon server and browser roles you expected, and that your cron jobs ran when you scheduled them.
Another useful item in /var/log/syslog is those strange-looking MARK messages:
Sep 13 19:10:30 windbag -- MARK --
Sep 13 19:30:30 windbag -- MARK --
Sep 13 19:50:30 windbag -- MARK --
syslogd writes one at a fixed interval, set with its -m option; the default is 20 minutes, which is the spacing above. This is where you find out if your system rebooted during the night when it wasn't supposed to: the MARK sequence will be interrupted, and you'll see shutdown and startup messages in the gap. A gap with no shutdown or startup messages around it is worth a look too, since it means syslogd itself stopped writing for a while.
Resources
- See the man pages for grep, cut, and wc.
- Linux in a Nutshell, by Ellen Siever, is my #1 indispensable Linux command reference.
Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook, and is the managing editor of LinuxPlanet.
Article courtesy of Enterprise Networking Planet, originally published September 15, 2004