February 20, 2019

Tip: Simple Regular Expressions For Reviewing Log Files - page 2

Cutting Through the Noise With grep

  • November 19, 2008
  • By Carla Schroder

Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search:

$ grep -i "fail" /var/log/auth.log
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from port 3210 ssh2
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for ssh service
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from port 3210 ssh2

Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power — at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:

$ grep "" /var/log/auth.log | wc -l

That's a rather persistent little twit, I'd say.
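
As an added example (not part of the original article), the shell functions below tally failed SSH password attempts per source address, so you can see which source is responsible before deciding what to block. The function names and the sample log lines are constructed for illustration; the addresses come from the reserved documentation ranges.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address.

# Constructed sample data; addresses are from the documentation ranges.
sample_log() {
cat <<'EOF'
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 203.0.113.7 port 3210 ssh2
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 203.0.113.7 port 3211 ssh2
Sep 13 16:27:02 server02 sshd[27470]: Failed password for invalid user admin from 203.0.113.7 port 3215 ssh2
Sep 13 16:30:11 server02 sshd[27481]: Accepted password for carla from 192.0.2.10 port 40022 ssh2
Sep 13 16:31:45 server02 sshd[27490]: Failed password for carla from 198.51.100.23 port 51514 ssh2
Sep 13 16:32:00 server02 CRON[27495]: (root) CMD (echo "Failed password for x from 10.0.0.1 port 1 ssh2")
EOF
}

# Reads auth.log lines on stdin and prints "count address", busiest first.
# grep keeps only lines written by sshd itself, so the same words logged by
# another program (the CRON line above) are not counted.
# In sed, the greedy ".*" and the "$" anchor take the address from the end
# of the line, so a user name containing " from " cannot shift the match.
failed_by_source() {
    grep -E ' sshd\[[0-9]+\]: Failed password for ' |
        sed -n 's/.* from \([^ ]*\) port [0-9]* ssh2$/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }' |
        sort -k1,1nr -k2,2
}

# Filters the tally down to addresses with at least $1 failures.
over_threshold() {
    awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo on the constructed sample. On a real system you would run:
#   failed_by_source < /var/log/auth.log | over_threshold 5
sample_log | failed_by_source
```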

Syslog, The Dumping Ground

The syslog — /var/log/syslog — is a dumping ground for log entries from all kinds of daemons, such as Samba and cron:

$ grep -i samba /var/log/syslog
Sep 13 08:50:47 windbag nmbd[1123]: become_logon_server_success: Samba is now a logon server for workgroup HOMENET on subnet
Sep 13 08:50:51 windbag nmbd[1123]: Samba server WINDBAG is now a domain master browser for workgroup HOMENET on subnet
Sep 13 08:51:06 windbag nmbd[1123]: Samba name server WINDBAG is now a local master browser for workgroup HOMENET on subnet

$ grep -i cron /var/log/syslog
Aug 18 21:18:01 windbag /USR/SBIN/CRON[1752]: (amavis) CMD (test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1)

These two snippets demonstrate that you can verify that certain Samba functions are working correctly, and that your cron jobs are running when you want.

Another useful item in /var/log/syslog is those strange-looking MARK messages:

Sep 13 19:10:30 windbag -- MARK --
Sep 13 19:30:30 windbag -- MARK --
Sep 13 19:50:30 windbag -- MARK --

This is where you find out if your system rebooted during the night when it wasn't supposed to; the MARK sequence will be interrupted, and you'll see shutdown and startup messages.


  • See the man pages for grep, cut, and wc.
  • Linux in a Nutshell, by Ellen Siever, is my #1 indispensable Linux command reference.

Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook, and is the managing editor of LinuxPlanet.

Article courtesy of Enterprise Networking Planet, originally published September 15, 2004
