Tip: Simple Regular Expressions For Reviewing Log Files - page 2
Cutting Through the Noise With grep
Crafting clever, complex regular expressions is quite fun, and a more worthy use of one's time than comatose drooling in front of "Reality TV." However, there are many simple searches that do the job just fine. You can search /var/log/auth.log quickly to see if anyone has made an inordinate number of failed login attempts. The -i option does a case-insensitive search:
$ grep -i "fail" /var/log/auth.log
Sep 13 16:26:34 server02 PAM_unix[27462]: authentication failure; (uid=0) -> root for
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 220.127.116.11 port
Sep 13 16:26:38 server02 PAM_unix[27464]: authentication failure; (uid=0) -> root for
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 18.104.22.168 port
Well well, someone came a' knockin' on the SSH (secure shell) door. Knowledge is power — at this point, you could fine-tune your iptables to drop packets from the originating IP, or you could do a little sleuthing to find the source, or you could create a nice honeypot and amuse yourself trapping the no-good person trying to get into your system. You can even count the number of attempts:
$ grep "22.214.171.124" /var/log/auth.log | wc -l
8656
That's a rather persistent little twit, I'd say.
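To count every source at once instead of one address at a time, here is an added example that is not part of the original article. It assumes the standard OpenSSH line ending "from ADDR port N ssh2"; the function names, the sample log lines and the addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally failed SSH password attempts per source address.
# Assumes OpenSSH lines ending "... from ADDR port N ssh2".

# Constructed sample log; addresses are from the documentation ranges.
sample_log() {
cat <<'EOF'
Sep 13 16:26:36 server02 sshd[27462]: Failed password for root from 198.51.100.23 port 40112 ssh2
Sep 13 16:26:40 server02 sshd[27464]: Failed password for root from 198.51.100.23 port 40118 ssh2
Sep 13 16:26:44 server02 sshd[27466]: Failed password for invalid user admin from 198.51.100.23 port 40121 ssh2
Sep 13 16:27:02 server02 sshd[27470]: Failed password for invalid user x from 192.0.2.99 port 1 from 203.0.113.7 port 51515 ssh2
Sep 13 16:27:10 server02 sshd[27471]: Accepted password for carla from 192.0.2.10 port 50022 ssh2
Sep 13 16:27:30 server02 sshd[27475]: Failed password for carla from 192.0.2.10 port 50030 ssh2
EOF
}

# failed_by_source FILE [MIN]
# Print "COUNT ADDR" for each source with at least MIN failures, busiest first.
failed_by_source() {
    log=$1
    min=${2:-1}
    # Match only sshd failures, so "Accepted password" and PAM lines are skipped.
    grep 'sshd\[[0-9]*]: Failed password for ' "$log" |
    awk -v min="$min" '
        {
            # The user name is supplied by the remote client and may itself
            # contain the word "from", so take the last "from" on the line.
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END {
            for (addr in count)
                if (count[addr] >= min) print count[addr], addr
        }' |
    sort -k1,1nr -k2,2
}
```

Called as `failed_by_source /var/log/auth.log 20`, it lists only the sources with 20 or more failures.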
Syslog, The Dumping Ground
The syslog — /var/log/syslog — is a dumping ground for log entries from all kinds of daemons, such as Samba and cron:
$ grep -i samba /var/log/syslog
Sep 13 08:50:47 windbag nmbd[1123]: become_logon_server_success: Samba is now a logon server for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:50:51 windbag nmbd[1123]: Samba server WINDBAG is now a domain master browser for workgroup HOMENET on subnet 192.168.1.5
Sep 13 08:51:06 windbag nmbd[1123]: Samba name server WINDBAG is now a local master browser for workgroup HOMENET on subnet 192.168.1.5
$ grep -i cron /var/log/syslog
Aug 18 21:18:01 (amavis) CMD (test -e /usr/bin/sa-learn && test -e /usr/sbin/amavisd-new && /usr/bin/sa-learn --rebuild >/dev/null 2>&1)
These two snippets demonstrate that you can verify that certain Samba functions are working correctly, and that your cron jobs are running when you want.
Another useful item in /var/log/syslog is those strange-looking MARK messages:
Sep 13 19:10:30 windbag -- MARK --
Sep 13 19:30:30 windbag -- MARK --
Sep 13 19:50:30 windbag -- MARK --
This is where you find out if your system rebooted during the night when it wasn't supposed to; the MARK sequence will be interrupted, and you'll see shutdown and startup messages.
- See the man pages for grep, cut, and wc.
- Linux in a Nutshell, by Ellen Siever, is my #1 indispensable Linux command reference.
Article courtesy of Enterprise Networking Planet, originally published September 15, 2004