Simple shell script for Security Log statistics in CentOS

Source: Internet
Author: User

Simple shell script for Security Log statistics in CentOS

Every time you sort out security logs, it is very troublesome. You can simply edit a script to count the total number of attacks per month, the total number of each attack type, and the top 10 ip addresses of attacks, and recorded in an excel document. Thank you for your attention.

The log format is as follows:

Sensitive customer information is processed.

The following are specific explanations:

#! /Bin/bash

Read-p "please input the path of your logfiles, The Default is current path.

(Warning: Do not exists any other files !) : "Path # accept user input with path variable

Echo "The tool is working, it's depends on your file size. the pid is $, please wait... "# $ indicates the process Number of the current Working Process. Here, it indicates the process number that the shell is working on.

Countf1_statisticslog.xls # define the last generated file

If [-n "$ path"] #-n test whether the path variable value is not empty

Then

Directory = $ path

Else

Directory = $ PWD # store variable values in directory

Fi

For file in $ directory/* # use the file variable to loop all files in the path. Therefore, the system prompts that the user cannot have other files except the log file and the file.

Do

If ["$ file "! = "$ Directory/*"] # test whether the file variable is just the input path name

Then

Cat $ file> "temp.txt" 2>/dev/null # ">" # indicates that the content is appended to a new file. This indicates that the content is appended to the temporary temp.txt file. This indicates that all work in the temporary file is performed. after completion

# Will automatically delete the following:

#2>/dev/null indicates no error message is displayed./dev/null

# A bottomless pit

Else

Echo "There are no files in your input path! "& Exit 1 # make an error and exit

Fi

Done

Sed-I '/^ [^ 0-9]/d' temp.txt # Remove the rows starting with a non-number.-I is executed directly without being output to the screen, ^ [^ 0-9] Regular Expression matching a row that does not start with a number d indicates deleting/^ [^ 0-9]/d Indicates deleting a row that does not start with a number

Sed-I '/^ $/d' temp.txt # Remove empty rows ^ $ is the result of a regular expression representing empty rows

Printf "This section is the total attacks order by month: \ n" >>$ countf # ">>>" the same applies to the predefined statisticslog.xls file.

Printf "Mounth \ tSum \ n"> $ countf

# The following statistics show the total number of attacks per month and sort them.

Awk 'in in {FS = "-" ;}{ a [$2] + = 1 ;}end {for (I in) printf ("% d \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2> $ countf

# Awk: The work in braces after BEGIN indicates to define the domain Separator of each row before awk processes each row. It is not set to space by default. Here "-" is used as the division of each field.

# The braces in the middle indicate that each line of work is used here to count the total number of attacks per month. For example, 2013-01-03 $2 indicates that the second domain is 01 $0 and all are 2013-01-03.

# The END braces indicate that each row is processed by the awk. Here, every element in array a is traversed, that is, the month is printed on the screen. \ t stands for the tab. \ n stands for the carriage return.

# Sort is sorting-n indicates sorting by numbers. For example, if 2 and 10 do not add-n, the 10 will be placed before 2.-r is inverted.-k indicates sorting by the second field. Here we use the sum attack Count sorting

Printf "\ n ************************************ * ****************** \ n "> $ countf

Printf "This section is the total attacks order by ip, it's top 10: \ n" >>$ countf

Printf "ip \ tSum \ n"> $ countf

# The following statistics show the total number of attacks for each ip address and rank the top 10 attacks.

Awk '{a [$4] + = 1;} END {for (I in a) printf ("% s \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2 | head-10 >>> countf

# Head-n # display the first n rows

Printf "\ n ************************************ * ****************** \ n "> $ countf

Printf "This section is the total attacks order by sort, it's top 10: \ n" >>$ countf

Printf "sort \ tSum \ n"> $ countf

# The following statistics show the total number of attacks for each attack type and rank the top 10 attacks.

Awk 'in in {FS = "'/'' "} {a [$2] + = 1;} END {for (I in) printf ("% s \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2 | head-10 >>> countf

# Note that single quotes are used as separators to retrieve the form in BEGIN, the full name of the attack type.

# This is because single quotes use string output directly, blocking all special characters. Therefore, use a pair of single quotes to ensure that/'is not escaped, and then use/To Represent' through the outer double quotes.

# Of course, the following is a better understanding

# Awk-F "'"' {a [$2] + = 1;} END {for (I in a) printf ("% s \ t % d \ n ", i, a [I]);} 'temp.txt | sort-nr-k 2 | head-10> $ countf

#-F is also used to set domain delimiters. In shell, double quotation marks are not strict with single quotation marks, which will explain the meaning of special characters.

Rm-rf temp.txt # Delete temporary files

Echo "It's finished, enjoy your job! "& Exit 0 # successful exit 0 indicates that the execution is successful. 0 indicates that the execution is successful. 1 indicates that the execution fails.

* ******************************** I am a happy line of separation *** **********************************

The script is as follows:

#! /Bin/bash

# Made by ameng

Read-p "please input the path of your logfiles, The Default is current path.

(Warning: Do not exists any other files !) : "Path

Echo "The tool is working, it's depends on your file size. The pid is $, please wait ..."

Countf1_statisticslog.xls

If [-n "$ path"]

Then

Directory = $ path

Else

Directory = $ PWD

Fi

For file in $ directory /*

Do

If ["$ file "! = "$ Directory/*"]

Then

Cat $ file> "temp.txt" 2>/dev/null

Else

Echo "There are no files in your input path! "& Exit 1

Fi

Done

Sed-I '/^ [^ 0-9]/d' temp.txt

Sed-I '/^ $/d' temp.txt

Printf "This section is the total attacks order by month: \ n" >>$ countf

Printf "Mounth \ tSum \ n"> $ countf

Awk 'in in {FS = "-" ;}{ a [$2] + = 1 ;}end {for (I in) printf ("% d \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2> $ countf

Printf "\ n ************************************ * ****************** \ n "> $ countf

Printf "This section is the total attacks order by ip, it's top 10: \ n" >>$ countf

Printf "ip \ tSum \ n"> $ countf

Awk '{a [$4] + = 1;} END {for (I in a) printf ("% s \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2 | head-10 >>> countf

Printf "\ n ************************************ * ****************** \ n "> $ countf

Printf "This section is the total attacks order by sort, it's top 10: \ n" >>$ countf

Printf "sort \ tSum \ n"> $ countf

Awk 'in in {FS = "'\ '''"} {a [$2] + = 1;} END {for (I in) printf ("% s \ t % d \ n", I, a [I]);} 'temp.txt | sort-nr-k 2 | head-10 >>> countf

Rm-rf temp.txt

Echo "It's finished, enjoy your job! "& Exit 0

The result is as follows:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.