Gawk SSH Log Report

October 2, 2012

Gawk Man Page

Gawk (GNU awk) is a text-processing language for extracting, transforming and formatting line-oriented text such as log files.

There are countless uses for gawk, but here we will build a report from the sshd log. Once you have the report you can email it, archive it, or use it to audit who logged in from where.

The first thing we want to do is add a header to our report. A gawk program is a list of pattern/action rules, and the special BEGIN pattern runs its action once, before any input is read, so it is the natural place for a header. We want to capture the date, IP and user from each log entry; the header looks like this:

Program:

[root@live scripts]$ gawk 'BEGIN {
print " Date          IP          User ";
print "------       ------        ----" }'

Output:

  Date          IP          User
------       ------        ----

Let’s talk about this. Because the code is inside a BEGIN rule, gawk runs it before reading any input. The statements between the braces are separated by semicolons (a newline works too). The whole program is wrapped in single quotes so that the shell hands it to gawk untouched; without them the shell would try to expand $1, $2 and so on as its own positional parameters before gawk ever saw them.

Now let’s process the log itself. gawk reads its input one record at a time; by default a record is a line, and each line is split into fields on runs of whitespace (spaces and tabs), not on a single space. The separator can be changed with the -F option or the FS variable. Adding a rule that extracts the fields we want, the program now looks like this:

Program:

[root@live scripts]$ gawk 'BEGIN {
print " Date          IP          User ";
print "------       ------        ----" }
/Accepted/{printf "%-s/%-6s %-15s %s\n", $1, $2, $11, $9}' /var/log/secure

Output:

  Date          IP          User
------       ------        ----
Feb/13     192.168.1.7     root
Feb/13     192.168.1.2     john
Feb/14     192.168.1.67    kevin
Feb/14     192.168.1.5     mcLovin
Feb/14     192.168.1.5     jamesBond
Feb/14     192.168.1.5     robbie
Feb/15     192.168.1.54    root
Feb/16     192.168.1.2     root
Feb/17     192.168.1.5     mcLovin

The new rule, /Accepted/, is a regular-expression pattern: its action runs only for lines that contain the text Accepted. sshd logs every successful authentication as “Accepted <method> for <user> from <address>”, so matching that word selects successful logins (failures are logged as “Failed password for …” and can be reported the same way). The action uses printf, which works much as it does in C and most other languages, to pad and align the columns.

Fields are accessed with the $ symbol followed by the field number ($0 is the whole line and NF holds the number of fields). For the log line below, $1 is the month, $2 the day, $11 the IP and $9 the user. Note that these positions assume the traditional syslog timestamp shown here; if your syslog daemon writes a single ISO 8601 timestamp instead of “Feb 14 05:33:53”, every field number after it shifts down by two. On Debian-derived systems the equivalent file is /var/log/auth.log rather than /var/log/secure.

Feb 14 05:33:53 localhost sshd[23457]: Accepted password for kevin from 192.168.1.67 port 20833 ssh2

Just as BEGIN runs before the input, the special END pattern runs its action once after the last input line has been processed. It is the natural place for a summary, such as a count of the logins the report listed.

For easier scripting, put the program in a file and run it with the -f option:

gawk -f program /var/log/secure
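Putting BEGIN, the per-line rules, END and the -f form together, here is an added example (not code from the original post) that goes a little beyond it: the report also counts “Failed password” attempts per source address, and it locates the user and IP by the words around them rather than by fixed field number, because a “Failed password for invalid user admin from …” line pushes those values two fields to the right. The log lines are constructed for the example, not a real /var/log/secure; the helper names write_program and ssh_report are my own. Nothing gawk-specific is used, so the script falls back to plain awk when gawk is not installed.

```shell
#!/bin/sh
# Added example, not the original post's code: a BEGIN/rules/END report
# run from a program file with "gawk -f" over constructed sshd log lines.
# Falls back to plain awk if gawk is absent; no gawk-only features are used.
AWK=$(command -v gawk || command -v awk)

# Constructed sample log (made up, same syslog layout as the post). The last
# line shows why fixed field numbers are fragile: "invalid user" shifts the
# user name and the address two fields to the right.
SAMPLE_LOG='Feb 14 05:33:53 localhost sshd[23457]: Accepted password for kevin from 192.168.1.67 port 20833 ssh2
Feb 14 05:35:10 localhost sshd[23460]: Failed password for root from 10.0.0.9 port 41022 ssh2
Feb 14 05:35:12 localhost sshd[23460]: Failed password for root from 10.0.0.9 port 41022 ssh2
Feb 14 05:36:01 localhost sshd[23470]: Accepted publickey for john from 192.168.1.2 port 50110 ssh2
Feb 15 09:12:44 localhost sshd[23501]: Accepted password for root from 192.168.1.54 port 22100 ssh2
Feb 15 09:13:02 localhost sshd[23503]: Failed password for invalid user admin from 10.0.0.9 port 41100 ssh2'

# Write the awk program to the file named in $1 (hypothetical helper).
write_program() {
    cat > "$1" <<'EOF'
# Header: the BEGIN action runs once before any input is read.
BEGIN {
    printf "%-10s %-15s %-10s %s\n", "Date", "IP", "User", "Result"
    printf "%-10s %-15s %-10s %s\n", "----", "--", "----", "------"
}

# Find the user and address by the words "for" and "from" that precede them,
# so both "for kevin from" and "for invalid user admin from" parse correctly.
# Sets the globals user and ip; i is a local (the extra parameter idiom).
function extract(    i) {
    user = ""; ip = ""
    for (i = 1; i <= NF; i++) {
        if ($i == "for") {
            if ($(i+1) == "invalid" && $(i+2) == "user") user = $(i+3)
            else user = $(i+1)
        }
        if ($i == "from") ip = $(i+1)
    }
}

# Successful logins: one report line each, plus a running count.
/sshd\[[0-9]+\]: Accepted / {
    extract()
    printf "%-10s %-15s %-10s %s\n", $1 "/" $2, ip, user, "accepted"
    ok++
}

# Failures are only tallied per source address.
/sshd\[[0-9]+\]: Failed password/ {
    extract()
    failed[ip]++
}

# Summary: the END action runs once after the last line.
END {
    printf "\n%d successful logins\n", ok
    for (ip in failed) printf "%d failed logins from %s\n", failed[ip], ip
}
EOF
}

# Run the report over the sample log and print it (hypothetical helper).
ssh_report() {
    prog=$(mktemp)
    write_program "$prog"
    printf '%s\n' "$SAMPLE_LOG" | "$AWK" -f "$prog"
    rm -f "$prog"
}

ssh_report
```

To run it against a real log, replace the printf of SAMPLE_LOG with the file name as the last argument to gawk, exactly as in the -f form above.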

As always check out the man page for more extensive options and thanks for the visit.
