joemccray

Quick log analysis

Dec 5th, 2018
------------------------------------------------------------------
Step 1: Download Putty from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


Step 2: Use putty with the information below to connect to your Linux server
IP Address: 107.191.39.106
Protocol: ssh
Port: 22
username: eayila
password: eayila123



##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command-line executables are found on macOS as well as in most Linux distributions.

cat – prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk – can split each row into fields and display only what is needed
sed – performs find-and-replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates


##############
# Cisco Logs #
##############

-----------------------------Type this-----------------------------------------
wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
-------------------------------------------------------------------------------

AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-------------------------------------------------------------------------------


Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in $5, group them together, count them, then sort them from the greatest to the least number of occurrences. This can be done by piping the output through "sort", using "uniq -c" to count the like entries, then using "sort -rn" to sort the counts in reverse numeric order.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------


While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain a "%FACILITY-LEVEL-MNEMONIC" token. The pattern is quoted so the shell does not expand the * and [ ] characters as filename globs before grep sees them.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------


Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep. The sed step below strips the comma that follows the interface name, so the interface lands cleanly in $10 and the new state in $14.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep '%LINEPROTO-5-UPDOWN:'

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------
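An added example, not part of joemccray's paste: the same grep/sed/awk/sort/uniq pipelines wrapped in shell functions and run over a constructed Cisco syslog sample so they can be tested offline, plus a defender's follow-up that flags interfaces whose "down" count reaches a threshold (a crude flapping-link check). The sample log lines, the function names and the threshold are assumptions; the field positions ($5, $10, $14) follow the paste.

```shell
#!/bin/sh
# Added example, not the original paste's code. Field numbers match the layout
# the paste assumes: "Mon DD HH:MM:SS host %FACILITY-SEV-MNEMONIC: message".

# Constructed sample log: five mnemonic lines plus two lines with no mnemonic,
# which an unfiltered "$5" count would otherwise report as bogus log types.
SAMPLE_LOG='Dec  5 10:01:02 10.0.0.1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Dec  5 10:01:05 10.0.0.1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Dec  5 10:01:09 10.0.0.1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Dec  5 10:02:00 10.0.0.1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
Dec  5 10:02:30 10.0.0.2 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Dec  5 10:03:10 10.0.0.1 last message repeated 2 times
Dec  5 10:03:20 10.0.0.2 Router uptime is 3 weeks, 2 days'

# Count each facility-severity-mnemonic ($5), dropping lines that carry no
# "%FACILITY-LEVEL-MNEMONIC:" token first (the paste's filtered awk step).
count_mnemonics() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E '%[A-Za-z_]+-[0-9]-[A-Za-z_]+:' \
        | awk '{print $5}' | sort | uniq -c | sort -rn
}

# Per-interface state changes: sed removes the comma after the interface name
# so the new state lands in $14, then "interface changed to state" is grouped.
interface_transitions() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep '%LINEPROTO-5-UPDOWN:' \
        | sed 's/,//g' \
        | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
}

# Defender's follow-up (assumed extension): interfaces whose "down" count
# reaches the threshold, the simplest signal of a flapping or unplugged link.
flapping_interfaces() {
    threshold="${1:-2}"
    printf '%s\n' "$SAMPLE_LOG" \
        | grep '%LINEPROTO-5-UPDOWN:' \
        | sed 's/,//g' \
        | awk -v t="$threshold" '$14 == "down" { n[$10]++ }
               END { for (i in n) if (n[i] >= t) print i, n[i] }' | sort
}

count_mnemonics
interface_transitions
flapping_interfaces 2
```

Replace SAMPLE_LOG with `cat cisco.log` to run the same functions against the downloaded file.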