Advertisement
joemccray

Quick log analysis

Dec 5th, 2018
1,308
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.57 KB | None | 0 0
  1. ------------------------------------------------------------------
  2. Step 1: Download Putty from here:
  3. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  4.  
  5.  
  6. Step 2: Use putty with the information below to connect to your Linux server
  7. IP Address: 107.191.39.106
  8. Protocol: ssh
  9. Port: 22
  10. username: eayila
  11. password: eayila123
  12.  
  13.  
  14.  
  15.  
  16.  
  17. ##############################################
  18. # Log Analysis with Linux command-line tools #
  19. ##############################################
  20. The following command line executables are found in the Mac as well as most Linux Distributions.
  21.  
  22. cat – prints the content of a file in the terminal window
  23. grep – searches and filters based on patterns
  24. awk – can sort each row into fields and display only what is needed
  25. sed – performs find and replace functions
  26. sort – arranges output in an order
  27. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  28.  
  29.  
  30. ##############
  31. # Cisco Logs #
  32. ##############
  33.  
  34. -----------------------------Type this-----------------------------------------
  35. wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
  36. -------------------------------------------------------------------------------
  37.  
  38. AWK Basics
  39. ----------
  40. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  41.  
  42. -----------------------------Type this-----------------------------------------
  43. cat cisco.log | awk '{print $5}' | tail -n 4
  44. -------------------------------------------------------------------------------
  45.  
  46.  
  47.  
  48. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  49.  
  50. -----------------------------Type this-----------------------------------------
  51. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  52. -------------------------------------------------------------------------------
  53.  
  54.  
  55.  
  56. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  57.  
  58. -----------------------------Type this-----------------------------------------
  59. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  60. -------------------------------------------------------------------------------
  61.  
  62.  
  63.  
  64.  
  65. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  66.  
  67. -----------------------------Type this-----------------------------------------
  68. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  69.  
  70. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  71.  
  72. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  73.  
  74. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  75. --------------------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement