This post was last edited by 可可火山 on 2011-12-13 15:41.
After reading a bit of 《sed与awk》 I settled on the logic, and I dropped the part that checks the time, since I did not think it was of much use.
Root logins are not checked, so they are simply ignored.
What used to take me 3 steps now takes just one; script programming is really fun. Thanks everyone for your attention.
[user@fingerprint (0)]$cat messages
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.notice] Failed none for user1 from 10.140.1.107 port 37702 ssh2
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Found matching DSA key: 55:f9:98:93:ff:ff:ff:ff:00:63:bf:7c:19:88:f4:a9
Dec 12 03:38:19 server last message repeated 1 time
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Accepted publickey for user1 from 10.140.1.107 port 37702 ssh2
Dec 12 03:39:46 server sshd[23207]: [ID 800047 auth.info] Connection closed by 10.140.1.107
Dec 12 03:39:46 server sshd[23207]: [ID 800047 auth.info] Closing connection to 10.140.1.107
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.notice] Failed none for root from 10.140.1.107 port 37702 ssh2
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Found matching DSA key: rr:f9:98:93:ff:ff:ff:ff:00:63:bf:7c:19:88:f4:a9
Dec 12 03:38:19 server last message repeated 1 time
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Accepted publickey for root from rr.140.1.107 port 37702 ssh2
Dec 12 03:39:46 server sshd[23207]: [ID 800047 auth.info] Connection closed by 10.140.1.107
Dec 12 03:39:46 server sshd[23207]: [ID 800047 auth.info] Closing connection to 10.140.1.107
Dec 12 10:29:03 server sshd[23207]: [ID 800047 auth.notice] Failed none for user2 from 10.228.1.95 port 62189 ssh2
Dec 12 10:29:03 server sshd[23207]: [ID 800047 auth.info] Found matching DSA key: e3:b1:14:e4:b5:ff:ff:ff:ac:68:65:fa:cc:9e:d6:a4
Dec 12 10:29:03 server last message repeated 1 time
Dec 12 10:29:03 server sshd[23207]: [ID 800047 auth.info] Accepted publickey for user2 from 10.228.1.95 port 62189 ssh2
Dec 12 10:29:03 server sshd[23207]: [ID 800047 auth.info] Connection closed by 10.228.1.95
Dec 12 10:29:03 server sshd[23207]: [ID 800047 auth.info] Closing connection to 10.228.1.95
[user@fingerprint (0)]$cat extractlogon.awk
{ if( $0 ~ /Found matching/ ) { fingerprint[$5]=$13 } else if ( $0 ~ /Accepted publickey/ && $12 != "root" ) { print fingerprint[$5],$12,$14;delete fingerprint[$5] } }
[user@fingerprint (0)]$awk -f extractlogon.awk messages
55:f9:98:93:ff:ff:ff:ff:00:63:bf:7c:19:88:f4:a9 user1 10.140.1.107
e3:b1:14:e4:b5:ff:ff:ff:ac:68:65:fa:cc:9e:d6:a4 user2 10.228.1.95
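The following is an added example, not the poster's extractlogon.awk. It keeps the same idea (remember the "Found matching ... key:" fingerprint under the sshd process field, emit it when that same process logs "Accepted publickey") and the same field positions, which assume the Solaris-style syslog layout shown in the post ($5 = "sshd[pid]:", $13 = fingerprint, $12 = user, $14 = client IP). It goes beyond the post in three ways: it matches any key type rather than only DSA, it reports root logins tagged ROOT instead of dropping them, and it forgets a process's stored fingerprint when its connection closes without an accept, so a later connection that reuses the pid cannot inherit a stale fingerprint (an accept with nothing stored prints "-"). The sample log is constructed for the example and is not real data; the user3 and 23300/23450 pid entries are hypothetical.

```shell
#!/bin/sh
# Added example, not the forum poster's script. Same idea: key the
# "Found matching ... key:" fingerprint on the sshd process field ($5,
# "sshd[pid]:") and emit it when that process logs "Accepted publickey".
# Assumes the Solaris-style syslog layout shown in the post, so that
# $13 = fingerprint, $12 = user, $14 = client IP.

extract_logons() {
    # Reads messages-format lines on stdin; prints: fingerprint user ip tag
    awk '
    /Found matching [A-Z0-9]+ key:/ {
        fp[$5] = $13          # fingerprint offered to this sshd process
        next
    }
    /Accepted publickey/ {
        key = ($5 in fp) ? fp[$5] : "-"
        tag = ($12 == "root") ? "ROOT" : "user"
        print key, $12, $14, tag
        delete fp[$5]
        next
    }
    /Closing connection to/ {
        delete fp[$5]         # auth never completed: drop state for this pid
    }'
}

sample_messages() {
    # Constructed sample in the layout of the post, not real log data:
    #   pid 23207: normal user1 login
    #   pid 23300: offers a key, connection closes, pid later reused by user3
    #              with no key line logged (would inherit the stale key
    #              without the cleanup rule above)
    #   pid 23450: root login
    cat <<'EOF'
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.notice] Failed none for user1 from 10.140.1.107 port 37702 ssh2
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Found matching DSA key: 55:f9:98:93:ff:ff:ff:ff:00:63:bf:7c:19:88:f4:a9
Dec 12 03:38:19 server last message repeated 1 time
Dec 12 03:38:19 server sshd[23207]: [ID 800047 auth.info] Accepted publickey for user1 from 10.140.1.107 port 37702 ssh2
Dec 12 03:39:46 server sshd[23207]: [ID 800047 auth.info] Closing connection to 10.140.1.107
Dec 12 04:00:00 server sshd[23300]: [ID 800047 auth.info] Found matching RSA key: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
Dec 12 04:00:01 server sshd[23300]: [ID 800047 auth.info] Closing connection to 10.140.1.50
Dec 12 04:10:00 server sshd[23300]: [ID 800047 auth.info] Accepted publickey for user3 from 10.140.1.60 port 40000 ssh2
Dec 12 05:00:00 server sshd[23450]: [ID 800047 auth.info] Found matching RSA key: cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb
Dec 12 05:00:00 server sshd[23450]: [ID 800047 auth.info] Accepted publickey for root from 10.140.1.107 port 40100 ssh2
EOF
}

# Run against the constructed sample; for a real file: extract_logons < /var/adm/messages
sample_messages | extract_logons
```

The "Closing connection to" rule is the one that matters operationally: without it, user3's line above would be printed with the aa:bb:... fingerprint that a different connection on the same pid offered earlier, attributing a key to the wrong login. On a different syslog layout (no "[ID ... auth.info]" prefix, or a hostname with spaces) the field numbers shift, so check them with awk '{print $5, $12, $13, $14}' on a few lines before trusting the output.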