Linux RADIUS logs - linux

I have a program called Radius which authenticates user logins. It is running on a CentOS server.
The logs are in /var/log/radius.log
They are as follows:
Mon Jul 24 22:17:08 2017 : Auth: Login incorrect: [faaiz.aleem] (from client PTCL-VPN port 28 cli 116.213.34.97) DeviceIP: 192.168.30.101
Mon Jul 24 23:32:41 2017 : Auth: Login OK: [muhammad.razzaq] (from client PTCL-VPN port 29 cli 45.116.233.62) DeviceIP: 192.168.30.101
Tue Jul 25 03:06:08 2017 : Auth: Login OK: [sadiq.akhter] (from client devices port 1 cli 192.168.141.1) DeviceIP: 1.8.3.11
Tue Jul 25 03:07:54 2017 : Auth: Login OK: [sadiq.akhter] (from client devices port 1 cli 10.88.33.2) DeviceIP: 1.6.16.1
Tue Jul 25 09:44:39 2017 : Auth: Login incorrect: [shariq.iqbal] (from client devices port 1 cli 10.10.10.173) DeviceIP: 1.6.10.11
Now I want to sort them out for each user, e.g. sadiq.akhter, against the last login made by them. Please suggest a good bash script or Linux command to do so. I shall be thankful to you.

A quick solution to get only the lines with a given user (and write them to a file):
grep "USERNAME" /var/log/radius.log > log_for_user.log
The last line you get from grep should be the last login record.
You can use tac to print your log file in reverse order and use "grep -m1 ..." to get only one (the last) match.
This returns the last line with USERNAME inside your log:
tac /var/log/radius.log | grep -m1 "USERNAME"
So in a shell script it can look like this; it returns the most recent entry for every user:
#!/bin/bash
# USERLIST: one username per line; LOGFILE: the radius log file
while IFS= read -r user; do
    # tac reverses the file, so the first match is the most recent entry
    tac LOGFILE | grep -m1 -F -- "$user"
done < USERLIST
where USERLIST is a file listing all usernames, one per line, and LOGFILE is your radius logfile.
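As an added example that is not part of the answer above, the same per-user report done by parsing the record fields instead of grepping for a bare username (which also matches substrings of other names), with a failed-attempt count per user that is handy for spotting password guessing against the VPN. The sample log is constructed from the lines in the question; the function names are my own.

```shell
#!/bin/bash
# Constructed sample in the radius.log format from the question.
RADIUS_SAMPLE='Mon Jul 24 22:17:08 2017 : Auth: Login incorrect: [faaiz.aleem] (from client PTCL-VPN port 28 cli 116.213.34.97) DeviceIP: 192.168.30.101
Mon Jul 24 23:32:41 2017 : Auth: Login OK: [muhammad.razzaq] (from client PTCL-VPN port 29 cli 45.116.233.62) DeviceIP: 192.168.30.101
Tue Jul 25 03:06:08 2017 : Auth: Login OK: [sadiq.akhter] (from client devices port 1 cli 192.168.141.1) DeviceIP: 1.8.3.11
Tue Jul 25 03:07:54 2017 : Auth: Login OK: [sadiq.akhter] (from client devices port 1 cli 10.88.33.2) DeviceIP: 1.6.16.1
Tue Jul 25 09:44:39 2017 : Auth: Login incorrect: [shariq.iqbal] (from client devices port 1 cli 10.10.10.173) DeviceIP: 1.6.10.11'

# Reads radius.log on stdin and prints, per user, one tab-separated line:
#   user  result-of-last-attempt  timestamp  client-ip  failed-attempts-in-file
# The username is taken from between the brackets, so a short name no longer
# matches inside a longer one the way a bare grep would.  Assumes the file is in
# chronological order (the server appends to it), so the last record per user wins.
radius_last_attempt() {
    awk -F' : Auth: Login ' '
        NF == 2 {
            ts = $1
            # $2 is e.g.  OK: [user] (from client NAS port N cli A.B.C.D) DeviceIP: X
            split($2, part, ": \\[")
            result = part[1]
            user = part[2]; sub(/\].*/, "", user)
            cli = $2; sub(/.* cli /, "", cli); sub(/\).*/, "", cli)
            last[user] = user "\t" result "\t" ts "\t" cli
            if (result != "OK") failed[user]++
        }
        END {
            for (u in last) {
                n = (u in failed) ? failed[u] : 0
                print last[u] "\t" n
            }
        }' | sort
}

# Same report restricted to one user (what the question asks for).
radius_last_attempt_for() {
    radius_last_attempt | awk -F'\t' -v u="$1" '$1 == u'
}

printf '%s\n' "$RADIUS_SAMPLE" | radius_last_attempt
```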

Related

Using bash to parse a log for unique MAC addresses

I've got a Debian box set up as a syslog server for a couple of Cisco ASAs. They are running DHCP and I'm attempting to track the unique instances of MAC addresses being assigned a lease. I've set the ASAs to only log the message that the Cisco DHCPd uses, and it sends that to the Debian server as %HOSTIPADDRESS%.log, which then rotates out daily. So I've got a directory that is filled with this:
-rw-r----- 1 syslog adm 536351 Aug 23 06:24 10.10.10.4.log.10
-rw-r----- 1 syslog adm 459634 Aug 22 06:24 10.10.10.4.log.11
-rw-r----- 1 syslog adm 176957 Aug 21 06:24 10.10.10.4.log.12
-rw-r----- 1 syslog adm 246654 Aug 20 06:24 10.10.10.4.log.13
-rw-r----- 1 syslog adm 459978 Aug 19 06:24 10.10.10.4.log.14
-rw-r----- 1 syslog adm 606987 Aug 18 06:21 10.10.10.4.log.15
-rw-r----- 1 syslog adm 599140 Aug 17 06:24 10.10.10.4.log.16
-rw-r----- 1 syslog adm 605837 Aug 16 06:24 10.10.10.4.log.17
-rw-r----- 1 syslog adm 607630 Aug 15 06:24 10.10.10.4.log.18
-rw-r----- 1 syslog adm 189493 Aug 14 06:24 10.10.10.4.log.19
In each of those logs I've got something that looks like this:
Aug 23 06:20:19 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 011c.9148.dbb4.15 (172.16.1.196)
Aug 23 06:20:41 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0138.0f4a.986a.16 (172.16.1.126)
Aug 23 06:20:51 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0190.b686.63c6.a9 (172.16.1.193)
Aug 23 06:20:55 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:21:11 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 012c.0e3d.fcf6.34 (172.16.1.189)
Aug 23 06:21:35 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:21:51 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:22:29 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 5caf.0664.cd18 (172.16.1.212)
Aug 23 06:24:00 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01fc.dbb3.49af.eb (172.16.1.207)
Aug 23 06:24:21 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01a0.3be3.03b4.74 (172.16.1.195)
Aug 23 06:24:39 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01b4.79a7.1895.33 (172.16.1.157)
The problem is that DHCP leases renew, as you can see by the multiple instances of the same device at 172.16.1.211, for instance. I thought I could get around this by setting longer leases, as my understanding of how DHCP works is that leases would not start the renewal process until they reached their half-life, but that is not working.
I'm also running into issues of address pool depletion because my leases are so long, and the ASA model I'm using has a hard limit on the size of its scope.
Long story short, I need to parse those logs and retrieve the number of unique MAC addresses that occur in one of those logs. Any ideas on how this can be accomplished with bash? If I knew how to pull that info from one of the files, I could get through setting up a process to do it for all of them using cron or something. I am not a programmer, however; I'm a network engineer. Any help would be appreciated.
Thanks,
Long story short, I need to parse those logs and retrieve the number of unique MAC addresses that occur in one of those logs.
Yes, given the regular nature of the data in your log files, this is very easy to do with several different tools.
The most basic would be to use cut:
cut -d" " -f13 | sort | uniq -c
A more advanced tool is awk, and it provides many logic enhancements that allow you to add as many conditional statements as you want to filter the data as needed. For your case, though, it is still very simple:
awk '{print $12}' | sort | uniq -c
In both cases, cut and awk, I only had to count over the number of fields in your data to the value of interest, and then specify that as the column (field number, in awk-speak).
(When testing these answers, I found that using cut required -d" " and -f13, for some reason. I thought cut defaulted to -d" ", but I had to specify it explicitly for the code to work.)
Of course, in both examples I'm using the sort and uniq utilities (man uniq for the how-to). uniq has several options, and the -c option indicates count; the data needs to be sorted for the counts to accumulate correctly (I missed that in my original comment).
Just for example, you could extend your counter to filter by the date value at the front of each record with:
awk '/^Aug 23/{print $12}' | sort | uniq -c
But there are many more filtering and logic tools that you can use with awk.
If you're going to be working with logfile data regularly (or other non-XML-like data), I'd recommend working through the Grymoire's Awk Tutorial.
IHTH
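An added example, not part of the answer above, that locates the client identifier by anchoring on the message id and the "address granted" text rather than on a field number, so unrelated ASA messages in the same syslog file are skipped instead of miscounted; it also reports how many grants (renewals) each client received, which is what hides the real device count in a plain line count. The sample lines are copied from the question; the function names are my own.

```shell
#!/bin/bash
# Constructed sample: %ASA-6-604103 lines copied from the question.
ASA_SAMPLE='Aug 23 06:20:19 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 011c.9148.dbb4.15 (172.16.1.196)
Aug 23 06:20:55 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:21:35 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:22:29 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 5caf.0664.cd18 (172.16.1.212)
Aug 23 06:24:00 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01fc.dbb3.49af.eb (172.16.1.207)'

# Reads syslog lines on stdin and prints "grants client-id addresses" per client,
# most frequently renewed first.  Keys on the message id and the words
# "address granted" rather than a field number, so lines of other message
# types that land in the same file are ignored rather than miscounted.
dhcp_grants_by_client() {
    awk '/%ASA-6-604103:/ && /address granted/ {
            for (i = 1; i < NF; i++)
                if ($i == "granted") { id = $(i + 1); ip = $(i + 2) }
            gsub(/[()]/, "", ip)
            grants[id]++
            if (!((id, ip) in seen)) {
                seen[id, ip] = 1
                addrs[id] = (addrs[id] == "" ? ip : addrs[id] "," ip)
            }
        }
        END { for (id in grants) print grants[id], id, addrs[id] }' | sort -rn
}

# The figure the question asks for: distinct client identifiers in one log.
unique_client_count() { dhcp_grants_by_client | wc -l | tr -d ' '; }

# Number of grants recorded for one client identifier.
grants_for() { dhcp_grants_by_client | awk -v id="$1" '$2 == id { print $1 }'; }

printf '%s\n' "$ASA_SAMPLE" | dhcp_grants_by_client
echo "distinct clients: $(printf '%s\n' "$ASA_SAMPLE" | unique_client_count)"
```

For a whole directory of rotated files, run it per file (for f in 10.10.10.4.log.*; do unique_client_count < "$f"; done) or concatenate them to get the count across days.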

last command in linux shows `:0` in 3rd column, what does it mean?

I want to write a shell script to sort out the data that the last command shows.
I got this on my server:
root pts/0 10.168.136.175 Wed Sep 14 14:24 - 14:54 (00:29)
root :0 Mon Sep 12 10:34 - 11:00 (00:25)
reboot system boot 2.6.18-308.el5PA Sun Sep 11 11:31 (86+03:05)
I did some searching; some say that :0.0 in the 3rd column means a local login, and that the second column means what kind of terminal is being used, like pts and tty.
But what does the :0 in the second column of line 2 of my log mean?
I am using Red Hat 6.5.
It means the local computer. Generally each session is represented by a pair ip_address:display_number. When you log in locally the IP address is omitted; that's why there is nothing before the colon. The display number is actually the session number from the specified IP address, so 0 means the first session.

Issue with shell login

There is this strange thing I am seeing.
Whenever I try to ssh into a machine as the root user, I get logged in as "airoot", but the same does not happen for any other user.
[root@ftc-unem32-22s27 onestopsolution]# ssh root@10.33.22.1
Last login: Tue Jun 3 08:19:17 2014 from 10.32.22.27
[airoot@node0fs ~]#
This happens for the root user, but for another user, say User1234, it doesn't:
[root@ftc-unem32-22s27 onestopsolution]# ssh User1234@10.33.22.1
User1234@10.33.22.1's password:
Last login: Tue Jun 3 08:19:09 2014 from 10.32.22.27
[User1234@node0fs ~]$

How to remove terminal control escape sequences in the file?

I got a log from a remote Linux computer. It looks like:
2013-10-23T08:19:05+0300 Last login: Wed Oct 23 08:17:38 EEST 2013 from 10.9.167.55 on pts/0
2013-10-23T08:19:05+0300 Last login: Wed Oct 23 08:19:05 2013 from 10.9.167.55^M
2013-10-23T08:19:07+0300 ^[[?1034h-bash-4.1$ date
2013-10-23T08:19:07+0300 Wed Oct 23 08:19:07 EEST 2013
2013-10-23T08:19:08+0300 -bash-4.1$ ls
2013-10-23T08:19:08+0300 ^[[0m^[[01;34m99^[[0m #avail.info ^[[01;34mgmoTemp^[[0m raml21.dtd SNMP4JTestAgentBC.cfg
2013-10-23T08:19:08+0300 an_mainHost_localhost_20131023081654000136.xml #avail.info~ gsh.txt ^[[01;34mresults^[[0m
2013-10-23T08:19:09+0300 ^[[m-bash-4.1$ exit
2013-10-23T08:19:09+0300 logout
But it should be:
Last login: Wed Oct 23 08:17:38 EEST 2013 from 10.9.167.55 on pts/0
Last login: Wed Oct 23 08:19:05 2013 from 10.9.167.55
-bash-4.1$ date
Wed Oct 23 08:19:07 EEST 2013
-bash-4.1$ ls
99 #avail.info gmoTemp raml21.dtd SNMP4JTestAgentBC.cfg
an_mainHost_localhost_20131023081654000136.xml #avail.info~ gsh.txt results
-bash-4.1$ exit
logout
The messy codes are terminal control escape sequences; you can use the commands "infocmp xterm" and "man terminfo" to get more details.
My question is: how can I remove these terminal control escape sequences from the file?
Thanks a lot!
A simple way to remove most of the control characters is to use the command below in vim:
:%s/<escape-key>\[[0-9;]*m/ /g
Press Ctrl+V followed by the Esc key for the <escape-key> character above. Everything else is the same literal key as on your keyboard.
I use a pipe or direct sed like this:
sed 's/[^[:print:]]\[[^a-zA-Z]*[a-zA-Z]//g' YourFile
I solved this issue using lots of regular expressions, following http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
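An added example that is not from any of the answers above: a sed pipeline that strips CSI sequences (which covers the colour codes and the ^[[?1034h in the question), OSC strings, any other two-byte ESC sequence and the ^M carriage returns, and then drops the timestamp prefix so the captured log comes out as the question says it should. The function names are my own; the sample input is constructed from two of the question's lines with the escape byte written as \033.

```shell
#!/bin/bash
# Removes terminal control sequences from captured session text on stdin:
#  - CSI:   ESC [ parameter bytes 0x30-0x3F, intermediates 0x20-0x2F, final 0x40-0x7E
#  - OSC:   ESC ] ... BEL   (the BEL-terminated form only; assumed sufficient here)
#  - other: ESC followed by any single byte
#  - the carriage returns that show up as ^M
strip_term_escapes() {
    esc=$(printf '\033')
    bel=$(printf '\007')
    sed -E "s|${esc}\[[0-?]*[ -/]*[@-~]||g; s|${esc}\][^${bel}]*${bel}||g; s|${esc}.||g" \
        | tr -d '\r'
}

# Also drops the "YYYY-MM-DDTHH:MM:SS+ZZZZ " prefix that the capture tool prepended,
# giving the output the question says it "should be".
clean_captured_session() {
    sed -E 's|^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:]{8}[+-][0-9]{4} ||' | strip_term_escapes
}

# Constructed input: two lines copied from the question, escapes written as \033.
SAMPLE=$(printf '2013-10-23T08:19:07+0300 \033[?1034h-bash-4.1$ date\r\n2013-10-23T08:19:08+0300 \033[0m\033[01;34m99\033[0m #avail.info \033[01;34mgmoTemp\033[0m raml21.dtd')
printf '%s\n' "$SAMPLE" | clean_captured_session
```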

Change local linux password when joined to Active Directory

I have a linux box:
Linux vuappserver 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686 GNU/Linux
I use SMB + winbind to join an Active Directory.
But right now I'm trying to add a local user:
useradd test
but when I try to change the password I receive this error:
root@server:/home/vu# passwd test
Current Kerberos password:
passwd: Authentication token manipulation error
passwd: password unchanged
I checked the permissions of these files:
-rw-r--r-- 1 0 0 1350 Apr 5 23:17 /etc/passwd
-rw-r----- 1 0 42 941 Apr 5 23:17 /etc/shadow
Any ideas?
Thanks
By default pam_krb5.so sets "minimum_uid" to 1000 in /etc/pam.d/common-*
e.g.:
password [success=3 default=ignore] pam_krb5.so minimum_uid=1000
My user had uid=1001, and according to the default setup Kerberos took control (bad thing). On the other hand, the mapping for my AD users was in a higher range (/etc/samba/smb.conf):
idmap config * : range = 10000-40000
So I adjusted "minimum_uid" in /etc/pam.d/common-* to 10000, and now I'm happy :-)
If you're in a Windows domain, your authentication configuration (most probably /etc/pam.d/common-auth and /etc/pam.d/passwd) specifies that to change a password, it must be synchronized with the domain (via Kerberos/LDAP).
You can instruct the passwd command to change a local account by specifying which account repository/authentication realm you would like to change:
passwd -r files account_name
Check the man page for passwd on the -r option.