I want to write a shell script sort out the data that last command shows.
I got this in my server.
root pts/0 10.168.136.175 Wed Sep 14 14:24 - 14:54 (00:29)
root :0 Mon Sep 12 10:34 - 11:00 (00:25)
reboot system boot 2.6.18-308.el5PA Sun Sep 11 11:31 (86+03:05)
I did some search, there are some saying :0.0 in the 3rd column means login locally, second column means what kind of terminal been use, like pts and tty.
But what does the :0 in line 2 second column in my log?
I am using redhat 6.5.
It means local computer. Generally each session represented by pairs ip_address:display_number. When you logged in locally the IP address is omitted. That's why there is nothing before :. Display number is actually the session number from the specified IP address. So, 0 means the first session
Related
I've got Debian box set up as a syslog server for a couple cisco ASAs. They are running DHCP and I'm attemping to track the unique instances of a MAC addresses being assigned a lease. I've set the ASAs to only log the message that the cisco DHCPd uses, and it sends that to the Debian server as %HOSTIPADDRESS%.log, which then rotates out daily. So I've got a directory that is filled with this:
-rw-r----- 1 syslog adm 536351 Aug 23 06:24 10.10.10.4.log.10
-rw-r----- 1 syslog adm 459634 Aug 22 06:24 10.10.10.4.log.11
-rw-r----- 1 syslog adm 176957 Aug 21 06:24 10.10.10.4.log.12
-rw-r----- 1 syslog adm 246654 Aug 20 06:24 10.10.10.4.log.13
-rw-r----- 1 syslog adm 459978 Aug 19 06:24 10.10.10.4.log.14
-rw-r----- 1 syslog adm 606987 Aug 18 06:21 10.10.10.4.log.15
-rw-r----- 1 syslog adm 599140 Aug 17 06:24 10.10.10.4.log.16
-rw-r----- 1 syslog adm 605837 Aug 16 06:24 10.10.10.4.log.17
-rw-r----- 1 syslog adm 607630 Aug 15 06:24 10.10.10.4.log.18
-rw-r----- 1 syslog adm 189493 Aug 14 06:24 10.10.10.4.log.19
In each of those logs I've got something that looks like this:
Aug 23 06:20:19 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 011c.9148.dbb4.15 (172.16.1.196)
Aug 23 06:20:41 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0138.0f4a.986a.16 (172.16.1.126)
Aug 23 06:20:51 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0190.b686.63c6.a9 (172.16.1.193)
Aug 23 06:20:55 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:21:11 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 012c.0e3d.fcf6.34 (172.16.1.189)
Aug 23 06:21:35 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:21:51 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 0154.4e90.8a7a.00 (172.16.1.211)
Aug 23 06:22:29 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 5caf.0664.cd18 (172.16.1.212)
Aug 23 06:24:00 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01fc.dbb3.49af.eb (172.16.1.207)
Aug 23 06:24:21 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01a0.3be3.03b4.74 (172.16.1.195)
Aug 23 06:24:39 10.10.10.4 %ASA-6-604103: DHCP daemon interface inside: address granted 01b4.79a7.1895.33 (172.16.1.157)
The problem, is that dhcp leases renew,as you can see by the multiple instances of the same device at 172.16.1.211, for instance. I thought I could get around this by setting longer leases, as my understanding of how DHCP works is that leases would not start the renewal process until they reached their half-life but that is not working.
I'm also running into issues of address pool depletion because my leases are so long, and the ASA model I'm using has a hard limit to the size of it's scope.
Long story short, I need to parse those logs and retrieve the number of unique MAC addresses that occur in one of those logs. Any ideas on how this can be accomplished with bash? If I knew how to pull that info from one of the files, I could get through setting up process to do it for all of them using cron or something. I am not a programmer, however, I'm a network engineer. Any help would be appreciated.
Thanks,
Long story short, I need to parse those logs and retrieve the number of unique MAC addresses that occur in one of those logs.
Yes, given the regular nature of the data in your log files, this is very easy to do with several different tools.
The most basic would be to use cut
cut -d" " -f13 | sort | uniq -c
A more advanced tool is awk, and it provides many logic enhancments that allow you to add as many conditional statements as you want to filter the data as needed. For your case, though it is still very simple,
awk '{print $12}' | sort | uniq -c
In both cases, cut and awk, I only had to count over the number of fields in your data to the value of interest, and then specify that as the column (field number in awk-speak).
(when testing these answers, I found that using cut required using -d" " and -f13 (for some reason). I thought cut defaulted to -d" " but I had to specify it explicitly for the code to work).
Of course in both examples, I'm using the sort and uniq utilities, (man uniq for the how-to). uniq, has several options, and the -c option indicates count, so the data needs to be sorted for the counts to accumulate correctly (I missed that in my original comment).
Just for example, you could extend your counter to filter by the date value at the front of each record with
awk '/^Aug 23/{print $12}' | sort | uniq -c
But there are many more filtering and logic tools that you can use with awk.
If you're going to be working with logfile data regularly (or other non-XML-like data), I'd recommend working thru the Grymoire's Awk Tutorial .
IHTH
Perhaps I'm just missing something simple so here goes.
I have a webmin server on Ubuntu and also OpenGTS on a vps, everything works fine and I set it all up from scratch.
I have a cron job like this:
bash /usr/local/OpenGTS_2.5.0/bin/trim.sh
trim.sh is:
#!/bin/sh
MAILTO=me#mymail.net
cd /usr/local/OpenGTS_2.5.0/bin/
./admin.sh Device -account=vehicles -device=laguna -deleteOldEvents=-5d -confirmDelete
This should delete old entries from the database older than 5 days
When run from command line it outputs correctly
Entry Point: org.opengts.db.tables.Device
Deleting events before "Wed Jun 11 23:59:59 BST 2014" ...
Device: laguna - Deleted 0 old events (Saved last event, Nothing to delete)
However when it runs from cron
Entry Point: org.opengts.db.tables.Device
Deleting events before "Mon Jun 09 23:59:59 BST 2014" ...
Device: laguna - Deleted 0 old events (Empty range)
If I set it to 1 day, or 2 days it still insists on Mon Jun 09 23:59:59 BST 2014
I'm totally stumped, any ideas ?
thanks
I have recently started using Isabelle/jEdit. I have created a heap image for the Simpl AFP entry. I made use of command line isabelle build tool to create the new image. I can see and use the image with ProofGeneral and Isabelle/Eclipse. Unfortunately, I cannot see it via jEdit.
If use:
isabelle jedit -d isabelle_afp/Simpl -l Simpl
I can see Simpl but I believe it just rebuilds a Simpl image on the fly.
Any ideas?
Here's the heap located in the expected place:
~ > ls -l .isabelle/Isabelle2013-2/heaps/polyml-5.5.1_x86_64-linux/
total 425424
-r--r--r-- 1 george users 435622904 Feb 24 11:32 Simpl
drwxr-xr-x 2 george users 4096 Feb 24 11:32 log
Here's what my system looks like:
~ > uname -a
Linux athina 3.11.1 #4 SMP Wed Jan 22 16:45:25 EST 2014 x86_64 Intel(R) Core(TM) i5 CPU M 560 # 2.67GHz GenuineIntel GNU/Linux
See http://afp.sourceforge.net/using.shtml for how to register the AFP as a component in Isabelle.
This tells Isabelle where the AFP ROOT session files are. You can think of it as adding the AFP to the search path.
In the user‑home of Isabelle (not the home of the Isabelle system itself), which is ~/.isabelle on UNIX‑likes (don't know for Windows), you may create a ROOTS file if it does not already exists. Then in ROOTS adds an $AFP line (literally, don't expand the variable) if there is not already such a line. If the Simpl theory still does not show up in jEdit's Isabelle theories list, this may be that the AFP was not setted up correctly. If so, check, the file ~/.isabelle/etc/components and see if the file contains a line for the location you choose for your local copy of the AFP.
I'm getting two different timezones on Linux (CENTOS 5.6) depending on whether date is called locally or via ssh:
foo$ ssh me#bar date
Tue Nov 5 18:08:32 EST 2013
foo$ ssh me#bar
bar$ date
Tue Nov 5 17:09:16 CST 2013
/etc/localtime is set to central time:
$ ls -l /etc/localtime
lrwxrwxrwx 1 root root 27 Nov 5 13:10 /etc/localtime -> /usr/share/zoneinfo/CST6CDT
TZ is set to America/Chicago in .bash_profile. If that line is commented out, time zone comes back as eastern rather than central.
I'm assuming this all means the computer believes in its heart that it's on eastern rather than central time and the TZ setting in the shell just overrides this, but I can't figure out WHY the computer thinks it's in eastern time.
edit
It turned out that a runaway process somewhere had actually overwritten the central time timezone file with an eastern time timezone file. Not easy to find, as the file contents are binary!
Did you check -> /etc/sysconfig/clock ?
I'm creating a PAM module for a project. The PAM module will be using a library that will be re-used by some command line utilities (rather than re-writing everything each time). In this library, I want to have it interpret policy that discriminate against and/or logs according to subnet memberships of the remote host. Near as I can tell this value is probably coming from the authenticating application, but I don't know. Since the shared object won't have access to the pamh structure from libpam I can't just do a pam_get_item (like I would be able to from the PAM module itself) so I've had to resort to other means.
The best solution I've come up with is to have the shared object look for a connected TTY, if it's there go to utmp and find the login process associated with that TTY, extract the IP address from there. If there isn't a TTY, assume it's an initial login of a network user. The library then iterates over the sockets (which I've defined as basically any symlink with the word "socket" in the target's filename when you do a ls -l /proc/<pid>/fd) and uses the socket inode number to cross reference with /proc/net/tcp and extracts the remote IP address associated with that inode number. If it doesn't find an inode there then it assumes it's Unix domain or tcp6 (IPv6 support in this is forthcoming and not terribly important for the near future). If it still isn't able to find it, assume that some daemon has called an application linking against it and interpret it as such (might do something eventually, if it's worthwhile, but for now it's just a big NOOP if the first two don't return anything.
It seems to work but I have some high level questions about how PAM is supposed to work:
Is there some official standard that governs PAM operation? For example, is it covered by a POSIX standard somewhere? I know there are multiple PAM implementations (four or five that I've found thusfar) but I don't know if existing commonalities are de jure or de facto or just how I happen to have my system configured.
After I did a ls -l /proc/<pid>/fd > /lsOutput from the module itself (via system()):
[root#hypervisor pam]# cat /lsOutput total 0
lrwx------. 1 root root 64 Jun 15 15:09 0 -> /dev/null
lrwx------. 1 root root 64 Jun 15 15:09 1 -> /dev/null
lrwx------. 1 root root 64 Jun 15 15:09 2 -> /dev/null
lr-x------. 1 root root 64 Jun 15 15:09 3 -> socket:[426180]
[root#hypervisor pam]#
And issuing a manual ls after the user logins in:
[root#hypervisor pam]# ls -l /proc/18261/fd
total 0
lrwx------. 1 root root 64 Jun 15 15:15 0 -> /dev/null
lrwx------. 1 root root 64 Jun 15 15:15 1 -> /dev/null
lrwx------. 1 root root 64 Jun 15 15:15 11 -> /dev/ptmx
lrwx------. 1 root root 64 Jun 15 15:15 12 -> /dev/ptmx
lrwx------. 1 root root 64 Jun 15 15:15 13 -> socket:[426780]
lrwx------. 1 root root 64 Jun 15 15:15 14 -> socket:[426829]
lrwx------. 1 root root 64 Jun 15 15:15 2 -> /dev/null
lrwx------. 1 root root 64 Jun 15 15:15 3 -> socket:[426180]
lrwx------. 1 root root 64 Jun 15 15:15 4 -> socket:[426322]
lr-x------. 1 root root 64 Jun 15 15:15 5 -> pipe:[426336]
l-wx------. 1 root root 64 Jun 15 15:15 6 -> pipe:[426336]
lrwx------. 1 root root 64 Jun 15 15:15 7 -> socket:[426348]
lrwx------. 1 root root 64 Jun 15 15:15 8 -> socket:[426349]
lrwx------. 1 root root 64 Jun 15 15:15 9 -> /dev/ptmx
[root#hypervisor pam]#
So basically, it seems like both the TTY and any additional sockets get opened only AFTER the session modules finish (my temporary test module's session handling is the last in the stack for the sshd service). I've been unable to get it to be otherwise (or even think of a time when the connecting client won't be a TCP socket at descriptor 3).
Is this just due to my lack of imagination or is it necessarily so? I'm leaning towards the latter as it would seem that communicating with the client would be a pre-requisite to doing pretty much anything else that's useful. I don't know that for sure, so I feel I should ask somebody. Will descriptor 3 always be the authenticating client (my .so only makes the assumption that it's the lowest numbered TCP socket, and only if there's no TTY, but it seems like 3 should always be the descriptor for the connecting client). Would pulling the first TCP descriptor be a "deterministic" way of establishing the remote client's identity? Or is there no prescribed way this is supposed to play out and that's just how either my system is configured or how SSH has chosen to interface with PAM?
Is it sshd that's setting the rhost value or is that coming from some place else? I've tried grep-ing over the source code for both SSH and libpam, but no dice. I can see where libpam handles the setting of the host value when something call pam_set_item, but not were pam_set_item actually gets called to set it to be this or that particular host.
Any amount of help would be appreciated, I've googled but I'm starting to get splinters on my fingertips from scraping the bottom of the barrel.
Main reason I'm interested in knowing this is so that I'll end up not only with the "right" answer but mostly so that I won't have any surprises later on down the road. We have some Solaris platforms we may do this on, but my main motivation is to have assumptions that are grounded in things that are actually going to be constant.
I also realize that I could have the client programs/modules feed the host information to the library, but that would likely involve code re-write two or three times (as the CLI tools prepare session information from utmp and the PAM module from pam_get_item) and potentially make the project look more complex than it really needs to be.
Answering some of your questions:
"Is there some official standard that governs PAM operation?"
Apparently, yes. Wikipedia's entry on Pluggable_Authentication_Modulesays "PAM was standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard." I have never found this particularly relevant to my dealings with it.
"Is this just due to my lack of imagination or is it necessarily so?"
<magicEightBall>"Concentrate and ask again"</magicEightBall> (It's ambiguous which "this" is being referred to - perhaps you can clarify?
"Will descriptor 3 always be the authenticating client?"
This is a behaviour of the application, rather than PAM.
Would pulling the first TCP descriptor be a "deterministic" way of establishing the remote client's identity?
Also a behaviour of the application.
"Is it sshd that's setting the rhost value or is that coming from some place else?"
It is sshd that sets the rhost value. In openssh's file auth-pam.c, function sshpam_init(), you'll find:
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
Some general notes:
rather than keying off the TTY - which, as you've discovered get set later - you can walk the process lineage via getppid() and /proc.
don't trust system() in PAM modules - it uses a user's environment, and may not be the one you expect. Use fork()/execlp() instead.