Grep Syslog firewall logs

Question

I have a file which contains firewall log like this:

Feb             3       0:18:51 17.1.1.1                      id=firewall     sn=qasasdasd "time=""2018-02-03"     22:47:55        "UTC""" fw=111.111.111.111       pri=6    c=2644        m=88    "msg=""Connection"      "Opened"""      app=2   n=2437       src=12.1.1.11:49894:X0       dst=4.2.2.2:53:X1       dstMac=42:16:1b:af:8e:e1        proto=udp/dns   sent=83 "rule=""5"      "(LAN->WAN)"""

I need to get an output which should be like this:

src=ipaddress:port , dst=ipaddress:port , proto=udp/dns

Specifically, for the above input,

src=12.1.1.11:49894,dst=4.2.2.2:53,proto=udp/dns

I tried

cat logfile.txt | awk '{ print $18" "$19" "$21 }'

but result seems to different from what I expect.

Worth showing what you'd expect the output to be, given the example input you've cited. Oh, and worth adding what you've tried already. — steve, Jun 07 '19 at 21:33
src=12.1.1.11:49894,dst=4.2.2.2:53,proto=udp/dns is the output i expect — user356831, Jun 07 '19 at 21:35
cat logfile.txt | awk '{ print $18" "$19" "$21 }' is what i was trying but result seems to different from what i expect. — user356831, Jun 07 '19 at 21:37

Nasir Riley · Answer 1 · 2019-06-07T21:51:22.597

1

Based on what you have:

awk '{print $18,$19,$21}' OFS=" , " logfile.txt | sed 's|:X[0-1]||g'

You don't need cat as awk already writes to stdout. The command above prints those fields separated by a space which is what the comma does and then it sets the field separator as a comma surrounded by spaces and uses sed to remove :X0 and :X1.

The output:

src=12.1.1.11:49894 , dst=4.2.2.2:53 , proto=udp/dns

edited Jun 07 '19 at 21:51

answered Jun 07 '19 at 21:43

Nasir Riley

11,422

Hi Nasir, but i don't need :x0 or :X1 in the result. – user356831 Jun 07 '19 at 21:46
1

@user356831 sed will trim off the :X0 and X:1 – Nasir Riley Jun 07 '19 at 21:52
Thanks You Nasir for the help. Is it also possible to extract the result by greping the word. for example i want the value of "proto" to be printed by just greping the word "proto" – user356831 Jun 07 '19 at 22:17

score 1 · Accepted Answer · answered Jun 07 '19 at 22:37

Using grep:

$ grep -o '\(src\|dst\)=[^:]\+:[^:]\+\|proto=[^ ]\+' logfile.txt
src=12.1.1.11:49894
dst=4.2.2.2:53
proto=udp/dns

Description:

'$src\|dst$= match src or dst followed by =
[^:]\+:[^:]\+ one or more non-colon characters, followed by :, followed by one or more non-colon characters
\| or
proto=[^ ]\+' match proto= followed by one or more non-space characters

We can glue the newlines together with paste:

$ grep -o '\(src\|dst\)=[^:]\+:[^:]\+\|proto=[^ ]\+' logfile.txt | paste -s -d,
src=12.1.1.11:49894,dst=4.2.2.2:53,proto=udp/dns

Grep Syslog firewall logs

2 Answers2

Linked