Grep for Email Reports
-
Hello,
I am using the Email Reports package and one thing I like to do is issue a command that pulls all failed logins for three days to present. I'm not a grep expert and my Google searches didn't lead me down the right path. My current command is: grep -i "/index.php: webConfigurator authentication error for user" /var/log/system.log to find failed logins but this returns all failed logins contained in system.log. I would like only the last three days' worth. Thank you for your help.
-Henry
-
Not easily with a single command like that. You could set the log rotation size so that they rotate approximately every 3 days. Of course that would give you up to 3 days of entries. And would vary with logging levels.
Really I would recommend exporting the logs to a dedicated syslog server that is much more likely to have this functionality.
Steve
-
@henryammons How important is "exactly 3" (or whatever) days?
Depending on your application, might I suggest just tacking
| tail -n 30
on the end of your grep to limit the output to 30 (or whatever number makes sense). That keeps your report to a reasonable length. It should be enough to tell you if you need to be looking into something (assuming you are reading the emails).
Today the log entries start with 'Nov 3', yesterday 'Nov 2' and so on, and it gets really interesting at month roll over 'Oct 31'... That means grepping for multiple strings. It is going to take some sort of logic to create them. Alternatively you could convert the date/time into a unix time stamp and filter all entries past a certain value.
If you are OK with just the current day's log entries then you could tack:
| grep -e "^`date +'%b %e'`"
on the end of your earlier grep statement. You would need to run a cron job at 23:59, and as long as the script ran before the clock rolled over, you would get everything for that day except an occurrence between 23:59 and 00:00. If the script was delayed, then you would lose the whole day.
For anything more complicated you will need to write a script - either a shell script, or use one of the built in languages like perl, python or awk.
For home use I would likely code something up, or use one of the earlier methods. In a multi-user/business environment the suggestion that @stephenw10 made to use some sort of syslog package makes the most sense.
Good luck!
-
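The multi-day filter discussed in the post above, including the month roll-over case, as an added shell example (not code from any poster in this thread): it builds one anchored regex from the last N day prefixes and applies it before the failed-login grep. The function names, the sample log lines and the reference epoch used with them are constructed for illustration; the log line layout beyond the quoted message text is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes log lines start with "Mon DD "
# (e.g. "Nov  3 "), the format the posts above describe.

# Print the "%b %e" prefix for an epoch. FreeBSD date (pfSense) takes
# -r SECONDS; GNU date takes -d @SECONDS, so fall back to that form.
day_prefix() {
    LC_ALL=C date -r "$1" +'%b %e' 2>/dev/null || LC_ALL=C date -d "@$1" +'%b %e'
}

# Build an anchored regex for the last N calendar days, newest first.
# $1 = days, $2 = reference epoch (defaults to now).
# Walking back in 12-hour steps and skipping repeats cannot miss a day,
# even when a DST change makes a day 23 hours long.
last_days_regex() {
    days=$1; t=${2:-$(date +%s)}; re=''; prev=''; n=0
    while [ "$n" -lt "$days" ]; do
        p=$(day_prefix "$t")
        if [ "$p" != "$prev" ]; then
            re="${re:+$re|}$p"; prev=$p; n=$((n + 1))
        fi
        t=$((t - 43200))
    done
    printf '^(%s) ' "$re"
}

# $1 = log file, $2 = days, $3 = optional reference epoch
failed_logins() {
    grep -E "$(last_days_regex "$2" "$3")" "$1" |
        grep -i "/index.php: webConfigurator authentication error for user"
}

# Constructed sample log (hostname, users and addresses are made up).
sample_log() {
    cat <<'EOF'
Oct 30 08:15:02 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'admin' from: 192.0.2.10
Oct 31 23:59:40 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'root' from: 192.0.2.10
Nov  1 07:02:11 fw php-fpm[411]: /index.php: Successful login for user 'henry' from: 192.0.2.20
Nov  2 09:30:55 fw php-fpm[411]: /index.php: webConfigurator authentication error for user 'admin' from: 192.0.2.30
EOF
}
```

For a report, `failed_logins /var/log/system.log 3` covers today and the two days before it. Because the log lines carry no year, entries from the same dates a year earlier would also match if the file reached back that far.
-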
Good day,
Thank you all for your help. Based on the suggestions, I have the kind of reporting I was hoping for. I switched to single-day which made it easier. Each day I get a report of bandwidth used the previous day and for the month, all failed logins for the previous day, and all authenticated logins. Again, thank you for taking the time to reply.
Appreciatively,
Henry
-
@henryammons said in Grep for Email Reports:
sed the previous day and for the month, all failed logins for the previous day, and all authenticated logins. Again, thank you for taking the time to reply.
Are you willing to share the code? If it's not too long just paste into a code box (with any sensitive info like passwords or id's changed).
Glad you got your answer.
-
Of course! For the first portion of the report [commands], I have Traffic Totals installed, so I use:
- /usr/local/bin/vnstat -I igb0
I then list uptime:
- uptime
then today's successful logins:
- grep -i "/index.php: Successful login for user " /var/log/system.log | grep -e "^`date +'%b %e'`"
note the space after user
Then down in Included Logs, I search for "authentication error" and "Authentication error" in the Authentication (General) entries. These just accumulate until the logs roll.