Date: Thu, 7 Apr 2022 15:26:45 +0000 (UTC)
From: doug
Reply-To: doug@safeport.com
To: questions@freebsd.org
Subject: Re: extracting an IPv4 address from text?

On Sat, 2 Apr 2022, Robert Huff wrote:

> Hello:
>   Let's suppose I want to parse a line from auth.log and extract
> the IP address (if any) to stdout.
>   I'm assuming there is a robust way to do this using standard
> command-line tools ... but my brain is flailing on the exact method.
>   Anyone have an example they'd be willing to share?  Or is this a
> problem already solved?

You got lots of cool answers to the question as asked.
auth.log entries are well formatted so the IP address appears in a known
location. I use the following to categorize invalid ssh attempts:

    bzgrep -Ei "sshd.+from" auth.log | awk -F'sshd' '{print $2}' | awk '{print $2,$3}' | icount | sort -nk 1

icount is a trivial perl script to count the number of lines it sees. Then
the above gives something like:

    Unique IP addresses: 11
         1 => Accepted publickey
         5 => error: maximum
        17 => Bad protocol
        48 => Did not
       104 => Disconnected from
       104 => Received disconnect
       113 => Failed keyboard-interactive/pam
       113 => Postponed keyboard-interactive
       198 => Invalid user
       312 => error: PAM:
      5106 => refused connect
      6121 total attempts

Just a different way to approach the problem
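
An added example, not part of the original message: the categorization pipeline above reading from stdin, plus an awk step that pulls the source address out of the known position after "from" and checks each octet. Assumptions: `sort | uniq -c` stands in for icount (which the message does not show), the function names are hypothetical, and the log lines are constructed.

```sh
#!/bin/sh
# Constructed sample in sshd auth.log style; addresses are RFC 5737
# documentation ranges, plus one deliberately invalid dotted quad.
sample_log() {
cat <<'EOF'
Apr  7 10:01:02 host sshd[1001]: Invalid user admin from 192.0.2.10 port 40022
Apr  7 10:01:05 host sshd[1002]: Invalid user test from 198.51.100.7 port 51514
Apr  7 10:02:11 host sshd[1003]: Disconnected from 192.0.2.10 port 40022 [preauth]
Apr  7 10:03:40 host sshd[1004]: Accepted publickey for doug from 203.0.113.5 port 60100 ssh2
Apr  7 10:04:00 host sshd[1005]: Failed password for root from 999.1.1.1 port 22 ssh2
Apr  7 10:05:00 host su[1006]: doug to root on /dev/pts/0
EOF
}

# The categorization pipeline from the message, reading stdin.
# Assumption: `sort | uniq -c` stands in for icount, which is not shown.
categorize() {
  grep -Ei 'sshd.+from' |
    awk -F'sshd' '{print $2}' |
    awk '{print $2,$3}' |
    sort | uniq -c | sort -n
}

# Print the token after the right-most "from" on sshd lines (the user name
# earlier in the line is client-supplied text), and only if it is a dotted
# quad with four all-digit octets in 0..255.
extract_ipv4() {
  awk '/sshd/ {
    for (i = NF - 1; i >= 1; i--) {
      if ($i != "from") continue
      n = split($(i + 1), o, ".")
      ok = (n == 4)
      for (j = 1; ok && j <= 4; j++)
        ok = (o[j] ~ /^[0-9]+$/ && length(o[j]) <= 3 && o[j] + 0 <= 255)
      if (ok) print $(i + 1)
      break
    }
  }'
}

sample_log | categorize                                # count per message type
sample_log | extract_ipv4 | sort | uniq -c | sort -n   # count per source address
```

For rotated, compressed logs, feed the functions with `bzcat auth.log.*.bz2 | categorize` in place of the constructed sample.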