I am trying to grep /var/log/secure to find the unique IP addresses that tried to use my instance. Every time I try to grep, I get the lines where the IP is located. How can I grep in a way where I just get the IP I want and store it in a text file? I'll post examples to clarify what I am looking for.
This is a sample /var/log/secure file:
Oct 9 22:45:48 ip-172-26-14-23 sshd[18080]: Disconnected from 34.101.251.82 port 59344 [preauth]
Oct 9 22:46:41 ip-172-26-14-23 sshd[18082]: Did not receive identification string from 209.17.97.18 port 64550
Oct 9 22:47:23 ip-172-26-14-23 sshd[18083]: Connection closed by 74.120.14.52 port 44578 [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Invalid user cisco from 106.13.233.5 port 44180
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: input_userauth_request: invalid user cisco [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Received disconnect from 106.13.233.5 port 44180:11: Bye Bye [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Disconnected from 106.13.233.5 port 44180 [preauth]
Oct 9 22:56:53 ip-172-26-14-23 sshd[18090]: reverse mapping checking getaddrinfo for reaia.tumblles.com [141.98.9.32] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 9 22:56:54 ip-172-26-14-23 sshd[18090]: Connection closed by 141.98.9.32 port 34537 [preauth]
Oct 9 22:56:57 ip-172-26-14-23 sshd[18092]: reverse mapping checking getaddrinfo for kei.tumblles.com [141.98.9.33] failed - POSSIBLE BREAK-IN ATTEMPT!
So what I want is to grep /var/log/secure and just print the unique IPs that tried to use my instance to a text file like this:
**Desired output:**
34.101.251.82
74.120.14.52
106.13.233.5
141.98.9.32
So on....
I might have missed some but you get the idea.
When I try to grep the file with the command `sudo grep 'from' /var/log/secure | awk '{print $2}' > ips.out`, I get the following output in the file:
9
9
9
9
9
9
9
so on....
9 is the date
The idea behind the input is that the word "from" is next to the IP address. So grep should go there and print the word next to it with `awk '{print $2}'`.
However, I want to extract all IPs from anywhere in the file, not just the IPs after "from". What I did above is the only way I could do it at the moment. I was thinking of running multiple commands and making a bash script that gets IPs from all locations.
PS: I only want IPs after from!
3 Answers
You can do it using a positive lookbehind with grep. You have to use -P for Perl-compatible regular expressions; -o prints only the matched string. The initial part inside the parentheses, the "from", will be matched first but ignored by the -o option; only the part after it will be considered. That part is a simple expression to match an IP, meaning four numbers with a maximum of 3 digits, separated by dots.
See more about matching an IP in this question.
Based on the shown samples only, could you please try the following, written and tested at https://ideone.com/bQGspU with GNU awk (multi-char RS):

awk -v RS="[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}" 'RT{print RT}' file
The uniq command removes the adjacent duplicate lines.
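The following script is an added example, not code from the question or from either answer. It puts both approaches side by side on the question's own sample lines: the first answer's grep -P positive lookbehind (with a grep -E fallback for greps that lack -P, such as BSD/macOS grep) to get only the addresses after "from", and a grep -oE match for any dotted quad anywhere on the line, which is the same idea as the GNU awk RS answer without requiring gawk. It also adds a third helper that matches "from" or "by", because the question's desired output lists 74.120.14.52 and 141.98.9.32, which sshd logs as "Connection closed by <ip>" and a "from"-only match never sees. The sample log is constructed from the question's excerpt; the function names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the question or either answer.
# Pulls source IPv4 addresses out of sshd lines from an auth log such as
# /var/log/secure, in three variants, printing one unique address per line.

# Constructed sample: the sshd lines from the question's /var/log/secure excerpt.
SAMPLE_LOG='Oct 9 22:45:48 ip-172-26-14-23 sshd[18080]: Disconnected from 34.101.251.82 port 59344 [preauth]
Oct 9 22:46:41 ip-172-26-14-23 sshd[18082]: Did not receive identification string from 209.17.97.18 port 64550
Oct 9 22:47:23 ip-172-26-14-23 sshd[18083]: Connection closed by 74.120.14.52 port 44578 [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Invalid user cisco from 106.13.233.5 port 44180
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: input_userauth_request: invalid user cisco [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Received disconnect from 106.13.233.5 port 44180:11: Bye Bye [preauth]
Oct 9 22:54:03 ip-172-26-14-23 sshd[18088]: Disconnected from 106.13.233.5 port 44180 [preauth]
Oct 9 22:56:53 ip-172-26-14-23 sshd[18090]: reverse mapping checking getaddrinfo for reaia.tumblles.com [141.98.9.32] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 9 22:56:54 ip-172-26-14-23 sshd[18090]: Connection closed by 141.98.9.32 port 34537 [preauth]
Oct 9 22:56:57 ip-172-26-14-23 sshd[18092]: reverse mapping checking getaddrinfo for kei.tumblles.com [141.98.9.33] failed - POSSIBLE BREAK-IN ATTEMPT!'

# Dotted quad: four 1-3 digit groups separated by dots, the shape both answers use.
# It does not range-check octets, so 999.1.1.1 would match too.
IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# True when grep supports -P (GNU grep built with PCRE); BSD/macOS grep does not.
have_pcre_grep() {
    printf 'x\n' | grep -qP 'x' 2>/dev/null
}

# Unique addresses that follow the word "from" (what the question's PS asks for).
# -P path: the first answer's positive lookbehind; -o emits only the address.
# Fallback: match "from <ip>" with -E and let awk drop the leading word.
# sort -u is used instead of bare uniq because uniq only drops adjacent duplicates.
ips_after_from() {
    if have_pcre_grep; then
        grep -oP "(?<= from )$IPV4"
    else
        grep -oE " from $IPV4" | awk '{print $2}'
    fi | LC_ALL=C sort -u
}

# Unique addresses after "from" or "by": sshd writes "Connection closed by <ip>"
# for some events, which a "from"-only match misses. PCRE allows alternatives of
# different fixed lengths at the top level of a lookbehind, so this stays valid.
connection_ips() {
    if have_pcre_grep; then
        grep -oP "(?<= from | by )$IPV4"
    else
        grep -oE " (from|by) $IPV4" | awk '{print $2}'
    fi | LC_ALL=C sort -u
}

# Every dotted quad anywhere on the line, the same idea as the gawk RS answer but
# with grep -oE so GNU awk is not required. This also picks up the bracketed
# addresses in "reverse mapping checking" lines and, on a real log, any address
# that is not a client at all (your own listener, a DNS server, a version string).
all_ips() {
    grep -oE "$IPV4" | LC_ALL=C sort -u
}

# Demo: each helper reads the log on stdin, so against the real file it is e.g.
#   sudo cat /var/log/secure | connection_ips > ips.out
for fn in ips_after_from connection_ips all_ips; do
    echo "== $fn =="
    printf '%s\n' "$SAMPLE_LOG" | "$fn"
done
```

On the sample above, ips_after_from yields three addresses, connection_ips five (adding the two "Connection closed by" clients), and all_ips six (adding 141.98.9.33, which appears only inside the brackets of a reverse-mapping line and never opened a session that sshd logged with "from" or "by"). Which of the three you want depends on whether "tried to use my instance" means clients that reached authentication or any address sshd ever mentioned.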