Script help 
 Script help

Hi Guys!
I hope someone can help me.
Can someone show me an example of how to take the data in my syslog and
parse it out with a script to a comma delimited file?

For example, here is the syslog info:
Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
SPT=22381 DPT=27015 LEN=24

I would like it to look something like this:

Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

Any ideas?

Thanks!
Dan



Mon, 14 Feb 2005 07:35:25 GMT  
 Script help
looks easy - so what have you tried? (code wise)

jen -show us your code- cross

Quote:

> Hi Guys!
> I hope someone can help me.
> Can someone show me an example of how to take the data in my syslog and
> parse it out with a script to a comma delimited file?

> For example, here is the syslog info:
> Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
> MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
> DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
> SPT=22381 DPT=27015 LEN=24

> I would like it to look something like this:

> Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

> Any ideas?

> Thanks!
> Dan



Mon, 14 Feb 2005 10:22:52 GMT  
 Script help

Quote:
> Hi Guys!
> I hope someone can help me.
> Can someone show me an example of how to take the data in my syslog and
> parse it out with a script to a comma delimited file?

> For example, here is the syslog info:
> Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
> MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
> DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
> SPT=22381 DPT=27015 LEN=24

> I would like it to look something like this:

> Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

> Any ideas?

> Thanks!
> Dan

Something like this can do it.
    - Dan

syslog-csv.awk
----------
    BEGIN { OFS = "," }
    {
        month = $1; day = $2; time = $3
        delete value
        # skip the host/program text; the key=value pairs start at IN=
        for (i = 4; i <= NF && $(i) !~ /^IN=/; i++) {}
        for (j = i; j <= NF; j++)
            if (split($j,nameValuePair,"=") == 2)
                value[nameValuePair[1]] = nameValuePair[2]
        print month " " day " " time, value["SRC"], value["DST"], value["SPT"]
    }



Mon, 14 Feb 2005 12:25:38 GMT  
 Script help

Quote:

>Hi Guys!
>I hope someone can help me.
>Can someone show me an example of how to take the data in my syslog and
>parse it out with a script to a comma delimited file?

>For example, here is the syslog info:
>Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
>MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
>DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
>SPT=22381 DPT=27015 LEN=24

>I would like it to look something like this:

>Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

something like this (untested) should work:

awk 'NR==1{printf("%s %s %s,",$1,$2,$3)}
     $NR~"SRC" {sub(/SRC=/,"",$NF);printf("%s,",$NF)}
     $1~"DST"  {sub(/DST=/,"",$1 );print $1}' infile

Chuck Demas

--
  Eat Healthy    |   _ _   | Nothing would be done at all,
  Die Anyway     |    v    | That no one could find fault with it.



Mon, 14 Feb 2005 23:30:27 GMT  
 Script help

Quote:

>>For example, here is the syslog info:
>>Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
>>MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
>>DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
>>SPT=22381 DPT=27015 LEN=24

>>I would like it to look something like this:

>>Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

>something like this (untested) should work:

>awk 'NR==1{printf("%s %s %s,",$1,$2,$3)}
>     $NR~"SRC" {sub(/SRC=/,"",$NF);printf("%s,",$NF)}
>     $1~"DST"  {sub(/DST=/,"",$1 );print $1}' infile

I assume $NR was a typo for $NF...
(although it looks like you are assuming the 2nd field of the 2nd record...)

Anyway, I suppose I'd do it like this (assuming there are or could be
multiple records in the syslog file; also, do we know if the OP really
meant that to be all one long line or if it really is a 4 line block?)

BEGIN {OFS=","}
(NR % 4) == 1 { dte = $1 " " $2 " " $3;next }
sub(/^.*SRC=/,"") { src = $0;next }
sub(/^DST=/,"") { print dte,src,$1 }



Tue, 15 Feb 2005 00:25:48 GMT  
 Script help

Quote:


> >>For example, here is the syslog info:
> >>Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
> >>MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
> >>DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
> >>SPT=22381 DPT=27015 LEN=24

> >>I would like it to look something like this:

> >>Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

> >something like this (untested) should work:

> >awk 'NR==1{printf("%s %s %s,",$1,$2,$3)}
> >     $NR~"SRC" {sub(/SRC=/,"",$NF);printf("%s,",$NF)}
> >     $1~"DST"  {sub(/DST=/,"",$1 );print $1}' infile

> I assume $NR was a typo for $NF...
> (although it looks like you are assuming the 2nd field of the 2nd record...)

> Anyway, I suppose I'd do it like this (assuming there are or could be
> multiple records in the syslog file; also, do we know if the OP really
> meant that to be all one long line or if it really is a 4 line block?)

> BEGIN {OFS=","}
> (NR % 4) == 1 { dte = $1 " " $2 " " $3;next }
> sub(/^.*SRC=/,"") { src = $0;next }
> sub(/^DST=/,"") { print dte,src,$1 }

I had assumed that the OP's data was naturally one line, and broken to four
lines by their news reader.

Even though my Linux box's /var/log/messages file IS filled with one-line
entries, I may be being silly by assuming that the OP's log entries are NOT
naturally broken at nonsensical places.

    - Dan H. (not Dan the OP)



Tue, 15 Feb 2005 10:01:49 GMT  
 Script help

Quote:




> > >>For example, here is the syslog info:
> > >>Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
> > >>MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
> > >>DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
> > >>SPT=22381 DPT=27015 LEN=24

> > >>I would like it to look something like this:

> > >>Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

> > >something like this (untested) should work:

> > >awk 'NR==1{printf("%s %s %s,",$1,$2,$3)}
> > >     $NR~"SRC" {sub(/SRC=/,"",$NF);printf("%s,",$NF)}
> > >     $1~"DST"  {sub(/DST=/,"",$1 );print $1}' infile

> > I assume $NR was a typo for $NF...
> > (although it looks like you are assuming the 2nd field of the 2nd record...)

> > Anyway, I suppose I'd do it like this (assuming there are or could be
> > multiple records in the syslog file; also, do we know if the OP really
> > meant that to be all one long line or if it really is a 4 line block?)

> > BEGIN {OFS=","}
> > (NR % 4) == 1 { dte = $1 " " $2 " " $3;next }
> > sub(/^.*SRC=/,"") { src = $0;next }
> > sub(/^DST=/,"") { print dte,src,$1 }

> I had assumed that the OP's data was naturally one line, and broken to four
> lines by their news reader.

> Even though my Linux box's /var/log/messages file IS filled with one-line
> entries, I may be being silly by assuming that the OP's log entries are NOT
> naturally broken at nonsensical places.

>     - Dan H. (not Dan the OP)

Oh yeah, Charles and Kenny...
    >>>>Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381
...don't forget the source port on the end.

    - D



Tue, 15 Feb 2005 10:14:21 GMT  
 Script help

Quote:


> > Hi Guys!
> > I hope someone can help me.
> > Can someone show me an example of how to take the data in my syslog and
> > parse it out with a script to a comma delimited file?

> > For example, here is the syslog info:
> > Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
> > MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
> > DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
> > SPT=22381 DPT=27015 LEN=24

> > I would like it to look something like this:

> > Aug 28 17:25:17,201.203.72.116,122.19.12.99,22381

> > Any ideas?

> > Thanks!
> > Dan

> Something like this can do it.
>     - Dan

> syslog-csv.awk
> ----------
>     BEGIN { OFS = "," }
>     {
>         month = $1; day = $2; time = $3
>         delete value
>         # skip the host/program text; the key=value pairs start at IN=
>         for (i = 4; i <= NF && $(i) !~ /^IN=/; i++) {}
>         for (j = i; j <= NF; j++)
>             if (split($j,nameValuePair,"=") == 2)
>                 value[nameValuePair[1]] = nameValuePair[2]
>         print month " " day " " time, value["SRC"], value["DST"], value["SPT"]
>     }

Perhaps I would make this more general, by not searching for IN as the first
key/value pair, and instead, starting at field 4 (we know 1, 2, & 3 are the
timestamp), and treating any field with an "=" as a k/v pair.  Also, this is
how you'd get just the gShield drop lines.

    BEGIN { OFS = "," }
    /gShield \(default drop\)/ {
        delete value
        for (i = 4; i <= NF; i++) {
            if (split($i,nameValuePair,"=") == 2)
                value[nameValuePair[1]] = nameValuePair[2]
        }
        print $1 " " $2 " " $3,value["SRC"],value["DST"],value["SPT"]
    }

You could do brute-force field parsing, sub()ing out unwanted text, etc.,
but I like the maintainability of field-name access--especially in places I
re-visit a lot, like firewalls.

    - Dan H. (not the OP Dan)



Tue, 15 Feb 2005 10:20:05 GMT  
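Pulling the thread together, here is an added example (mine, not any poster's code) that handles both shapes discussed above: Dan H.'s one-line entries and Kenny's four-line blocks, and it keeps the source port. It is a shell wrapper around awk; the sample log is constructed, with only the OP's entry taken from the thread, and the timestamp-at-line-start rule for spotting a new entry is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts netfilter-style
# "key=value" syslog entries to CSV whether each entry is one long line
# (as in /var/log/messages) or has been wrapped onto several lines by a
# news reader. Assumption: a new entry starts with a "Mon DD HH:MM:SS"
# timestamp; wrapped continuation lines carry only key=value tokens.
syslog_to_csv() {
    awk '
    BEGIN { OFS = "," }
    # print the entry collected so far (if it was a gShield drop) and reset
    function emit() {
        if (keep)
            print dte, value["SRC"], value["DST"], value["SPT"]
        split("", value)        # portable way to empty the array
        keep = 0
    }
    # a line starting with a syslog timestamp begins a new entry
    /^[A-Z][a-z][a-z] +[0-9]+ +[0-9][0-9]:[0-9][0-9]:[0-9][0-9] / {
        emit()
        dte = $1 " " $2 " " $3
        keep = ($0 ~ /gShield \(default drop\)/)
    }
    # every token containing "=" is a key/value pair, on any line of the
    # entry; "OUT=" gives an empty value, a missing SPT (ICMP) prints as ""
    {
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) value[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
    }
    END { emit() }
    '
}

# Constructed sample: the OP entry as a four-line block, an unrelated sshd
# line, and a one-line ICMP drop (198.51.100.7 is a documentation address).
sample_log() {
    cat <<'EOF'
Aug 28 17:25:17 ns1 kernel: gShield (default drop) IN=eth1 OUT=
MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=201.203.72.116
DST=122.19.12.99 LEN=44 TOS=0x08 PREC=0x20 TTL=108 ID=19603 PROTO=UDP
SPT=22381 DPT=27015 LEN=24
Aug 28 17:25:18 ns1 sshd[4242]: Accepted publickey for dan from 10.0.0.5
Aug 28 17:25:19 ns1 kernel: gShield (default drop) IN=eth1 OUT= MAC=00:60:97:da:94:45:00:03:4b:f5:54:c5:08:00 SRC=198.51.100.7 DST=122.19.12.99 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0
EOF
}

sample_log | syslog_to_csv
```

Non-drop lines such as the sshd entry are discarded, and a protocol with no SPT still produces a full row with an empty last column, so the CSV keeps a fixed number of fields.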