
I would like to parse mail log files, which originally look like this:

    2018-10-23 23:27:51,026 INFO [ImapServer-4] [ip=10.10.11.50;oip=168.232.24.2;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127325;] imap - authentication failed for [[email protected]] (invalid password)

for keywords, either: "invalid password" or "authentication failed"

The goal is to sort them either by "OIP" (original IP) or by user mail account, to see in the first case the attacking IP and in the second case which user account is under attack.

Those should be 2 command lines (I will incorporate them into my bash script for easier administration of mail servers).

What I came to is this:

    cat /opt/zimbra/log/mailbox.log | grep "invalid password" | awk -F " " '{print $1 $2 $5 $11 }'

...but I am stuck there. I do not know how to double-parse the attacker IP from "oip=" and run "uniq" and "sort" against the results. I am trying to get results like this:

Case 1 - display attacking IPs, sorted by number of invalid logins:

    37 1.2.3.4
    16 3.4.5.6
     8 6.7.8.9

Case 2 - display attacked MAIL accounts, sorted by number of invalid logins:

    128 [email protected]
     37 [email protected]
      6 [email protected]

I will then run my (above) one-liner manually to analyze deeper, but for the overview can you help me with awk, cut or sed commands, please?

  • Had a quick look: awk 'BEGIN{FS=OFS=";"}/invalid password/{ oips=substr($2,index($2," - ")+5);oip[oips]++} END { for (ip in oip) printf("%s\t%s\n", oip[ip],ip)}' logfile. Give it a try. The email part is easy as well: awk -v RS="[][]" '/@/{email[$1]++} END { for (e in email) print e,email[e]}' logfile - Commented Oct 23, 2018 at 22:22

2 Answers

    $ cat $$
    2018-10-23 23:27:51,026 INFO [ImapServer-4] [ip=10.10.11.50;oip=168.232.24.2;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127325;] imap - authentication failed for [[email protected]] (invalid password)
    $ cat $$ | egrep '(authentication failed|invalid password)' | egrep -o "[[a-z]*@[a-z]*\.[a-z]*]" | sort | uniq -c
          1 [[email protected]]
    $ cat $$ | egrep '(authentication failed|invalid password)' | egrep -o "oip=[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*" | sort | uniq -c
          1 oip=168.232.24.2
    $
  • This one is almost perfect! I just modified sort to sort -nr so as to have descending order. Thank you! - Commented Oct 24, 2018 at 1:00

Using space or semicolon as the field separator, you can do

    $ awk -F '[ ;]' '/authentication failed/ {print $7, $17}' file
    oip=168.232.24.2 [[email protected]]

Or with perl:

    $ perl -lne '/authentication failed|invalid password/ and /oip=(.+?);.*for \[(.+?@.+?)\]/ and print "$1 $2"' file
    168.232.24.2 [email protected]

Use either one of those, then sort | uniq -c the output.
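As an added example (not from the question or either answer), here is a bash function that produces both overviews from the same mailbox.log: it pulls the oip= value and the bracketed account out by regex rather than by field number, so it is unaffected by whether the log level is padded with an extra space, and the sort -nr step the asker wanted is built in. The sample log lines, account names and IP addresses are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: both overviews from Zimbra mailbox.log failed-IMAP-auth lines.
# Values are pulled out by regex ("oip=...;" and "for [...]"), not by field
# number, so log4j's level padding ("INFO " vs "INFO") does not shift anything.

# Constructed sample log (made-up accounts, documentation-range IPs).
SAMPLE_LOG='2018-10-23 23:27:51,026 INFO  [ImapServer-4] [ip=10.10.11.50;oip=198.51.100.7;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127325;] imap - authentication failed for [alice@example.com] (invalid password)
2018-10-23 23:27:52,101 INFO  [ImapServer-5] [ip=10.10.11.50;oip=198.51.100.7;via=10.10.11.50(nginx/1.7.1);cid=127326;] imap - authentication failed for [bob@example.com] (invalid password)
2018-10-23 23:27:53,420 INFO  [ImapServer-6] [ip=10.10.11.50;oip=203.0.113.9;via=10.10.11.50(nginx/1.7.1);cid=127327;] imap - authentication failed for [alice@example.com] (invalid password)
2018-10-23 23:27:54,000 INFO  [ImapServer-7] [ip=10.10.11.50;oip=198.51.100.7;via=10.10.11.50(nginx/1.7.1);cid=127328;] imap - authentication failed for [carol@example.com] (invalid password)
2018-10-23 23:27:55,000 INFO  [ImapServer-8] [ip=10.10.11.50;oip=203.0.113.9;cid=127329;] imap - user alice@example.com authenticated'

# failed_auth_report MODE FILE
#   MODE "oip"     -> Case 1: attacking source IPs, busiest first
#   MODE "account" -> Case 2: attacked mail accounts, busiest first
# Output is "<count> <value>" per line, the shape of sort | uniq -c | sort -nr.
failed_auth_report() {
  local mode=$1 file=$2
  case $mode in
    oip|account) ;;
    *) echo "usage: failed_auth_report oip|account FILE" >&2; return 2 ;;
  esac
  awk -v mode="$mode" '
    /authentication failed|invalid password/ {
      # oip is the client address as seen before the nginx proxy
      if (match($0, /oip=[^;]+/)) oip = substr($0, RSTART + 4, RLENGTH - 4); else oip = "unknown"
      # the targeted mailbox is the text between "for [" and "]"
      if (match($0, /for \[[^]]+\]/)) acct = substr($0, RSTART + 5, RLENGTH - 6); else acct = "unknown"
      count[(mode == "oip") ? oip : acct]++
    }
    END { for (k in count) print count[k], k }
  ' "$file" | sort -k1,1nr -k2
}

# Stand-alone demo against the constructed sample.
demo() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  echo "Case 1 - attacking IPs:";          failed_auth_report oip "$tmp"
  echo "Case 2 - attacked mail accounts:"; failed_auth_report account "$tmp"
  rm -f "$tmp"
}
demo
```

Point it at /opt/zimbra/log/mailbox.log (and the rotated mailbox.log.* files) instead of the temp file to get the real overview; lines that did not fail authentication are ignored by the pattern match.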
