# /var/log/messages parser



## tgo (Jul 5, 2005)

Here is a little script to parse /var/log/messages. If you run sshd on port 22 you know how many times you get brute-forced by zombies, and this should make parsing the logs easier. 

The code should be pretty easy to read and understand, so I didn't comment anything. 

Usage:

```
[email protected]:/home/tgo/perl# perl log.pl
------- Report for 127.0.0.1 -----------
Total Entries: 1
Accepted Logins: 0
Failed Logins: 1
------- Report for 192.168.1.100 -----------
Total Entries: 6
Accepted Logins: 6
Failed Logins: 0
[email protected]:/home/tgo/perl#
```
Code:

```
#!/usr/bin/perl

# /var/log/messages parser coded by tgo
# http://www.anomalous-security.org

use strict;
use warnings;

my $log = '/var/log/messages';
open(my $fh, '<', $log) or die("cannot open $log: $!");

# $ips{<address>}{accepted|failed} => count
my %ips;

while (my $line = <$fh>)
{
	# the first dotted quad on the line is taken as the source address
	next unless ($line =~ /(\d+\.\d+\.\d+\.\d+)/);
	my $ip = $1;

	my $action;
	if ($line =~ /Accepted/)
	{
		$action = 'accepted';
	}
	elsif ($line =~ /Failed password/)
	{
		$action = 'failed';
	}
	else
	{
		next;	# neither a successful login nor a failed password
	}

	# ++ on a slot that does not exist yet starts it at 1
	$ips{$ip}{$action}++;
}

close($fh);

for my $ip (sort keys %ips)
{
	my $accepted = $ips{$ip}{'accepted'} || 0;
	my $failed   = $ips{$ip}{'failed'}   || 0;
	my $total    = $accepted + $failed;

	print "------- Report for $ip -----------\n";
	print "Total Entries: $total\n";
	print "Accepted Logins: $accepted\n";
	print "Failed Logins: $failed\n";
}
```

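An added example, not tgo's script, that does the same per-address tally in Python and tightens the two loose spots in the Perl version: it only counts lines logged by sshd (so another daemon's message containing a dotted quad is ignored) and takes the source address from OpenSSH's "from <addr>" field instead of the first dotted quad on the line. It also records "invalid user" probes, the usernames each address tried, and whether an address eventually logged in after failing, which is the pattern worth looking at first after a brute-force run. The log lines are constructed for the example; the message format assumed is OpenSSH's "Accepted|Failed <method> for [invalid user] <user> from <addr> port <n>".

```python
#!/usr/bin/env python3
"""Per-source-address summary of sshd authentication events from a
syslog-format file such as /var/log/messages (added example, not the
original post's script)."""
import re
import sys
from collections import defaultdict

# Only sshd's own messages carry authentication results. Anchoring on
# "sshd[<pid>]:" keeps other daemons' lines out of the counts even when
# they happen to contain a dotted quad.
SSHD_LINE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
# Outcome, auth method, target user and source address (OpenSSH wording,
# assumed). The address is read from the "from <addr>" field, and the
# optional "invalid user" marker is kept for the report.
AUTH_EVENT = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample, not a real log: one key-based user, one address that
# sprays passwords and then gets in, and three lines that must not be counted.
SAMPLE_LOG = """\
Jul  5 10:00:01 box sshd[2001]: Accepted publickey for tgo from 192.168.1.100 port 50122 ssh2
Jul  5 10:00:02 box sshd[2002]: Failed password for root from 10.0.0.5 port 4001 ssh2
Jul  5 10:00:03 box sshd[2003]: Failed password for invalid user admin from 10.0.0.5 port 4002 ssh2
Jul  5 10:00:04 box sshd[2004]: Failed password for invalid user test from 10.0.0.5 port 4003 ssh2
Jul  5 10:00:05 box sshd[2005]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=root
Jul  5 10:00:06 box sshd[2006]: Accepted password for root from 10.0.0.5 port 4004 ssh2
Jul  5 10:00:07 box sshd[2007]: Did not receive identification string from 10.0.0.9
Jul  5 10:00:08 box kernel: eth0: link up, firmware version 2.1.3.4
Jul  5 10:00:09 box sshd[2008]: Accepted password for tgo from 192.168.1.100 port 50123 ssh2
"""


def parse_event(line):
    """Return a dict for one sshd authentication event, or None otherwise."""
    m = SSHD_LINE.match(line)
    if not m:
        return None
    a = AUTH_EVENT.match(m.group("msg"))
    if not a:
        return None
    return {
        "ip": a.group("ip"),
        "user": a.group("user"),
        "method": a.group("method"),
        "accepted": a.group("result") == "Accepted",
        "invalid_user": a.group("invalid") is not None,
    }


def summarize(lines):
    """Aggregate events per source address: accepted/failed counts, how many
    failures named a non-existent user, the set of usernames tried, and
    whether a success came after earlier failures from the same address."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0, "invalid_user": 0,
                                 "users": set(), "success_after_failure": False})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        s = stats[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["accepted"]:
            s["accepted"] += 1
            if s["failed"]:
                s["success_after_failure"] = True
        else:
            s["failed"] += 1
            if ev["invalid_user"]:
                s["invalid_user"] += 1
    return dict(stats)


def suspicious_sources(stats):
    """Addresses that failed at least once and later logged in successfully."""
    return sorted(ip for ip, s in stats.items() if s["success_after_failure"])


def report(stats):
    # Worst offenders first: most failures, then most accepted logins.
    for ip in sorted(stats, key=lambda k: (-stats[k]["failed"], -stats[k]["accepted"], k)):
        s = stats[ip]
        print(f"------- Report for {ip} -----------")
        print(f"Total Entries: {s['accepted'] + s['failed']}")
        print(f"Accepted Logins: {s['accepted']}")
        print(f"Failed Logins: {s['failed']} ({s['invalid_user']} for invalid users)")
        print(f"Users tried: {', '.join(sorted(s['users']))}")
        if s["success_after_failure"]:
            print("!! successful login after failed attempts from this address")


if __name__ == "__main__":
    # Usage: messages_report.py [/var/log/messages]; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report(summarize(fh))
    else:
        report(summarize(SAMPLE_LOG.splitlines()))
```

Run against the constructed sample, 10.0.0.5 shows three failures (two of them against accounts that do not exist) followed by an accepted root password login, and is the one address `suspicious_sources` returns; the kernel line, the "Did not receive identification string" line and the pam_unix line contribute nothing, although the first of those carries a dotted quad that a bare `\d+\.\d+\.\d+\.\d+` match would have picked up.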

----------



## LoneWolf071 (Nov 10, 2004)

They make, at least for Debian, an auto-script that will do that for you; it's called logrotate... check it out... it's really good software...


----------

