
Analyze log files using awk

Hello there, I have the following cut of a log file below:

Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user logged in| -
Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user changed password| -
Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user logged off| -
Mon, 22 Mar 2020 13:15:42 +0200|185.34.66.225|user_2| - |user logged in| -
Mon, 22 Mar 2020 13:15:40 +0200|185.34.66.215|user_3| - |user logged in| -
Mon, 22 Mar 2020 13:15:49 +0200|185.34.66.215|user_3| - |user changed password| -
Mon, 22 Mar 2020 13:15:49 +0200|185.34.66.215|user_3| - |user logged off| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged in| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged in| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user changed password| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged off| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user logged in| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user changed password| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user changed profile| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user logged off| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user logged in| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user changed password| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user logged off| -
Mon, 22 Mar 2020 13:20:42 +0200|185.34.67.225|user_7| - |user logged in| -

The main idea is to get a list of bots who log in, change password and log off in the exact same second, without doing any other action between those 3 actions. I was able to achieve what I want using the following command:

cat /path/to/file | awk '{split($0,a,"|"); print a[3],a[1],a[5]}' | awk '{ print $6,$1,$8,$9,$10 }' | grep -A 1 -B 1 "user changed password" | awk 'seen[$1]++ ==2' | grep "user logged off" | awk '{ print $2}'

Output:

user_1
user_4
user_6

However, I would need experts' help to shorten my code and make it work as fast as possible on huge log files.

Any help would be appreciated.

Do everything in one awk call.

awk -F'|' '
  BEGIN {
    a[0]="user logged in"
    a[1]="user changed password"
    a[2]="user logged off"
  }
  lastuser!=$3 || lasttime!=$1 || a[expected]!=$5 {
    lasttime=$1
    lastuser=$3
    expected=(a[0]==$5?1:0)
    next
  }
  expected++==2 {
    print $3
  }' path_to_file

For your scenario, I think this will work pretty well.

awk -F\| '{
  vtAll[$3";"$1]++
  if ($5 ~ /user logged in|user logged off|user changed password/) vt[$3";"$1]++
} END {
  for (i in vt) if (vt[i] == 3 && vtAll[i] == 3) print i
}' inputFile

To share my logic:

  1. I created two arrays, having time and user as index.
  2. In vtAll, I save how many actions that user has made at that exact time.
  3. In vt, I check if the action is login, logoff or change pass. If so, I increment it as well.
  4. After the whole file was read, I check if there were three actions in both arrays. If there are, it means the user logged in, changed pass and logged off at the same time, and nothing else was done by that user.
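A single-pass variant, added here as an example and not taken from the question or either answer: it keys the login -> change password -> log off state by user rather than by adjacent lines, so interleaved users do not break the match, and it prints the source IP next to the user so a hit can be correlated with other logs. The field layout and the sample lines are the ones from the question.

```shell
# Added example: per-user state machine for the login -> change password ->
# log off burst. Keying state by user (not by adjacent lines) keeps the match
# correct when several users' lines interleave; the source IP is reported so
# the hit can be correlated with other logs. Log layout from the question:
#   time|ip|user| - |action| -
flag_bot_sequences() {
  awk -F'|' '
    {
      ts = $1; ip = $2; user = $3; act = $5
      gsub(/^ +| +$/, "", act)            # tolerate a padded action field
      if (act == "user logged in") {
        # a (re)login always restarts the sequence for this user
        state[user] = 1; t[user] = ts; src[user] = ip
      } else if (act == "user changed password" && state[user] == 1 && t[user] == ts) {
        state[user] = 2
      } else if (act == "user logged off" && state[user] == 2 && t[user] == ts) {
        printf "%s\t%s\t%s\n", user, src[user], ts   # full burst within one second
        state[user] = 0
      } else {
        state[user] = 0                   # other action or a later second breaks it
      }
    }'
}

# Sample lines copied from the question (user_3: time gap; user_5: extra action).
SAMPLE_LOG='Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user logged in| -
Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user changed password| -
Mon, 22 Mar 2020 13:15:39 +0200|185.34.66.225|user_1| - |user logged off| -
Mon, 22 Mar 2020 13:15:40 +0200|185.34.66.215|user_3| - |user logged in| -
Mon, 22 Mar 2020 13:15:49 +0200|185.34.66.215|user_3| - |user changed password| -
Mon, 22 Mar 2020 13:15:49 +0200|185.34.66.215|user_3| - |user logged off| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged in| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged in| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user changed password| -
Mon, 22 Mar 2020 13:15:59 +0200|185.34.66.205|user_4| - |user logged off| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user logged in| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user changed password| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user changed profile| -
Mon, 22 Mar 2020 13:17:50 +0200|185.34.66.205|user_5| - |user logged off| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user logged in| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user changed password| -
Mon, 22 Mar 2020 15:19:19 +0200|178.56.66.225|user_6| - |user logged off| -'

printf '%s\n' "$SAMPLE_LOG" | flag_bot_sequences
```

On the question's data this prints user_1, user_4 and user_6, matching the output the question expects, while the second login of user_4 simply restarts that user's sequence.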
