Remove Characters with awk

Question

I have a script that I'm working on to block IP address of failed login's on an SFTP server. I'm also using Centrify to hook the server into AD, and I've notice that Centrify logs users access differently than normal. I'm able to pull up the IP address of failed logins with the following one liner:

(grep sshd /var/log/messages | grep "AUTH_FAIL_PASSWD" | awk '{print $18}' | sort | uniq -c | awk '{ if ( $1 > 10) print $2 }')

With Centrify this gives the output of:

client=0.0.0.0

What I need to do remove "client=" so that I can pass just the IP address to the rest of the script.

Thanks for any help!

Answer 1

Let's start be getting rid of all the useless pipes in your command line. Change the whole thing to just this one awk command:

awk '/sshd/&&/AUTH_FAIL_PASSWD/{cnt[$18]++} END{for (ip in cnt) if (cnt[ip] > 10) print ip}' /var/log/messages

Now - update your question to include some sample input (contents of /var/log/messages) and expected output and tell us in terms of the text in those files what it is you're trying to do.

Oh, I think I get it. This might be what you want:

awk '/sshd/&&/AUTH_FAIL_PASSWD/{sub(/.*=/,"",$18); cnt[$18]++} END{for (ip in cnt) if (cnt[ip] > 10) print ip}' /var/log/messages

Answer 2

You can just dump this back to awk:

(grep sshd /var/log/messages | grep "AUTH_FAIL_PASSWD" | awk '{print $18}' | sort | uniq -c | awk '{ if ( $1 > 10) print $2 }' | awk -F"=" '{ print $2 }')

This last awk splits the string by an equals sign as the delimiter and prints the second element.

Answer 3

You didn't tell, but if the ip is $18

... | awk '{if(split($18,a,/=/)==2) print a[2]; else print a[1] }' | ...

should do what you want

Even simpler

... | awk '{sub(/.*=/,"",$18); print $18}'  | ...

Further, I like pipes, in many cases they show clearly your intentions, but maybe it is worth accepting at least part of what other answers suggested

 awk '/sshd/&&/AUTH_FAIL_PASSWD/ {
      sub(/.*-/,"",$18; print $18}' /var/log/messages | sort | ...