
Searching log files from a given day and time (GNU/Linux)

July 28th, 2007 by Busindre

When searching the logs of GNU/Linux systems it is often useful to filter the output starting from a certain day or time. For this we can use the handy, simple commands based on the "awk" tool shown in the following examples:

Taking this output of "/var/log/secure" as the base example:


# cat /var/log/secure
...
Jul 24 01:18:42 busipc su[5127]: Authentication failed for root
Jul 24 01:18:42 busipc su[5127]: - pts/0 busi-root
Jul 24 01:18:52 busipc su[5128]: + pts/0 busi-root
Jul 24 01:56:41 busipc su[5444]: + pts/1 busi-root
Jul 24 06:08:34 busipc su[5789]: + pts/2 busi-root
Jul 25 00:07:00 busipc su[6820]: + pts/7 busi-root
Jul 25 05:57:22 busipc su[7279]: + pts/7 busi-root
Jul 25 16:53:32 busipc login[5217]: invalid password for `busi' on `tty1'
Jul 25 16:53:43 busipc login[5217]: invalid password for `root' on `tty1'
Jul 25 16:53:58 busipc login[5217]: ROOT LOGIN on `tty1'
Jul 25 23:59:37 busipc login[5365]: invalid password for `busi' on `tty1'
Jul 25 23:59:45 busipc login[5365]: invalid password for `busi' on `tty1'
Jul 26 00:01:17 busipc su[5444]: + pts/1 busi-root
Jul 26 00:30:42 busipc su[5581]: + pts/2 busi-root
Jul 26 00:47:01 busipc su[5711]: + pts/4 busi-root
Jul 26 00:52:03 busipc su[5755]: Authentication failed for root
Jul 26 00:52:03 busipc su[5755]: - pts/3 busi-root
Jul 26 00:52:08 busipc su[5756]: + pts/3 busi-root
Jul 26 01:17:06 busipc su[5901]: + pts/1 busi-root
Jul 26 01:32:23 busipc su[6021]: + pts/5 busi-root
Jul 26 02:09:03 busipc su[6420]: Authentication failed for root
Jul 26 02:09:03 busipc su[6420]: - pts/6 busi-root
Jul 26 02:09:08 busipc su[6421]: + pts/6 busi-root
Jul 26 03:47:29 busipc su[7433]: + pts/6 root-root
Jul 26 17:46:32 busipc su[5480]: + pts/0 busi-root
Jul 27 01:19:12 busipc su[7255]: + pts/1 busi-root
Jul 27 02:48:31 busipc su[5087]: + pts/0 busi-root
Jul 27 03:48:22 busipc su[10293]: + pts/1 busi-root
Jul 27 03:50:52 busipc su[5128]: + tty1 busi-root
Jul 27 03:52:18 busipc su[5181]: + pts/0 busi-root
Jul 27 07:06:40 busipc su[5507]: + tty1 busi-root
Jul 28 01:04:17 busipc su[5300]: + pts/0 busi-root
Jul 28 02:28:57 busipc su[5746]: + pts/3 busi-root

Let's look at the commands that can make certain searches easier...

Searching from a certain time:

Now we want to extract from that log every entry with a time later than 03:48:20, on every day in the file (the comparison is on the third field, the time string):

# cat /var/log/secure | awk '{ if ($3>"03:48:20") print $0}'

Jul 24 06:08:34 busipc su[5789]: + pts/2 busi-root
Jul 25 05:57:22 busipc su[7279]: + pts/7 busi-root
Jul 25 16:53:32 busipc login[5217]: invalid password for `busi' on `tty1'
Jul 25 16:53:43 busipc login[5217]: invalid password for `root' on `tty1'
Jul 25 16:53:58 busipc login[5217]: ROOT LOGIN on `tty1'
Jul 25 23:59:37 busipc login[5365]: invalid password for `busi' on `tty1'
Jul 25 23:59:45 busipc login[5365]: invalid password for `busi' on `tty1'
Jul 26 17:46:32 busipc su[5480]: + pts/0 busi-root
Jul 27 03:48:22 busipc su[10293]: + pts/1 busi-root
Jul 27 03:50:52 busipc su[5128]: + tty1 busi-root
Jul 27 03:52:18 busipc su[5181]: + pts/0 busi-root
Jul 27 07:06:40 busipc su[5507]: + tty1 busi-root

Searching from a certain day:

Now we want to extract from that log every entry after day 25 (not inclusive), comparing on the second field, the day of the month:

# cat /var/log/secure | awk '{ if ($2>"25") print $0}'
Jul 26 00:01:17 busipc su[5444]: + pts/1 busi-root
Jul 26 00:30:42 busipc su[5581]: + pts/2 busi-root
Jul 26 00:47:01 busipc su[5711]: + pts/4 busi-root
Jul 26 00:52:03 busipc su[5755]: Authentication failed for root
Jul 26 00:52:03 busipc su[5755]: - pts/3 busi-root
Jul 26 00:52:08 busipc su[5756]: + pts/3 busi-root
Jul 26 01:17:06 busipc su[5901]: + pts/1 busi-root
Jul 26 01:32:23 busipc su[6021]: + pts/5 busi-root
Jul 26 02:09:03 busipc su[6420]: Authentication failed for root
Jul 26 02:09:03 busipc su[6420]: - pts/6 busi-root
Jul 26 02:09:08 busipc su[6421]: + pts/6 busi-root
Jul 26 03:47:29 busipc su[7433]: + pts/6 root-root
Jul 26 17:46:32 busipc su[5480]: + pts/0 busi-root
Jul 27 01:19:12 busipc su[7255]: + pts/1 busi-root
Jul 27 02:48:31 busipc su[5087]: + pts/0 busi-root
Jul 27 03:48:22 busipc su[10293]: + pts/1 busi-root
Jul 27 03:50:52 busipc su[5128]: + tty1 busi-root
Jul 27 03:52:18 busipc su[5181]: + pts/0 busi-root
Jul 27 07:06:40 busipc su[5507]: + tty1 busi-root
Jul 28 01:04:17 busipc su[5300]: + pts/0 busi-root
Jul 28 02:28:57 busipc su[5746]: + pts/3 busi-root

NOTE: If we want to extract from day "X" but include day X itself in the listing, we must subtract one from it, as in the example.

Searching from a given time on a specific day:

Now we want to extract from that log the entries from day 26 onward whose time is later than 01:32:20 (not inclusive); as the output shows, the second filter is applied to every day that passes the first one:

# cat /var/log/secure | awk '{ if ($2>"25") print $0}' | awk '{ if ($3>"01:32:20") print $0}'
Jul 26 01:32:23 busipc su[6021]: + pts/5 busi-root
Jul 26 02:09:03 busipc su[6420]: Authentication failed for root
Jul 26 02:09:03 busipc su[6420]: - pts/6 busi-root
Jul 26 02:09:08 busipc su[6421]: + pts/6 busi-root
Jul 26 03:47:29 busipc su[7433]: + pts/6 root-root
Jul 26 17:46:32 busipc su[5480]: + pts/0 busi-root
Jul 27 02:48:31 busipc su[5087]: + pts/0 busi-root
Jul 27 03:48:22 busipc su[10293]: + pts/1 busi-root
Jul 27 03:50:52 busipc su[5128]: + tty1 busi-root
Jul 27 03:52:18 busipc su[5181]: + pts/0 busi-root
Jul 27 07:06:40 busipc su[5507]: + tty1 busi-root
Jul 28 02:28:57 busipc su[5746]: + pts/3 busi-root
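As an added example (not from the original post), the following shell script compares month, day and time together instead of one field at a time, so the filter also works across a month boundary and for single-digit days. It runs on a constructed sample log in the same format; the function names since_ts, count_since and naive_after_25 are chosen here. It also shows a pitfall of the post's string comparison: a single-digit day such as "Jul  5" sorts after "25" as a string.

```shell
#!/bin/sh
# Added example, not part of the original post: filter syslog-style lines that
# fall after a full "Mon DD HH:MM:SS" threshold. Month, day and time are compared
# together, so it works across month boundaries and for single-digit days
# ("Jul  5"), where a plain string comparison such as $2>"25" misfires.

# Constructed sample log in the same format as the post's /var/log/secure.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 30 23:59:59 busipc su[100]: + pts/0 busi-root
Jul  5 02:00:00 busipc su[101]: Authentication failed for root
Jul 24 01:18:42 busipc su[5127]: Authentication failed for root
Jul 26 01:32:23 busipc su[6021]: + pts/5 busi-root
Jul 26 02:09:03 busipc su[6420]: Authentication failed for root
Jul 27 03:48:22 busipc su[10293]: + pts/1 busi-root
Aug  1 00:00:01 busipc login[99]: ROOT LOGIN on `tty1'
EOF

# since_ts FILE MON DAY TIME: print lines whose timestamp is later than MON DAY TIME.
since_ts() {
    awk -v mon="$2" -v day="$3" -v tim="$4" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mnum[m[i]] = i
        # Sortable key "MM DD HH:MM:SS": numeric month, zero-padded day.
        key = sprintf("%02d %02d %s", mnum[mon], day + 0, tim)
    }
    {
        line_key = sprintf("%02d %02d %s", mnum[$1], $2 + 0, $3)
        if (line_key > key) print
    }' "$1"
}

# count_since MON DAY TIME: number of sample-log lines after the threshold.
count_since() {
    since_ts "$SAMPLE_LOG" "$1" "$2" "$3" | wc -l | tr -d ' '
}

# naive_after_25: the post's $2>"25" string comparison on the same sample. It also
# matches "Jun 30" and "Jul  5", because "30" and "5" sort after "25" as strings.
naive_after_25() {
    awk '{ if ($2>"25") print $0 }' "$SAMPLE_LOG" | wc -l | tr -d ' '
}

# Stand-alone usage: the post's third query, extended over the month boundary.
since_ts "$SAMPLE_LOG" Jul 26 01:32:20
```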
