9.awk
Linux system administrators often need to monitor authentication failures in system logs to identify and address security threats. The auth.log file is one such log that contains valuable information about authentication attempts. In this blog, we will explore seven commands that can help you analyze authentication failure logs.
Sample Input Data
We'll be working with a sample auth.log file containing various authentication events. Here's a snippet of the sample data:
Command 1: Filtering Authentication Failure Events
The first command filters out lines containing "Failed password" from the auth.log:
Output (Sample):
This command extracts lines where authentication failures occurred.
Command 2: Extracting Timestamps
The second command extracts the timestamps (date and time) from the authentication failure events:
Output (Sample):
This command helps in understanding when the authentication failures took place.
Command 3: Extracting Relevant Information
The third command extracts key information, including the date, time, source IP, and username of authentication failures for invalid users:
Output (Sample):
This command provides a more focused view of authentication failure events.
Command 4: Detailed Information
The fourth command extracts additional information, such as the date, time, source IP, username, and port number:
Output (Sample):
This command provides more context about authentication failures.
Command 5: Sorting Events
The fifth command counts and sorts unique authentication failure events:
Output (Sample):
This command helps identify the frequency of each unique authentication failure event.
Command 6: Aggregating and Sorting by IP
The sixth command aggregates events by source IP, counts them, and sorts the results:
Output (Sample):
This command helps you identify which source IPs are involved in multiple authentication failures.
Command 7: Geolocating IP Addresses
The seventh command adds geolocation information to source IP addresses using a tool like geoiplookup:
You may need to install the geoiplookup tool using sudo apt install geoip-bin before running this command.
Output (Sample):
This command first sorts the previous result by the number of authentication failures in descending order. It then iterates through each line and extracts the source IP address. Finally, it uses the geoiplookup tool to add geolocation information to each source IP address.
Command 8: Getting the Top 10 IP Addresses
The eighth command gets the top 10 IP addresses with the most authentication failures:
Or, using the sed command:
Command 9: Exporting Data
You can separate the output with commas (,) and save the output to your local machine as a CSV file:
Output (Sample):
This command exports the output to a CSV file and your console output will be empty.
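The nine steps above, filtering failures, extracting date/time/IP/user/port, aggregating by source IP and exporting CSV, as one added example script (not the post's own commands). It works on constructed auth.log lines embedded below and goes slightly beyond Command 3 by handling both the "invalid user NAME" and the plain "for NAME" forms of the sshd message; function names and the sample data are this example's own.

```shell
#!/bin/sh
# Added example: parse auth.log "Failed password" events, aggregate by
# source IP and emit CSV. Sample lines below are constructed, not real data.
SAMPLE_LOG='Mar  3 10:15:22 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:25 host sshd[1234]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:16:01 host sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:30 host sshd[1241]: Accepted password for alice from 192.0.2.9 port 40100 ssh2
Mar  3 10:17:02 host sshd[1250]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2'

# Commands 1-4: keep only failures; print date, time, source IP, user, port.
# "for invalid user NAME" (unknown account) and "for NAME" (existing account)
# are both handled, so real-account brute forcing is not silently dropped.
failure_details() {
  grep 'Failed password' | awk '{
    for (i = 1; i <= NF; i++) {
      if ($i == "from") ip = $(i+1)
      if ($i == "port") port = $(i+1)
      if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
    }
    print $1, $2, $3, ip, user, port
  }'
}

# Commands 5, 6 and 8: count failures per source IP, most frequent first;
# optional first argument limits the list (default: top 10).
failures_by_ip() {
  failure_details | awk '{print $4}' | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Command 9: the same aggregation as comma-separated values with a header,
# suitable for redirecting into a .csv file.
failures_by_ip_csv() {
  printf 'count,source_ip\n'
  failures_by_ip "$@" | awk '{print $1 "," $2}'
}

# Stand-alone run on the constructed sample. Against a real system you would
# use:  failures_by_ip_csv 10 < /var/log/auth.log > failures.csv
printf '%s\n' "$SAMPLE_LOG" | failures_by_ip_csv
```

Pipe geoiplookup over the second CSV column to reproduce Command 7; the counts stay attached to each IP because the functions never reorder the output.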