* [gentoo-user] Potential Supid question re Grep
From: Michael Thompson @ 2005-07-07 18:18 UTC
To: gentoo-user
I am trying to extract information in my logs for an abuse department and am
using the code:
Code:
zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
The logs are standard: messages.??.gz
However, when I examine the output, it starts on the 1st May, however the logs
contain details from the 25th February. What am I doing wrong?
--
Mike
To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.
GnuGPG KeyID:=FC0D8D9A
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Potential Supid question re Grep
From: A. Khattri @ 2005-07-07 18:32 UTC
To: gentoo-user
On Thu, 7 Jul 2005, Michael Thompson wrote:
> I am trying to extract information in my logs for an abuse department and am
> using the code:
>
> Code:
>
> zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
>
> The logs are standard: messages.??.gz
>
> However, when I examine the output, it starts on the 1st May, however the logs
> contain details from the 25th February. What am I doing wrong?
Show us some sample log lines.
* Re: [gentoo-user] Potential Supid question re Grep
From: Michael Thompson @ 2005-07-07 18:47 UTC
To: gentoo-user
On Thursday 07 July 2005 19:32, A. Khattri wrote:
> On Thu, 7 Jul 2005, Michael Thompson wrote:
> > I am trying to extract information in my logs for an abuse department and
> > am using the code:
> >
> > Code:
> >
> > zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
> >
> > The logs are standard: messages.??.gz
> >
> > However, when I examine the output, it starts on the 1st May, however the
> > logs contain details from the 25th February. What am I doing wrong?
>
> Show us some sample log lines.
Apr 24 06:39:51 polaris INPUT BLOCKED: IN=eth1 OUT=
MAC=00:09:5b:1f:16:42:06:05:5d:9f:a3:74:08:00 SRC=212.56.68.108
DST=212.159.25.17 LEN=71 TOS=0x00 PREC=0xA0 TTL=58 ID=0 DF PROTO=UDP
SPT=46245 DPT=161 LEN=51
--
Mike
To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.
GnuGPG KeyID:=FC0D8D9A
* Re: [gentoo-user] Potential Supid question re Grep
From: A. Khattri @ 2005-07-07 19:19 UTC
To: gentoo-user
On Thu, 7 Jul 2005, Michael Thompson wrote:
> Apr 24 06:39:51 polaris INPUT BLOCKED: IN=eth1 OUT=
> MAC=00:09:5b:1f:16:42:06:05:5d:9f:a3:74:08:00 SRC=212.56.68.108
> DST=212.159.25.17 LEN=71 TOS=0x00 PREC=0xA0 TTL=58 ID=0 DF PROTO=UDP
> SPT=46245 DPT=161 LEN=51
Looks OK and grep should find it. Do you see that line go past when you
do:
zcat /var/log/messages.*?.gz | grep 212.56.68.108 | more
* Re: [gentoo-user] Potential Supid question re Grep
From: Richard Fish @ 2005-07-07 22:54 UTC
To: gentoo-user
Michael Thompson wrote:
>I am trying to extract information in my logs for an abuse department and am
>using the code:
>
>Code:
>
>zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
>
>The logs are standard: messages.??.gz
>
>However, when I examine the output, it starts on the 1st May, however the logs
>contain details from the 25th February. What am I doing wrong?
>
>
>
Are you *sure* the February information is not there?? I think this
probably has nothing to do with the grep command, but more with the
shell expansion. When I do "ls -l /var/log/messages.*?.gz", I get the
following:
-rw------- 1 root root 696588 Feb 21 09:00 /var/log/messages.1.gz
-rw------- 1 root root 795675 Feb 14 15:40 /var/log/messages.2.gz
-rw------- 1 root root 491964 Feb 6 19:00 /var/log/messages.3.gz
-rw------- 1 root root 482189 Jan 31 05:10 /var/log/messages.4.gz
Notice that the dates are in reverse order. If I were to cat those
together, the oldest information would be at the end. I think you want:
zcat `ls -rt /var/log/messages.*?.gz` | grep 212.56.68.108 >> /home/mike/abuse1
-Richard
* Re: [gentoo-user] Potential Supid question re Grep
From: Nick Rout @ 2005-07-08 2:04 UTC
To: gentoo-user
On Fri, 08 Jul 2005 00:54:46 +0200
Richard Fish wrote:
> Michael Thompson wrote:
>
> >I am trying to extract information in my logs for an abuse department and am
> >using the code:
> >
> >Code:
> >
> >zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
> >
> >The logs are standard: messages.??.gz
> >
> >However, when I examine the output, it starts on the 1st May, however the logs
> >contain details from the 25th February. What am I doing wrong?
> >
> >
> >
>
> Are you *sure* the February information is not there?? I think this
> probably has nothing to do with the grep command, but more with the
> shell expansion. When I do "ls -l /var/log/messages.*?.gz", I get the
> following:
>
> -rw------- 1 root root 696588 Feb 21 09:00 /var/log/messages.1.gz
> -rw------- 1 root root 795675 Feb 14 15:40 /var/log/messages.2.gz
> -rw------- 1 root root 491964 Feb 6 19:00 /var/log/messages.3.gz
> -rw------- 1 root root 482189 Jan 31 05:10 /var/log/messages.4.gz
>
> Notice that the dates are in reverse order. If I were to cat those
> together, the oldest information would be at the end. I think you want:
>
> zcat `ls -rt /var/log/messages.*?.gz` | grep 212.56.68.108 >> /home/mike/abuse1
Another potential problem is that if you have 10 or more rotated log
files you will get them in the order:
/var/log/messages.1.gz
/var/log/messages.10.gz
/var/log/messages.2.gz
>
> -Richard
>
> --
> gentoo-user@gentoo.org mailing list
--
Nick Rout
* Re: [gentoo-user] Potential Supid question re Grep
From: Toby Cubitt @ 2005-07-08 23:30 UTC
To: gentoo-user
On Thu, Jul 07, 2005 at 07:18:26PM +0100, Michael Thompson wrote:
> I am trying to extract information in my logs for an abuse department and am
> using the code:
>
> Code:
>
> zcat /var/log/messages.*?.gz | grep 212.56.68.108 >> /home/mike/abuse1
>
> The logs are standard: messages.??.gz
>
> However, when I examine the output, it starts on the 1st May, however the logs
> contain details from the 25th February. What am I doing wrong?
This isn't the cause of your problem (which has probably been solved by some
of the other posts), but don't forget that grep matches regexps, not strings,
and "." in a regexp matches any single character. Therefore your code will match
"212a56b68c108" (for example), as well as the ip you probably intended to match.
To make sure you only match the ip, you'll need to escape the .s and surround
the regexp by quotes:
grep '212\.56\.68\.108'
I'm probably telling you things you already know ;-) And it probably won't
matter much anyway, but I thought I'd mention it in case it helps someone.
Toby
--
Quantum Information Theory group
Max Planck Institute for Quantum Optics
Garching, Germany
email: toby@dr-qubit.org
web: www.dr-qubit.org
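The three points raised in the replies above (oldest file last, messages.10.gz sorting before messages.2.gz, and "." acting as a regexp wildcard) combined into one helper, as an added example that is not part of any post in this thread. The function names, the sample log lines and the DST address are constructed; it assumes logrotate-style names where a higher number is an older file, and that SRC= is followed by a space as in the log line posted above.

```shell
#!/bin/sh
# Added example: search rotated syslog archives oldest-first for one literal IP.
# Usage: search_ip /var/log/messages 212.56.68.108 >> /home/mike/abuse1

# Print the rotated archives of $1 (e.g. /var/log/messages), oldest first.
# Sorting on the numeric suffix avoids the lexical glob order (1, 10, 2, ...)
# and does not rely on mtimes, which a copy or restore can change.
rotated_oldest_first() {
    for f in "$1".*.gz; do
        [ -e "$f" ] || continue                # glob matched nothing
        n=${f%.gz}; n=${n##*.}                 # rotation number before .gz
        case $n in ''|*[!0-9]*) continue ;; esac
        printf '%s %s\n' "$n" "$f"
    done | sort -k1,1nr | cut -d' ' -f2-
}

# Print every line whose SRC field is exactly the address $2, in time order.
# grep -F takes the pattern as a fixed string, so "." matches only a dot;
# the "SRC=" prefix and trailing space stop partial-address matches.
search_ip() {
    rotated_oldest_first "$1" | while IFS= read -r f; do
        gzip -dc -- "$f"
    done | grep -F -- "SRC=$2 "
}

# Constructed sample data: three rotated files, including a .10 archive
# and one decoy line that an unescaped "." regexp would also match.
make_sample() {
    d=$(mktemp -d) || return 1
    t='host INPUT BLOCKED: IN=eth1 SRC=%s DST=192.0.2.1 PROTO=UDP DPT=161\n'
    printf "Feb 25 01:00:00 $t" 212.56.68.108 | gzip > "$d/messages.10.gz"
    { printf "Apr 24 06:39:51 $t" 212.56.68.108
      printf "Apr 24 06:40:00 $t" 212a56b68c108; } | gzip > "$d/messages.2.gz"
    printf "May  1 09:00:00 $t" 212.56.68.108 | gzip > "$d/messages.1.gz"
    printf '%s\n' "$d"
}
```

File names containing spaces or newlines are not handled; rotated syslog archives do not normally have them.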