Introduction
If you ever have to parse huge firewall logs looking for something specific then, trust me, you will need awk, most likely in combination with other commands such as grep, sort and uniq.
Solution
Get your firewall logs somewhere you can read them. I was parsing NetScreen firewall logs, so I ran a few tests with awk to find the columns I wanted and then constructed the command I needed:
Print all columns:
grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $0}'
Print specific column:
grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13}'
A typical line in the logs looks like the following:
Dec 7 00:00:01 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src=192.168.0.14 dst=192.168.1.211 src_port=44918 dst_port=80 src-xlated ip=192.168.0.14 port=44918 dst-xlated ip=192.168.1.211 port=80 session_id=63816 reason=Close - TCP RST
The following command returns the requested information:
grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13, $23}' | sort | uniq
In my case the information required was the service (protocol and port) plus the destination host, so columns 13 and 23 of the line above, printed once per distinct combination:
service=tcp/port:443 dst=192.168.0.69
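As an added example (not part of the original post), the same extraction done by key name rather than by column position, run over constructed sample lines in the format shown above: tokens such as start_time="2017-12-07 00:00:05" and src zone=DMZ contain spaces, so $13 and $23 only hold while every line has exactly the same shape, and grep -e src=192.168.0.1 also matches src=192.168.0.14, whereas an exact comparison on the src= and dst= values does not. The function name fw_services and the sample hosts, ports and ids are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pick fields by key name instead of
# by position, compare src/dst exactly, and count hits per service/destination.

# fw_services SRC DST   reads NetScreen traffic log lines on stdin and prints
# "COUNT service=... dst=..." for sessions from SRC to DST, most frequent first.
fw_services() {
  awk -v want_src="$1" -v want_dst="$2" '
    {
      src = ""; dst = ""; svc = ""
      for (i = 1; i <= NF; i++) {           # walk the key=value tokens on the line
        if ($i ~ /^src=/)          src = substr($i, 5)   # value after "src="
        else if ($i ~ /^dst=/)     dst = substr($i, 5)   # value after "dst="
        else if ($i ~ /^service=/) svc = substr($i, 9)   # value after "service="
      }
      if (src == want_src && dst == want_dst) print "service=" svc, "dst=" dst
    }' | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# Constructed sample log (hosts, ports and ids are made up) in the format shown in
# the post; the last line is a prefix trap (192.168.0.140, not 192.168.0.14).
FW_SAMPLE=$(cat <<'EOF'
Dec 7 00:00:01 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src=192.168.0.14 dst=192.168.1.211 src_port=44918 dst_port=80 src-xlated ip=192.168.0.14 port=44918 dst-xlated ip=192.168.1.211 port=80 session_id=63816 reason=Close - TCP RST
Dec 7 00:00:03 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:07" duration=2 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=1200 rcvd=640 src=192.168.0.14 dst=192.168.1.211 src_port=44920 dst_port=80 session_id=63817 reason=Close - TCP FIN
Dec 7 00:00:04 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:08" duration=9 policy_id=220 service=https proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=5100 rcvd=30210 src=192.168.0.14 dst=192.168.1.211 src_port=44921 dst_port=443 session_id=63818 reason=Close - TCP FIN
Dec 7 00:00:05 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:09" duration=1 policy_id=221 service=dns proto=17 src zone=DMZ dst zone=Trust action=Permit sent=70 rcvd=120 src=192.168.0.14 dst=192.168.1.50 src_port=51000 dst_port=53 session_id=63819 reason=Close - AGE OUT
Dec 7 00:00:06 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:10" duration=30 policy_id=222 service=ssh proto=6 src zone=Trust dst zone=DMZ action=Permit sent=4000 rcvd=8000 src=192.168.0.140 dst=192.168.1.211 src_port=52000 dst_port=22 session_id=63820 reason=Close - TCP FIN
EOF
)

# Usage: which services 192.168.0.14 used to reach 192.168.1.211, with hit counts.
# On a real file: fw_services <src_ip> <dst_ip> < <fw_log_file>
printf '%s\n' "$FW_SAMPLE" | fw_services 192.168.0.14 192.168.1.211
```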
Thanks to the guys at shellhacks.com
https://www.shellhacks.com/awk-print-column-change-field-separator-linux-bash/