Introduction

If you ever need to parse huge firewall logs looking for something specific, then, trust me, you will likely need awk, possibly in combination with other commands such as grep, sort and uniq.

Solution

Get your firewall logs somewhere you can read them. I was parsing NetScreen firewall logs, so I ran a few tests with awk to find the column I wanted and then constructed the command required:

Print all columns:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $0}'

Print a specific column:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13}'

A random line in the logs looks like the following:

Dec 7 00:00:01 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src=192.168.0.14 dst=192.168.1.211 src_port=44918 dst_port=80 src-xlated ip=192.168.0.14 port=44918 dst-xlated ip=192.168.1.211 port=80 session_id=63816 reason=Close - TCP RST

The following command returns the information requested:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13, $23}' | sort | uniq

It prints the information I required, which in my case was the protocol and port plus the destination host (in the sample line above, column 13 is the service= field and column 23 is the dst= field):

service=tcp/port:443 dst=192.168.0.69
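The pipeline above, as an added example that is not part of the original post: it runs against a constructed four-line NetScreen log, shows the fixed-column awk from the post, and adds a variant that finds src=, dst= and service= by their key prefix so the result does not depend on the column numbers. The function names and the sample log are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise NetScreen traffic
# log sessions between one source and one destination IP.

# Constructed sample log; same layout as the line quoted in the post.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Dec 7 00:00:01 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src=192.168.0.14 dst=192.168.1.211 src_port=44918 dst_port=80 src-xlated ip=192.168.0.14 port=44918 dst-xlated ip=192.168.1.211 port=80 session_id=63816 reason=Close - TCP RST
Dec 7 00:00:02 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:06" duration=2 policy_id=219 service=https proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=900 rcvd=400 src=192.168.0.14 dst=192.168.1.211 src_port=44920 dst_port=443 src-xlated ip=192.168.0.14 port=44920 dst-xlated ip=192.168.1.211 port=443 session_id=63817 reason=Close - TCP RST
Dec 7 00:00:03 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:07" duration=1 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=100 rcvd=50 src=192.168.0.14 dst=192.168.1.211 src_port=44921 dst_port=80 src-xlated ip=192.168.0.14 port=44921 dst-xlated ip=192.168.1.211 port=80 session_id=63818 reason=Close - TCP RST
Dec 7 00:00:04 192.168.0.1 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:08" duration=9 policy_id=220 service=ssh proto=6 src zone=Trust dst zone=DMZ action=Permit sent=500 rcvd=700 src=192.168.0.1 dst=192.168.1.211 src_port=50000 dst_port=22 src-xlated ip=192.168.0.1 port=50000 dst-xlated ip=192.168.1.211 port=22 session_id=63819 reason=Close - TCP RST
EOF

# The post's approach: grep on src/dst, then print fixed columns 13 and 23.
# The trailing space in each pattern stops "src=192.168.0.1" from also
# matching "src=192.168.0.14"; LC_ALL=C makes the sort order predictable.
# Usage: fw_summary_cols <src_ip> <dst_ip> <log_file>
fw_summary_cols() {
    grep -e "src=$1 " "$3" | grep -e "dst=$2 " \
        | awk '{print $13, $23}' | LC_ALL=C sort | uniq
}

# Same result without relying on column numbers: scan every whitespace
# token for its key= prefix, so an extra or missing field in a line does
# not shift the output onto the wrong value. Bare "src"/"dst" tokens from
# "src zone=" / "dst zone=" are ignored because they carry no "=".
# Usage: fw_summary_kv <src_ip> <dst_ip> <log_file>
fw_summary_kv() {
    awk -v want_src="$1" -v want_dst="$2" '
    {
        s = ""; d = ""; svc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)          s   = substr($i, 5)
            else if ($i ~ /^dst=/)     d   = substr($i, 5)
            else if ($i ~ /^service=/) svc = substr($i, 9)
        }
        if (s == want_src && d == want_dst) print "service=" svc, "dst=" d
    }' "$3" | LC_ALL=C sort | uniq
}

fw_summary_kv 192.168.0.14 192.168.1.211 "$LOG"
```

Both functions collapse the two http sessions into one line and leave the 192.168.0.1 ssh session out when asked for 192.168.0.14.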

Thanks to the guys at shellhacks.com

https://www.shellhacks.com/awk-print-column-change-field-separator-linux-bash/

Linux Bash Printing Columns using AWK