If you ever have a requirement to parse huge firewall logs looking for something specific then, trust me, you will likely need to use awk, possibly in combination with other commands such as grep, sort and uniq.


Get your firewall logs somewhere where you can read them. I was parsing NetScreen firewall logs, so I just did some tests with awk to find the column I wanted and then constructed the command required:

Print all columns:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $0}'

Print a specific column:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13}'

A random line in the logs looks like the following:

Dec 7 00:00:01 FAKE-NAME: NetScreen device_id=FAKE-NAME [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src= dst= src_port=44918 dst_port=80 src-xlated ip= port=44918 dst-xlated ip= port=80 session_id=63816 reason=Close - TCP RST

The following command will return the info requested:

grep -e src=<src_ip> <fw_log_file> | grep -e dst=<dst_ip> | awk '{print $13, $23}' | sort | uniq

This returns the information required, which in my case was the protocol and port plus the destination host:

service=tcp/port:443 dst=
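The same lookup done by key name instead of column number, as an added example that is not part of the original post: column positions in these logs are fragile because fields such as start_time="2017-12-07 00:00:05", "src zone=" and "dst zone=" contain spaces, so a single log variant shifts $13 and $23 onto different fields. The log lines and the fw_pairs function are constructed for this example, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): pull fields out of NetScreen
# traffic logs by key name rather than by awk column number, so fields that
# contain spaces cannot shift the column you are after. The sample lines are
# constructed and use RFC 5737 documentation addresses.

LOG_SAMPLE='Dec 7 00:00:01 FW1: NetScreen device_id=FW1 [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:05" duration=4 policy_id=219 service=http proto=6 src zone=DMZ dst zone=DMZ action=Permit sent=2367 rcvd=837 src=192.0.2.10 dst=198.51.100.20 src_port=44918 dst_port=80 session_id=63816 reason=Close - TCP RST
Dec 7 00:00:02 FW1: NetScreen device_id=FW1 [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:06" duration=9 policy_id=219 service=https proto=6 src zone=DMZ dst zone=Untrust action=Permit sent=1200 rcvd=9000 src=192.0.2.10 dst=198.51.100.20 src_port=44920 dst_port=443 session_id=63817 reason=Close - TCP FIN
Dec 7 00:00:03 FW1: NetScreen device_id=FW1 [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:07" duration=0 policy_id=219 service=https proto=6 src zone=DMZ dst zone=Untrust action=Deny sent=0 rcvd=0 src=192.0.2.10 dst=198.51.100.20 src_port=44921 dst_port=443 session_id=63818 reason=Close - TCP RST
Dec 7 00:00:04 FW1: NetScreen device_id=FW1 [Root]system-notification-00257(traffic): start_time="2017-12-07 00:00:08" duration=2 policy_id=220 service=dns proto=17 src zone=DMZ dst zone=Untrust action=Permit sent=70 rcvd=120 src=192.0.2.11 dst=203.0.113.53 src_port=5123 dst_port=53 session_id=63819 reason=Close - AGE OUT'

# fw_pairs SRC DST
# Reads log lines on stdin and prints "service=... dst_port=... action=..."
# once per distinct combination for sessions between SRC and DST.
fw_pairs() {
    awk -v want_src="$1" -v want_dst="$2" '
    {
        # Build a key -> value map from every token shaped like key=value.
        # split("", kv) empties the array portably at the start of each line.
        # Repeated keys (the two zone= tokens) keep the last value, which is
        # fine because only src, dst, service, dst_port and action are used.
        split("", kv)
        for (i = 1; i <= NF; i++)
            if (split($i, p, "=") == 2) kv[p[1]] = p[2]
        if (kv["src"] == want_src && kv["dst"] == want_dst)
            print "service=" kv["service"], "dst_port=" kv["dst_port"], "action=" kv["action"]
    }' | sort | uniq
}

# Usage: run the lookup over the constructed sample.
printf '%s\n' "$LOG_SAMPLE" | fw_pairs 192.0.2.10 198.51.100.20
```

Because the Deny and Permit lines for the same service and port sort separately, a blocked attempt shows up as its own row next to the allowed traffic, which the positional version on this page would only reveal if action= happened to be one of the chosen columns.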

Thanks to the guys at


Linux Bash Printing Columns using AWK