I have a script that prints how many times an IP has failed and the date of that IP's last attempt. It looks like this:

    #!/bin/bash
    searchString=$1
    file=$2
    countLines()
    {
        declare -A ipCount
        declare -A lastDate
        cnt=0
        while read line;
        do
            ((cnt+=1))
            ipaddr=$( echo "$line" | grep -o -E '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' )
            lastDate[$ipaddr]=$( echo "$line" | grep -o -E '[a-zA-Z][a-zA-Z][a-zA-Z]\ [0-3][0-9]\ [0-2][0-9]\:[0-2][2-9]\:[0-2][2-9]' )
            ((ipCount[$ipaddr]+=1))
        done
        printf "%-18s %-10s %s\n" "IP" "Count" "lastDate"
        echo "-------------------------------------------------"
        for ip in ${!ipCount[*]}
        do
            printf "%-18s %-10s %s\n" "$ip" "${ipCount[$ip]}" "${lastDate[$ip]}"
        done | sort
        echo "--------------------------------------------------"
        echo "Count: $cnt"
    }
    grep "$searchString" $file | countLines

The file I tried it on looks like this, only bigger:
    May 16 06:41:38 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
    May 16 06:41:40 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
    May 16 06:41:43 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
    May 16 06:41:46 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
    May 16 06:41:48 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2

What I get is:
    IP                 Tries      LastDate
    -----------------------------------------------
    37.141.229.226     205
    137.241.229.226    705        May 16 07:08:24
    -----------------------------------------------
    Count: 910

As you can see, I only get 'lastDate' for one of the IPs, and this also happens with big log files. I think it's something simple, but I don't know why. Can you help me?

I run the script like this: bash scriptname.sh "Failed password for root" logFile
Posted 2014-05-25 17:47:41
The problem seems to be in the regex for lastDate. Replace:

    lastDate[$ipaddr]=$( echo "$line" | grep -o -E '[a-zA-Z][a-zA-Z][a-zA-Z]\ [0-3][0-9]\ [0-2][0-9]\:[0-2][2-9]\:[0-2][2-9]' )

with:

    lastDate[$ipaddr]=$( echo "$line" | grep -o -E '[a-zA-Z][a-zA-Z][a-zA-Z] [0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9]' )

The key part is the hour:minute:second match. The original has [0-2][0-9]\:[0-2][2-9]\:[0-2][2-9]. That restricts the match to times from the top of the hour to the half hour, and likewise to only the first half of each minute. A more general replacement is [0-2][0-9]:[0-5][0-9]:[0-5][0-9].

Also, space and colon are not special characters for grep, so they do not need to be escaped.
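The following is an added example, not the asker's script or the answerer's code. It rebuilds the per-IP count and last-timestamp summary with the corrected regex, reads the log safely (`read -r`, no unquoted `$file`), and runs over constructed sample lines (not taken from the original post) whose minutes and seconds fall outside the ranges the original `[0-2][2-9]` pattern could match, so the difference is visible in the result. The `SAMPLE_LOG`, `IP_RE`, `DATE_RE`, `extract_date` and `summarize` names are this example's own.

```bash
#!/bin/bash
# Added example (not the asker's or answerer's code): count failed SSH logins
# per source IP and keep the timestamp of the last attempt, using the corrected
# timestamp regex from the answer. Runs offline on constructed sample lines.

# Constructed sample log lines (not from the original post). The 06:55:31 and
# 07:00:00 timestamps are exactly the kind the original [0-2][2-9] pattern misses.
SAMPLE_LOG='May 16 06:41:38 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:41:40 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:55:31 aprs sshd[25960]: Failed password for root from 37.141.229.226 port 2010 ssh2
May 16 07:00:00 aprs sshd[25961]: Failed password for root from 37.141.229.226 port 2011 ssh2
May 16 07:00:05 aprs sshd[25962]: Accepted password for alice from 10.0.0.5 port 2012 ssh2'

# Dotted-quad IPv4 address, same octet alternation as the asker's script but written once.
IP_RE='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}'
# Corrected syslog timestamp: any hour 00-29 (as in the answer), any minute/second 00-59.
DATE_RE='[A-Za-z]{3} [0-3][0-9] [0-2][0-9]:[0-5][0-9]:[0-5][0-9]'

# extract_date LINE -> prints the timestamp found in LINE, or nothing if absent.
extract_date() {
    printf '%s\n' "$1" | grep -o -E "$DATE_RE" || true
}

# summarize SEARCH_STRING -> one line per IP: "ip count lastDate", sorted by IP.
# Only lines containing SEARCH_STRING (matched literally with grep -F) are counted.
summarize() {
    local search="$1"
    printf '%s\n' "$SAMPLE_LOG" | grep -F -- "$search" | {
        local line ip
        declare -A ipCount lastDate
        # read -r keeps backslashes intact; IFS= keeps leading/trailing spaces.
        while IFS= read -r line; do
            ip=$(printf '%s\n' "$line" | grep -o -E "$IP_RE" | head -n1)
            [ -n "$ip" ] || continue          # skip lines with no IPv4 address
            ipCount[$ip]=$(( ${ipCount[$ip]:-0} + 1 ))
            lastDate[$ip]=$(extract_date "$line")   # later lines overwrite earlier ones
        done
        for ip in "${!ipCount[@]}"; do
            printf '%s %s %s\n' "$ip" "${ipCount[$ip]}" "${lastDate[$ip]}"
        done | sort
    }
}

# Stand-alone run: the "Accepted password" line is excluded by the search string.
summarize "Failed password for root"
```

The loop and the final `for` both live inside one `{ ... }` group on the right side of the pipe, so the associative arrays are filled and printed in the same subshell; with the asker's layout (`grep ... | countLines`) the whole function runs in that subshell anyway, which is fine, but splitting the loop and the report across a pipe boundary would silently lose the counts.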
https://stackoverflow.com/questions/23857303