Mailing List CGatePro@mail.stalker.com Message #105670
From: Juergen P. [core] <juergenp@core.at>
Subject: Re: Using AWK on unix flavour to extract log information
Date: Tue, 02 Jun 2015 15:19:51 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pronto! 6.1
You can modify the file /var/CommuniGate/Settings/BlackListed.data to have the IPs included in the blacklist.
This can be done automatically. If you are running a cluster you must update that file on each node.

I also use a small Perl script to check the logs for IPs "blacklisted" by some RBL servers; adding those IPs reduces RBL requests.
The blacklist should be maintained periodically.

(I prefer the brutal method: once on the list, never removed until I receive a request from a customer.)

kr.

Juergen


On Tue, 2 Jun 2015 14:03:55 +0100
 "David Brookfield" <david.brookfield@city-support.co.uk> wrote:
 Please ignore my last PEBCAK


 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of David Brookfield
 Sent: 02 June 2015 13:58
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 Stupid question I guess, but what is AWS? I do pretty much exactly the same from a filter with "failed to open" in it. I do this on the day's log file, then put that in Excel and extract the IPs; it's really quick, but I'm wondering if I'm missing a trick here.

 -----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Alexander Ryskin
 Sent: 02 June 2015 13:26
 To: CommuniGate Pro Discussions
 Subject: Re: Using AWK on unix flavour to extract log information

 awk '$4 == "failed" {sub(/.*\[/,"",$3); sub(/\]./,"",$3); store[$3]=1} END {for (s in store) print s}'

 Alex

 On 06/02/2015 07:56 AM, Martin Miller wrote:
 I want to extract all Failed to entries to pull the IP so I can deny.

 Why? It's a little server and I am tired of the continuous probes, and
 there is zero chance of legitimate connections being caught up in the fails.

 Here is a typical log row:

 23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL

 Can anyone suggest an awk statement to parse the above to get
 202.83.25.95? Ideally using uniq to return a unique list.

 --
 MJM


 #############################################################
 This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
 To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
 To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
 To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
 Send administrative queries to  <CGatePro-request@mail.stalker.com>



--
Best Regards

Juergen Paulhart

VoIP / SIP / IM / E-Mail : juergenp@core.at
TEL: +43 676 30 592 44
VoIP Support:  +43 1 236 46 60 600
***  IT Security, Cloud based Communication Technologies & Hosted Unified 
Communications ***
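A worked version of the extraction discussed in this thread, as an added example (it is not code from the thread, from Alex's one-liner, or from CommuniGate Pro). It does what the awk above does, then goes a step further: it counts failures per client IP so you can block only repeat offenders, and it merges the result into a blacklist file without duplicating entries already there, which is the periodic maintenance Juergen describes. The log lines are constructed to mirror the format Martin quoted (the IPs, account names and the non-failure line are made up). The on-disk format of BlackListed.data is not shown on this page, so the merge step writes a plain one-IP-per-line file at whatever path you pass it; treat that format and the path as assumptions and check the real file before pointing the script at it.

```shell
#!/bin/sh
# Constructed sample of CommuniGate Pro SMTP log lines in the shape quoted in
# the thread. Addresses and account names are made up for this example.
SAMPLE_LOG='23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
23:31:52.101 1 SMTPI-002311([202.83.25.95]) failed to open ACCOUNT(sales) for [202.83.25.95]:52290->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:07.330 1 SMTPI-002312([198.51.100.7]) failed to open ACCOUNT(admin) for [198.51.100.7]:41022->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:09.004 1 SMTPI-002313([203.0.113.9]) connection closed (constructed non-failure line, must be ignored)
23:32:40.512 1 SMTPI-002314([203.0.113.9]) failed to open ACCOUNT(info) for [203.0.113.9]:41500->[192.168.1.67]:25. Error Code=account is routed to NULL
23:33:15.777 1 SMTPI-002315([198.51.100.7]) failed to open ACCOUNT(info) for [198.51.100.7]:41030->[192.168.1.67]:25. Error Code=account is routed to NULL'

# Read log lines on stdin and print "count ip" for every client IP that
# produced a "failed to open" line. Field 3 looks like "SMTPI-002310([a.b.c.d])":
# strip everything up to the "[" and everything from the "]" onwards.
# Matching fields 4..6 (not just "failed") avoids picking up other lines whose
# fourth word happens to be "failed". Only dotted-quad IPv4 is kept, so a
# malformed field cannot end up in the blacklist.
failed_ip_counts() {
    awk '$4 == "failed" && $5 == "to" && $6 == "open" {
            ip = $3
            sub(/.*\[/, "", ip)
            sub(/\].*/, "", ip)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) seen[ip]++
        }
        END { for (ip in seen) print seen[ip], ip }' | sort -k2,2
}

# Unique IP list, equivalent to the awk one-liner in the thread (sorted, so
# the output is deterministic; awk's "for (x in arr)" order is not).
failed_ips() {
    failed_ip_counts | awk '{ print $2 }'
}

# Only IPs with at least $1 failures (default 1). Worth using unless you share
# Martin's situation where no legitimate client can ever trip the filter.
repeat_offenders() {
    min=${1:-1}
    failed_ip_counts | awk -v min="$min" '$1 >= min { print $2 }'
}

# Append IPs read on stdin to the file $1, one per line, keeping the file free
# of duplicates so it can be re-run from cron. ASSUMPTION: a plain one-IP-per-
# line file; the real BlackListed.data format is not shown in the thread, and
# on a cluster you would repeat this on every node, as Juergen notes.
merge_blacklist() {
    list=$1
    [ -f "$list" ] || : > "$list"
    tmp=$(mktemp)
    cat "$list" - | awk 'NF && !seen[$1]++' > "$tmp"
    mv "$tmp" "$list"
}

# Usage: pipe the day's log through the functions, e.g.
#   repeat_offenders 2 < /var/CommuniGate/SystemLogs/today.log | merge_blacklist /path/to/list
# The path is illustrative. Run on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_ip_counts
```

Running this on the sample prints `2 198.51.100.7`, `2 202.83.25.95` and `1 203.0.113.9`; `repeat_offenders 2` drops the single-failure host. The dedupe in merge_blacklist is what makes the "once on the list, never removed" policy safe to automate: re-running it only adds new addresses.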