Mailing List CGatePro@mail.stalker.com Message #105673
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: Using AWK on unix flavour to extract log information
Date: Tue, 02 Jun 2015 11:54:22 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v5.3.15
I wish I had the dedication to learn AWK like that.  I would have done something like this:

grep -E 'SMTPI.*failed to open' <LOGFILENAME> | awk -F'[][]' '{print $4}' | sort | uniq -c | sort -rn

The sorting/uniq'ing at the end is optional.  The awk command prints the 4th field as determined by the delimiters defined with the -F flag.  The delimiters are defined by the character class '[][]', which is the characters ']' and '[' listed in the character class container '[...]'.  That is the confusing part.  Each of those square brackets being a delimiter results in the 4th field being the IP address you are looking for.  The sort/uniq commands then allow you to quickly see who the worst offenders are.

--

Jeff Wark
Tbaytel Internet
On Tue, 02 Jun 2015 08:25:42 -0400 Alexander Ryskin <arys@lle.rochester.edu> wrote:
>> awk '$4 == "failed" {sub(/.*\[/,"",$3);sub(/\]./,"",$3);store[$3]=1}END{for (s in store) print s}'
>>
>> Alex
>>
>> On 06/02/2015 07:56 AM, Martin Miller wrote:
>>> I want to extract all Failed to entries to pull the IP so I can deny.
>>>
>>> Why? It's a little server and am tired of the continuous probes, and there is zero chance of legitimates being caught up in the fails.
>>>
>>> Here is a typical log row:
>>>
>>> 23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
>>>
>>> Can anyone suggest an awk statement to parse the above to get 202.83.25.95
>>> Ideally using uniq to return unique list.
>>>
>>> --
>>> MJM

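Jeff's pipeline, run as an added example over a few constructed SMTPI log lines (this is not code from the thread; the `failed_ips` and `ip_list` function names and the sample data are introduced here). It shows that `-F'[][]'` puts the client IP in `$4`, that the `grep` keeps non-failure SMTPI lines out of the count, and what the worst-offender list looks like once `uniq -c` has padded it.

```shell
#!/bin/sh
# Constructed sample of CommuniGate Pro SMTPI log lines (not from a real server).
# The last line mentions SMTPI but is not a "failed to open" record and must be ignored.
SAMPLE_LOG='23:31:51.485 1 SMTPI-002310([202.83.25.95]) failed to open ACCOUNT(corp) for [202.83.25.95]:52281->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:10.112 1 SMTPI-002311([203.0.113.7]) failed to open ACCOUNT(admin) for [203.0.113.7]:41000->[192.168.1.67]:25. Error Code=account is routed to NULL
23:32:44.900 1 SMTPI-002312([202.83.25.95]) failed to open ACCOUNT(sales) for [202.83.25.95]:52290->[192.168.1.67]:25. Error Code=account is routed to NULL
23:33:01.000 1 SMTPI-002313([198.51.100.9]) rcvd from [198.51.100.9]:1234 ok'

# failed_ips: read log lines on stdin and print "count ip", most frequent first.
# Splitting on '[' and ']' with -F'[][]' makes $4 the address inside the
# "for [ip]:port" part of the line ($2 is the same address from SMTPI-nnn([ip])).
# The trailing awk strips the column padding that uniq -c adds.
failed_ips() {
  grep -E 'SMTPI.*failed to open' \
    | awk -F'[][]' '{print $4}' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# ip_list: unique offending IPs only, one per line, ready for a deny list.
ip_list() {
  failed_ips | awk '{print $2}'
}

printf '%s\n' "$SAMPLE_LOG" | failed_ips
```

Replace the `printf` with `cat <LOGFILENAME>` to run it against a real log; `sort -rn` reads the count even with the padding, so the final `awk` is only there to make the output easy to parse.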