
How about trying

    grep "DPT=22 " /var/log/messages.1 > somefile

to see if that works. Alternatively you might try egrep to see if it can handle the \b for a space.

Alex

On Mon, 15 Dec 2003, GDHough wrote:
Please, there must be an easier way...
I am trying to automate my self-induced weekly ADMIN duties. I mull through my logs on Sunday morning after rotation. They have gotten pretty big since the end of August so I sought a means to parse some files for information without having to scroll through 20,000 lines.
One nagging problem for me is with grep. For example, if I:
grep DPT=22 /var/log/messages.1 | cat > somefile
somefile would contain not only DPT=22, but also all 220, 2276, 22344 or any port 22xxx. I tried the symbols \>, \b, \B thinking they would match the emptiness at the end of DPT=22 but they did not work for me. Laugh if you must but my solution to this dilemma was to get DPT=22 by elimination using the invert switch -v like so:
read DIRPATH
mkdir $DIRPATH/DPT
grep DPT=22 $DIRPATH/LOG | cat > $DIRPATH/DPT/A
grep -v DPT=220 $DIRPATH/DPT/A | cat > $DIRPATH/DPT/B
grep -v DPT=221 $DIRPATH/DPT/B | cat > $DIRPATH/DPT/C
grep -v DPT=222 $DIRPATH/DPT/C | cat > $DIRPATH/DPT/D
grep -v DPT=223 $DIRPATH/DPT/D | cat > $DIRPATH/DPT/E
grep -v DPT=224 $DIRPATH/DPT/E | cat > $DIRPATH/DPT/F
grep -v DPT=225 $DIRPATH/DPT/F | cat > $DIRPATH/DPT/G
grep -v DPT=226 $DIRPATH/DPT/G | cat > $DIRPATH/DPT/H
grep -v DPT=227 $DIRPATH/DPT/H | cat > $DIRPATH/DPT/I
grep -v DPT=228 $DIRPATH/DPT/I | cat > $DIRPATH/DPT/J
grep -v DPT=229 $DIRPATH/DPT/J | cat > $DIRPATH/DPT/dp22
echo "DPT=22"
grep -c farm $DIRPATH/DPT/dp22
I search for about 40 ports both source and destination. Most high numbered ports don't require the elimination method like 8080 because 80800 doesn't exist.
After I get the common ports catalogued, I hope to use diff to find what's left-over and flag those lines with same source and destination ports. Can I simplify the above and thus remove much of the sleep in the script?
Shouldn't grep DPT=22\> work? That's what I'm seeing in the man page.
Thanks,
farmer6re9
--
Eating Crow is better with MyCrowSauce
-- The Toronto Linux Users Group. Meetings: http://tlug.ss.org TLUG requests: Linux topics, No HTML, wrap text below 80 columns How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
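Added example, not part of either message above: a one-pass way to review firewall log lines by exact port, comparing whole KEY=VALUE fields with awk so that 22 never matches 220, 2276 or 22344 and a port at the end of a line still counts. The function names (sample_log, exact_port, port_tally, same_ports) and the log lines are constructed for illustration; the field layout is assumed to be the space-separated SPT=/DPT= style the thread greps for.

```shell
#!/bin/sh
# Constructed sample in the SPT=/DPT= log style discussed above; not real data.
# Line 4 ends right after the port (no trailing space).
sample_log() {
cat <<'EOF'
Dec 14 04:02:11 farm kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN
Dec 14 04:02:15 farm kernel: IN=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=40113 DPT=220 WINDOW=5840 SYN
Dec 14 04:03:01 farm kernel: IN=eth0 SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=22 DPT=2276 WINDOW=5840 SYN
Dec 14 04:03:40 farm kernel: IN=eth0 SRC=192.0.2.13 DST=198.51.100.5 PROTO=UDP SPT=5353 DPT=22
Dec 14 04:04:02 farm kernel: IN=eth0 SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=22344 WINDOW=5840 SYN
Dec 14 04:05:19 farm kernel: IN=eth0 SRC=192.0.2.15 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=53 LEN=61
EOF
}

# exact_port KEY PORT: print lines where the whole field equals KEY=PORT.
exact_port() {
    awk -v want="$1=$2" '{ for (i = 1; i <= NF; i++) if ($i == want) { print; next } }'
}

# port_tally KEY: count lines per port for KEY (SPT or DPT), as "port count".
port_tally() {
    awk -v key="$1=" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key) == 1) n[substr($i, length(key) + 1)]++
    }
    END { for (p in n) print p, n[p] }' | sort -n
}

# same_ports: print lines whose source and destination ports are equal.
same_ports() {
    awk '{ s = d = ""
           for (i = 1; i <= NF; i++) {
               if (index($i, "SPT=") == 1) s = substr($i, 5)
               if (index($i, "DPT=") == 1) d = substr($i, 5)
           }
           if (s != "" && s == d) print }'
}

# Demo on the constructed sample: 2 exact hits, where "grep DPT=22" matches 5.
sample_log | exact_port DPT 22
sample_log | port_tally DPT
```

To run it against a real file, feed the file in place of sample_log, for example exact_port DPT 22 < /var/log/messages.1 > somefile.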