[comp.unix.questions] awk pattern matching

mc68020@gilsys.UUCP (Thomas J Keller) (08/05/87)

   I am attempting to write a small awk script which will scan my sulog file
for attempts to su by any but a small list of user names.  I can't seem to get
the thing to work.

   Let's say I want to output any line from the sulog that indicates that a
user other than root, news or me attempted to su.  The format of the sulog
records is:

	SU 08/05 09:30 + tty02 msi-root

    the 6th field (msi-root) is the field I want to match to.  The basic
pattern to be matched would be any of [root, news, me] with an explicit "-"
and then *ANY* string of chars after that.  I have tried:

	$6 !~ /[mnr][ceo][6wo][8st]*\-*/ { printf "%s\n", $0 } 

and:

	$6 !~ /me/ && $6 !~ /root/ && $6 !~ /news/

    with no success.  Naturally, the WONDERFUL error messages from awk are 
of immeasurable assistance in locating the problem.  All awk tells me is that
there is a syntax problem (and the classic skydiving message, of course (-:).

    Please send assistance!  Email would probably be best.  I can summarize to
the net if there is interest.  Thanks in advance.

(oh, yeah; for the record:  I have **READ** every FM (fu***ng manual) I have 
 access to.  All RTFM comments to /dev/null, thank you)

-- 
Tom    : The conservatives always grouse about "Law & Order" when the liberals
Keller : break the law...when the Reagan Admin. does it, it's PATRIOTISM!

UUCP   : {ihnp4,ames,qantel,sun,amdahl,lll-crg,pyramid}!ptsfa!gilsys!mc68020
BITNET : ptsfa!gilsys!mc68020@ames.arpa

mwm@eris.BERKELEY.EDU (Mike (My watch has windows) Meyer) (08/07/87)

In article <1092@gilsys.UUCP> mc68020@gilsys.UUCP (Thomas J Keller) writes:
<   I am attempting to write a small awk script which will scan my sulog file
<for attempts to su by any but a small list of user names.  I can't seem to get
<the thing to work.

You're using the wrong tool. This is clearly a job for sed (sounds of
phone booth being shredded, and a program coming out of its clothes -
or something like that :-).

<   Let's say I want to output any line from the sulog that indicates that a
<user other than root, news or me attempted to su.  The format of the sulog
<records is:
<
<	SU 08/05 09:30 + tty02 msi-root
<
<    the 6th field (msi-root) is the field I want to match to.  The basic
<pattern to be matched would be any of [root, news, me] with an explicit "-"
<and then *ANY* string of chars after that.  I have tried:

How's about:

	sed -e '/root-/d' -e '/news-/d' -e '/me-/d' /usr/adm/sulog

That will almost certainly work, but might delete some lines it
shouldn't if the patterns match one of the first five fields.  If
you're really paranoid about wanting the sixth field, change the
patterns to look like:

	'/.* .* .* .* .* root-/d'

Of course, keeping the list of patterns in a file is probably a win.
Better yet, try a shell script like so:

	#!/bin/sh
	sed 's;.*;/.* .* .* .* .* &-/d;' < /etc/supeople |
		sed -f /dev/stdin /usr/adm/sulog

You may have to do something ugly if you don't have /dev/stdin or similar.

	<mike
--
Must have walked those streets for hours,		Mike Meyer
In the dark and in the cold,				mwm@berkeley.edu
Before I really could accept,				ucbvax!mwm
There's no place called hope road.			mwm@ucbjade.BITNET

avolio@decuac.dec.com (Frederick M. Avolio) (08/07/87)

In article <1092@gilsys.UUCP> mc68020@gilsys.UUCP (Thomas J Keller) writes:

>   I am attempting to write a small awk script which will scan my sulog file
>for attempts to su by any but a small list of user names.  ...

>	SU 08/05 09:30 + tty02 msi-root

>    the 6th field (msi-root) is the field I want to match to.  The basic
>pattern to be matched would be any of [root, news, me] with an explicit "-"
>and then *ANY* string of chars after that.  ...

This seems to work.  This will find entries which have any of
{root,me,news}  followed by a dash followed by any number of characters.

	$6 !~ /((root)|(me)|(news))-.*/ { print $0 }


With this as my data file:

SU 08/05 09:30 + tty02 me-root
SU 08/05 09:30 + tty02 root-root
SU 08/05 09:30 + tty02 msi-root
SU 08/05 09:30 + tty02 news-root
SU 08/05 09:30 + tty02 msi-root

My results:

% awk '$6 !~ /((root)|(me)|(news)).*-.*/ { print $0 } ' jnk 
SU 08/05 09:30 + tty02 msi-root
SU 08/05 09:30 + tty02 msi-root


Good awking!
Fred (bailing out near line 1)

todd@uhccux.UUCP (The Perplexed Wiz) (08/07/87)

In article <1092@gilsys.UUCP> mc68020@gilsys.UUCP (Thomas J Keller) writes:
>
>   I am attempting to write a small awk script which will scan my sulog file
>for attempts to su by any but a small list of user names.  I can't seem to get
>the thing to work.


Have you tried

	egrep -v 'name1|name2|name3' sulog


That seems to be the simplest way to solve your problem.


..todd
-- 
Todd Ogasawara, U. of Hawaii Center for Teaching Excellence
UUCP:		{ihnp4,seismo,ucbvax,dcdwest}!sdcsvax!nosc!uhccux!todd
ARPA:		uhccux!todd@nosc.MIL
INTERNET:	todd@uhccux.UHCC.HAWAII.EDU

chapman@eris.BERKELEY.EDU (Brent Chapman) (08/08/87)

If your list is small, perhaps attacking the problem from the other direction
would work.  For instance, if you were looking for entries other than "root"
and "me", any of the following scripts will work.  You might want to determine
empirically which is best (fastest, whatever).

Script #1:

$6 ~ /^root/	{ next }
$6 ~ /^me/	{ next }
		{ print $0 }
-----
Script #2

$6 ~ /^root|^me/	{ next }
			{ print $0 }
-----
Script #3

$6 !~ /^root|^me/	# No, there is no action here; default is to print
# Yes, that's the whole script.
-----


Hopefully helpfully,

-Brent
--
Brent Chapman				Senior Programmer/Analyst
chapman@mica.berkeley.edu		Capital Market Technology, Inc.
ucbvax!mica!chapman			1995 University Ave., Suite 390
Phone: 415/540-6400			Berkeley, CA  94704

brianc@cognos.uucp (Brian Campbell) (08/13/87)

In article <1092@gilsys.UUCP> mc68020@gilsys.UUCP (Thomas J Keller) writes:
! 
!    Let's say I want to output any line from the sulog that indicates that a
! user other than root, news or me attempted to su.  The format of the sulog
! records is:
! 
! 	SU 08/05 09:30 + tty02 msi-root
! 
!     the 6th field (msi-root) is the field I want to match to.  The basic
! pattern to be matched would be any of [root, news, me] with an explicit "-"
! and then *ANY* string of chars after that.  I have tried:
!
! [ awk script expunged ]

  Unless there is more to your awk script than simply writing out the
offending lines, what's wrong with:
  `egrep -v "root|news|me" /usr/adm/sulog`
-- 
Brian Campbell          uucp: decvax!utzoo!dciem!nrcaer!cognos!brianc
Cognos Incorporated     mail: 3755 Riverside Drive, Ottawa, Ontario, K1G 3N3
(613) 738-1440          fido: sysop@163/8
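Pulling the thread's awk, prefix-match and egrep -v approaches together, an added example that is not any poster's code. It splits the sixth field on its first "-" and compares the caller against an allowlist as an exact string, which is what the anchored regexes were approximating, and runs the unanchored egrep -v beside it on the same constructed sulog lines so the difference is visible. The allowlist and the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from any poster): the awk version of the filter, with
# the sixth field split on its first "-" and the "from" user looked up in an
# allowlist, compared against the unanchored egrep -v from the thread.
# The sulog lines are constructed for the demo.

SULOG=$(mktemp)
cat > "$SULOG" <<'EOF'
SU 08/05 09:30 + tty02 root-news
SU 08/05 09:31 + tty02 me-root
SU 08/05 09:32 - tty03 msi-root
SU 08/05 09:33 + tty03 news-root
SU 08/05 09:34 + tty04 meredith-root
SU 08/05 09:35 + tty05 root-me
EOF

# Print records whose "from" user is not in the space-separated allowlist
# passed as $1. The sixth field is "from-to"; only the part before the first
# dash is the caller, so the check is an exact compare on that part rather
# than a regex over the whole line. "meredith" therefore is not "me", and
# "msi-root" is reported even though it contains "root".
unexpected_su() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 6 {
            from = $6; sub(/-.*/, "", from)   # strip the "-to" suffix
            if (!(from in ok)) print
        }' "$2"
}

# The thread's egrep -v "root|news|me" for comparison: it drops every line
# that merely contains one of the names anywhere, including the "to" side.
unexpected_su_egrep() {
    grep -E -v "$1" "$2"
}

echo "awk, exact compare on the caller:"
unexpected_su "root news me" "$SULOG"
echo "egrep -v, unanchored:"
unexpected_su_egrep "root|news|me" "$SULOG"
```

On this input the awk filter reports the msi-root and meredith-root records; the egrep -v form reports nothing at all, because every line contains "root" or "me" somewhere, so the two records that should have been flagged are silently dropped.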