Home / server / Questions / 682805
Accepted
Amit Dunsky
Asked: 2015-04-16 01:25:39 +0800 CST

How to extract IP addresses from log?

  • 772

I'd like to gather information from UFW service, for further analysis.

A typical UFW log entry looks like the following:

[UFW BLOCK] IN=eth0 OUT= MAC=99:99:99:99:99:99:99:XX:XX:XX:XX:99:99:99 SRC=99.999.999.999 DST=999.99.99.9 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=56338 DPT=5800 WINDOW=65535 RES=0x00 SYN URGP=0

How can I extract SRC and DST ip addresses from the log?

Thank you!

ubuntu-14.04

1 Answers

  1. Best Answer

    The following should be sufficient. Note that I have used Extended Regular Expressions, which makes things a little more readable. To really understand this, you need to learn about regular expressions, and also sed.

    sed -rn -e 's,.* SRC=([0-9.]+) DST=([0-9.]+) .*,\1 \2,p'

    You can also do this with grep. Again, I'll use Extended Regular Expressions, which are meant to be the 'preferred' type over the older 'basic' regular expressions. Here I'm using -o to have grep only print out the part that matches.

    grep -Eo 'SRC=[0-9.]+ DST=[0-9.]+'

    You could improve on that to require a word-boundary before the SRC; I think you can put a \b before the SRC to accomplish that, but it generally won't be necessary.

    Cheers, Cameron

    • 2