I would like to parse mail log files, which originally look like this:
2018-10-23 23:27:51,026 INFO [ImapServer-4] [ip=10.10.11.50;oip=168.232.24.2;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127325;] imap - authentication failed for [[email protected]] (invalid password)
for the keywords "invalid password" or "authentication failed".
The goal is to sort them either by "OIP" (original IP) or by user MAIL account, to see in the first case the attacking IP, and in the second case which user account is under attack.
Those should be 2 command lines (I will incorporate them into my bash script for easier administration of mail servers).
What I came to is this:
cat /opt/zimbra/log/mailbox.log | grep "invalid password" | awk -F " " '{print $1 $2 $5 $11 }'
...but I am stuck there. I do not know how to double-parse the attacker IP from "oid=" and run "uniq" and "sort" on the results. I am trying to get results like this:
Case 1 - display attacking IPs, sorted by number of invalid logins:
37 1.2.3.4
16 3.4.5.6
8 6.7.8.9
Case 2 - display attacked MAIL accounts, sorted by number of invalid logins:
128 [email protected]
37 [email protected]
6 [email protected]
I will then manually run my one-liner (above) to analyze deeper, but for the overview can you help me with awk, cut or sed commands, please?
Using space or semicolon as the field separator, you can do
Or perl
Use either one of those, then
sort | uniq -c
the output
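The two commands described in the answer, written out as an added example (this is not the answerer's own code): one shell function per case, each scanning the bracketed key=value block for the "oip=" entry (falling back to "ip=" when no proxy address is recorded) or pulling the account out of "for [...]", then feeding the values through sort | uniq -c | sort -rn. The log lines below are constructed to match the layout quoted in the question, with example addresses instead of real ones; the /opt/zimbra/log/mailbox.log path is the one from the question.

```shell
#!/bin/sh
# Added example, not from the original post: count failed IMAP logins in a
# Zimbra-style mailbox.log by originating IP and by attacked account.

# Constructed sample lines in the same layout as the one quoted in the question.
# The last line is a successful login and must not be counted.
SAMPLE_LOG='2018-10-23 23:27:51,026 INFO [ImapServer-4] [ip=10.10.11.50;oip=192.0.2.10;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127325;] imap - authentication failed for [alice@example.com] (invalid password)
2018-10-23 23:28:02,113 INFO [ImapServer-4] [ip=10.10.11.50;oip=192.0.2.10;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127326;] imap - authentication failed for [bob@example.com] (invalid password)
2018-10-23 23:28:15,770 INFO [ImapServer-4] [ip=10.10.11.50;oip=198.51.100.7;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127327;] imap - authentication failed for [alice@example.com] (invalid password)
2018-10-23 23:28:20,001 INFO [ImapServer-4] [ip=10.10.11.50;oip=192.0.2.10;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127328;] imap - authentication failed for [alice@example.com] (invalid password)
2018-10-23 23:29:00,500 INFO [ImapServer-4] [ip=10.10.11.50;oip=192.0.2.10;via=10.10.11.50(nginx/1.7.1);ua=Zimbra/8.8.7_GA_1964;cid=127329;] imap - authentication successful for [carol@example.com]'

# Keep only failed-login lines; both keywords from the question are accepted.
failed_logins() {
    grep -E 'invalid password|authentication failed'
}

# Collapse identical values into "count value" lines, most frequent first.
# The trailing awk strips the padding that uniq -c adds to the count.
count_sorted() {
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Case 1: attacking IPs. Reads the log on stdin.
# The "[ip=...;oip=...;...]" field is located by its prefix rather than by
# position, and split on ";" so the key=value pairs can be inspected by name.
# oip is the client address seen by the proxy; ip alone is the proxy itself,
# so ip is only used when no oip entry exists (direct connection).
count_by_oip() {
    failed_logins | awk '
    {
        oip = ""; ip = ""
        for (f = 1; f <= NF; f++) {
            if (index($f, "[ip=") != 1) continue
            n = split($f, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "oip=") == 1) oip = substr(kv[i], 5)
                else if (index(kv[i], "[ip=") == 1) ip = substr(kv[i], 5)
            }
        }
        if (oip != "") print oip
        else if (ip != "") print ip
    }' | count_sorted
}

# Case 2: attacked accounts. Reads the log on stdin.
# The account is the bracketed token after "for"; match() gives its offset
# and length, and substr() trims "for [" in front and "]" behind.
count_by_account() {
    failed_logins | awk '
    match($0, /for \[[^]]*\]/) {
        print substr($0, RSTART + 5, RLENGTH - 6)
    }' | count_sorted
}

# Run against the constructed sample. For the real log, replace the printf
# with e.g.:  count_by_oip < /opt/zimbra/log/mailbox.log
echo "Case 1 - attacking IPs:"
printf '%s\n' "$SAMPLE_LOG" | count_by_oip
echo "Case 2 - attacked accounts:"
printf '%s\n' "$SAMPLE_LOG" | count_by_account
```

Both functions read from standard input, so they drop straight into the existing pipeline in place of the "awk -F ' '" step. Because the key=value pairs are looked up by name rather than by field number, the commands keep working when Zimbra adds or omits entries in the bracketed block, which is what breaks fixed "$11"-style extraction.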