# Split on any of / ( ) " or space (a multi-character FS is an ERE) and
# print the first three fields joined by single spaces (the default OFS).
awk -F '[/()" ]' '{ print $1, $2, $3 }' data.txt
# Hand awk a single quote through a variable so the program text needs no
# quoting trick.  Output: value is'<field 2>'  (no space after "is").
awk -v "q='" '{ printf "value is%s%s%s\n", q, $2, q }' inputfile
or
# Same output using a hex escape: \x27 is a single quote inside an awk string.
awk '{ printf "value is \x27%s\x27\n", $2 }' inputfile
or
# Same output by closing the single-quoted awk program, inserting a
# shell-escaped quote ('\'') and reopening it.  The comma after "value is"
# inserts OFS, i.e. one space.
awk '{ q = "'\''"; print "value is", q $2 q }' input.txt
http://bashshell.net/utilities/using-variables-with-awk
# Count the address inside <...> on "whitelisted" maillog lines that mention
# "brown" in any case; tolower($0) ~ /brown/ replaces the grep -i pre-filter.
awk -F '[<>]' 'tolower($0) ~ /brown/ && /whitelisted/ { print $4 }' /var/log/maillog \
  | sort | uniq -c
# Last 100 access_log entries answered with 200 or 206: path, status, size.
# Splitting on space-or-quote puts the request path in $8, the status in $11
# and the response size in $12 for a common/combined log format line.
tail -n 100 /var/log/httpd/access_log \
  | awk -F '[ "]' '$11 ~ /20[06]/ { print $8, $11, $12 }'
# Same, with the total bytes served (as MB) printed at the end.
tail -n 100 /var/log/httpd/access_log \
  | awk -F '[ "]' '$11 ~ /20[06]/ { print $8, $11, $12; bytes += $12 }
                   END { print bytes/1024/1024 "MB" }'
http://www.unix.com/shell-programming-scripting/65529-using-uniq-awk.html
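# Requests per path that returned status 200, fewest first (awk reads the
# file itself instead of being fed by cat).
awk -F '[ "]' '$11 ~ /200/ { hits[$8]++ } END { for (p in hits) print hits[p], p }' \
  /var/log/httpd/access_log | sort -n
# Live view of the last ten UDP firewall DROPs minus the usual noise: source
# 0.0.0.0 (typically DHCP discovers), the 128.173.x.x source range
# (presumably the site's own addresses) and ports 137 (NetBIOS), 67 (DHCP)
# and 17500 (Dropbox LAN sync).  One awk replaces the seven chained greps;
# the dots are matched literally, and the port numbers are terminated with
# [^0-9] so that excluding DPT=67 no longer also hides DPT=670 or DPT=6789.
# That assumes another field follows DPT= (LEN= or WINDOW= on iptables LOG
# lines) -- verify against your log format.
watch 'awk "/DROPPED/ && /UDP/ && !/0[.]0[.]0[.]0/ && !/SRC=128[.]173/ && !/DPT=(137|67|17500)[^0-9]/" /var/log/messages | tail'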
Pick a UDP port that is being hit (e.g. 56846) and place a sniffer on that port:
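# Capture everything on the chosen port to a file, then read the file back.
# The note had both commands on one line, which made the second "tcpdump"
# and its options part of the first one's capture filter expression.
tcpdump -i eth1 -vnn -s0 -X port 56846 -w port56846
tcpdump -nn -v -s0 -X -r port56846 | less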
collect the addresses from the logs:
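# Append field 14 of every message mentioning the port, splitting on spaces
# and "=" (presumably the SRC= address of an iptables LOG line -- verify
# against your format).  /56846/ is unanchored, so the number is also
# matched in other fields (SPT=, ID=, ...).
awk -F '[ =]' '/56846/ { print $14 }' /var/log/messages >> athena-udp-src
# Unique sources hitting DPT=17500 on June 21, each followed by its DNS
# lookup.  read -r and quoting keep odd log content from being mangled or
# globbed.  "sort -n | uniq" is kept rather than "sort -nu": -u with -n
# compares only the leading number and would merge distinct addresses that
# share a first octet.  The PTR lookups go to name servers run by whoever
# owns those addresses.
awk -F '[ =]' '/DPT=17500/ && /^Jun 21/ { print $14 }' /var/log/messages \
  | sort -n | uniq \
  | while IFS= read -r src; do
      printf '%s  ' "$src"
      host "$src"
    done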
Be sure to change the date from Jun 21 to your desired date
# FIREWALL lines for DHCP (DPT=67) with source 0.0.0.0: colon-separated
# fields 10-15 re-joined with colons, counted and ordered by count.
# The dots in /SRC=0.0.0.0/ are regex wildcards, as in the original.
awk -F: '/FIREWALL/ && /DPT=67/ && /SRC=0.0.0.0/ {
           out = $10
           for (i = 11; i <= 15; i++) out = out ":" $i
           print out
         }' /var/log/messages | sort | uniq -c | sort -n
# Only the lvdisplay lines worth reading: LV name and size, VG, device.
lvdisplay | awk '/LV Name|LV Size|VG Name|Block device/'
on one line:
# One line per LV: name and size.  Relies on lvdisplay printing "LV Name"
# before "LV Size" for each volume, so the most recent name owns the size.
lvdisplay | awk '
  /LV Name/ { lv = $3 }
  /LV Size/ { size[lv] = $3 }
  END       { for (lv in size) print lv, size[lv] }
'
Add on the mountpoint found in /etc/fstab
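# lvdisplay output followed by /etc/fstab in one awk pass: record VG, size
# (number and unit) and device per LV, then take the mount point from the
# ext3 fstab lines whose device field is an LV name.  "$1 in size" looks the
# device up directly instead of scanning every LV for every fstab line; the
# output is unchanged.  This only pairs up where the "LV Name" string is the
# same one fstab uses (older LVM prints the full /dev/vg/lv path there,
# newer LVM puts that under "LV Path") -- verify on the host.
lvdisplay | cat - /etc/fstab | awk '
  /LV Name/      { name = $3 }
  /VG Name/      { vg[name] = $3 }
  /LV Size/      { size[name] = $3 $4 }
  /Block device/ { dev[name] = $3 }
  /ext3/ && ($1 in size) { mount[$1] = $2 }
  END { for (lv in size) print vg[lv], size[lv], dev[lv], lv, mount[lv] }
' | sort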
format for the wiki (for non-mapper version of /etc/fstab names and ext3)
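# Same join as above, formatted as wiki table rows.  "$1 in size" replaces
# the per-line loop over all LVs (same result); the row is built with printf
# instead of a chain of concatenations.  Pairing again depends on "LV Name"
# being the string fstab uses -- verify on the host.
lvdisplay | cat - /etc/fstab | awk '
  /LV Name/      { name = $3 }
  /VG Name/      { vg[name] = $3 }
  /LV Size/      { size[name] = $3 $4 }
  /Block device/ { dev[name] = $3 }
  /ext3/ && ($1 in size) { mount[$1] = $2 }
  END {
    for (lv in size)
      printf "| | |%s| |%s|%s|%s|%s|\n", vg[lv], size[lv], dev[lv], lv, mount[lv]
  }
' | sort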
[root@alexandria ~]# cat linkPartitions.awk
# linkPartitions.awk -- print "ln -s" commands from "/"-separated input.
# With FS="/" the fields are path components: $3 and $6 name the two home
# areas and $4 the user's directory (input format inferred from the field
# numbers -- verify).  Note substr($4, 0, length($4) - 1) drops the LAST TWO
# characters of $4, not one: awk clamps a start position of 0 to 1 but
# keeps the length.  Kept as written since the input is not shown.
BEGIN {
  FS = "/"
}
{
  stem = substr($4, 0, length($4) - 1)
  printf "ln -s /home/%s/%s/ /home/%s/%s\n", $6, stem, $3, stem
}
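# /etc/hosts entries in 128.* whose short name differs from the first label
# of the FQDN, splitting on dots and spaces (for lines of the form
# "a.b.c.d fqdn short", $5 is the first FQDN label and $9 the short name).
# FS is given up front with -F: assigning FS inside the action, as the
# original did, only takes effect for records read afterwards, so the first
# matching line was still split on whitespace.
awk -F '[. ]' '/^128/ && $5 != $9 { print $5, $9 }' /etc/hosts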
Run this from a machine using sssd with ldap (like montgolfier) instead of nis because nis does not give the full name.
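# Usernames and full names (GECOS) of one group's members, resolved through
# NSS so sssd/ldap supplies the full name.  "getent group NAME" replaces the
# grep over the whole group list (which also matched the name elsewhere on a
# line), and the member list is read into an array instead of relying on
# unquoted word-splitting of a backtick expansion.  An empty member list is
# skipped: "getent passwd" with no arguments would list every account.
IFS=, read -r -a members < <(getent group grad-lab7-clipper | cut -d: -f4)
if (( ${#members[@]} > 0 )); then
  getent passwd "${members[@]}" | awk -F: '{ print $1, $5 }' | sort -n
fi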
http://www.theunixschool.com/2012/05/awk-join-or-merge-lines-on-finding.html
partial solution:
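# Partial: one "name,os,version,servicepack" line per AD computer using the
# whitespace-split second word of each attribute line, so multi-word values
# such as "Windows 7 Professional" are cut to their first word -- hence
# "partial".  The two awks are merged: lines that are neither name: nor
# operating* are skipped with next, the rest is the original join logic.
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b 'dc=aoe,dc=vt,dc=edu' \
  "(objectclass=Computer)" name operatingSystem operatingSystemVersion operatingSystemServicePack \
  | awk '!/name:/ && !/operating/ { next }
         /name:/ { if (x) print x; x = "" }
         { x = (!x) ? $2 : x "," $2 }
         END { print x }'
# "IP name" per resolvable computer.  read -r plus quoting keeps names from
# being word-split or globbed, and -t A asks only for address records (the
# "has address" filter already dropped AAAA/MX lines).  After the prefix the
# host line reads "name fqdn has address IP", so $5 is the address.
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b 'dc=aoe,dc=vt,dc=edu' \
  "(objectclass=Computer)" name operatingSystem operatingSystemVersion operatingSystemServicePack \
  | awk '/name:/ { print $2 }' \
  | while IFS= read -r name; do
      printf '%s  ' "$name"
      host -t A "$name"
    done | grep 'has address' | sort -n | awk '{ print $5, $1 }'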
complete solution:
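# Complete: "IP,name,os,version,servicepack" per computer.  Changes from the
# original: the attribute lines are split on ": " from the start (-F) rather
# than by assigning FS mid-stream, which only applied from the next record on
# and left a stray leading space on every later value; the hostname is taken
# with a parameter expansion and quoted all the way to host; read -r is used.
# host output "X has address IP" gives $4; "Host X not found: ..." has $3 ==
# "not" and prints "none"; any other host line still prints its 4th word.
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b 'dc=aoe,dc=vt,dc=edu' \
  "(objectclass=Computer)" name operatingSystem operatingSystemVersion operatingSystemServicePack \
  | awk -F ': ' '!/name:/ && !/operating/ { next }
                 /^name/ { if (x) print x; x = "" }
                 { x = (!x) ? $2 : x "," $2 }
                 END { print x }' \
  | while IFS= read -r line; do
      name=${line%%,*}
      host "$name" | awk '{ if ($3 == "not") printf "%s,", "none"; else printf "%s,", $4 }'
      printf '%s\n' "$line"
    done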
Complete solution with lastLogonTimestamp
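# As above plus lastLogonTimestamp, one output line per A record, written to
# dns_computers.txt.  Same fixes: -F ': ' from the start instead of switching
# FS mid-stream (no stray leading spaces), quoted read -r loops, and the
# hostname taken with ${line%%,*}.  For each host answer: "none," when $3 is
# "not" (name not found), otherwise "$4," -- then the LDAP line.
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b 'dc=aoe,dc=vt,dc=edu' \
  "(objectclass=Computer)" name operatingSystem operatingSystemVersion operatingSystemServicePack lastLogonTimestamp \
  | awk -F ': ' '!/name:/ && !/operating/ && !/Logon/ { next }
                 /^name/ { if (x) print x; x = "" }
                 { x = (!x) ? $2 : x "," $2 }
                 END { print x }' \
  | sort -n \
  | while IFS= read -r line; do
      name=${line%%,*}
      host -t A "$name" | while IFS= read -r answer; do
        printf '%s' "$answer" | awk '{ if ($3 == "not") printf "%s,", "none"; else printf "%s,", $4 }'
        printf '%s\n' "$line"
      done
    done > dns_computers.txt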
To convert the timestamp in excel:
F2=lastLogonTimestamp
http://myserverstuff.blogspot.com/2009/03/csvde-to-excel-human-readable-lastlogon.html
=IF(F2>0,F2/(8.64*10^11) - 109205,"")
To convert the timestamp in Linux (gives UTC):
http://meinit.nl/convert-active-directory-lastlogon-time-to-unix-readable-time
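# AD lastLogonTimestamp counts 100-ns intervals since 1601-01-01: divide by
# 10^7 for seconds and subtract the 1601->1970 offset (11644473600 s) to get
# Unix time.  The original set the variable but then repeated the literal in
# the arithmetic; here the variable is used.  -u prints the result in UTC
# whatever the local TZ (the "1970-01-01 N sec GMT" form printed local time).
# GNU date: -d @SECONDS.
lastLogonTimestamp=130002228839738710
date -u -d "@$(( lastLogonTimestamp / 10000000 - 11644473600 ))"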
Windows tips:
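# Inventory of the hosts named by the entries in the current directory:
# "IP,host,redhat-release,kernel" per line.  A glob replaces parsing ls, and
# every expansion is quoted so a name is never word-split or globbed.
# BatchMode=yes makes ssh fail instead of waiting for a password or host-key
# answer inside a loop whose stderr is discarded.  Several A records are
# joined with spaces, as the unquoted echo did.  stderr is dropped on
# purpose, as in the original.
for name in *; do
  [[ -e "$name" ]] || continue
  ip=$(host -t A "$name" | cut -d ' ' -f 4 | paste -sd ' ')
  release=$(ssh -o ConnectTimeout=2 -o BatchMode=yes "$name" 'cat /etc/redhat-release' < /dev/null)
  kernel=$(ssh -o ConnectTimeout=2 -o BatchMode=yes "$name" 'uname -r' < /dev/null)
  printf '%s,%s,%s,%s\n' "$ip" "$name" "$release" "$kernel"
done 2> /dev/null > ~/sandbox/dns_computers_linux.txt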
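# Full names (GECOS) of the users who checked out Tecplot licences: the
# user half of the "user@host" token in field 8 of OUT lines (verify against
# the log), one lookup per distinct user.  getent passwd "$user" looks the
# account up by name; the original used the name as an unanchored regex over
# every passwd line, so "bob" also matched "bobby" and any GECOS or home
# directory containing it.  Unknown users now print nothing rather than a
# blank line, and the log is piped straight from ssh instead of via echo.
ssh licenseserver2 'cat /opt/tecplot/rlm/teclmd.log' \
  | awk '/OUT/ { print $8 }' \
  | cut -d @ -f 1 \
  | sort -u \
  | while IFS= read -r user; do getent passwd "$user"; done \
  | awk -F: '{ print $5 }'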
# Flatten a FlexLM-style licence file into sorted "col2 col4 col6 col8 col9
# col11" rows: join backslash-CRLF continuations, drop FEATURE/VENDOR lines
# and lines starting with #, SERVER or USE, strip CRs, skip blank lines,
# remove tabs, then pick the columns.  The five greps are one grep -E and the
# CR-strip / blank-line / tab / column steps are one awk, in the same order.
perl -pe 's/\\\r\n//' License43b-Combined.dat.stripped \
  | grep -Ev 'FEATURE|VENDOR|^(#|SERVER|USE)' \
  | awk '{ sub("\r$", "") }
         $0 == "" { next }
         { gsub("\t", ""); print $2, $4, $6, $8, $9, $11 }' \
  | column -t | sort > licensesort
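# Link every non-root user directory on the numbered volumes into the
# collecting directory (/home/grad/<user> -> /home/grad1/<user>, ...).
# The note ran "cd ... find ..." on one line, which bash's cd rejects as
# too many arguments, and built "path name" pairs for xargs, which splits
# on spaces.  -exec hands each path to ln intact; with "." as the last
# argument ln names the link after the path's final component, as before.
cd /home/grad \
  && find /home/grad[1-5] -maxdepth 1 -mindepth 1 -type d ! -user root -exec ln -s -- {} . \;
cd /home/facultystaff \
  && find /home/facultystaff[1-4] -maxdepth 1 -mindepth 1 -type d ! -user root -exec ln -s -- {} . \;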
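# Sum of column 5 (the hard block limit, presumably) over the repquota lines
# starting with "#" on facultystaff1, in GB.  int() in awk's END replaces
# the read + $(( )) step and fixes the no-match case: an unset qsum printed
# an empty string, which made "$(( / 1024 / 1024 ))" a syntax error; int()
# of an unset sum is 0.
repquota /home/facultystaff1 | awk '/^#/ { qsum += $5 } END { print int(qsum / 1024 / 1024) }'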
usernames tried from CCDFS1
# Account names (field 10 of the ": "-separated OSSEC archive line) from
# every event mentioning CCDFS1.  index() does a literal substring match.
awk -F ': ' 'index($0, "CCDFS1") { print $10 }' ossec-archive-01.log
usernames tried from CCDFS1 with FAILURE in entry
# Same, restricted to lines that also contain FAILURE.
awk -F ': ' 'index($0, "CCDFS1") && index($0, "FAILURE") { print $10 }' ossec-archive-01.log
unique usernames with count tried from CCDFS1 with FAILURE in entry
# Same, de-duplicated with a count per name, rarest first.
awk -F ': ' 'index($0, "CCDFS1") && index($0, "FAILURE") { print $10 }' ossec-archive-01.log \
  | sort | uniq -c | sort -n
…more specific
# Field 12 (the error code, per the next note) of CCDFS1 audit failures
# with event 4776 (credential validation), counted per value.
awk -F ': ' 'index($0, "CCDFS1") && index($0, "AUDIT_FAILURE(4776)") { print $12 }' ossec-archive-01.log \
  | sort | uniq -c
…now only if the error code equals 0xc000006a
# Account names behind CCDFS1 event-4776 failures whose error code is
# 0xc000006a, counted per name.
awk -F ': ' -v code=0xc000006a \
    'index($0, "CCDFS1") && index($0, "AUDIT_FAILURE(4776)") && $12 == code { print $10 }' \
    ossec-archive-01.log | sort | uniq -c
failures not from CCDFS1
# Whole event-4776 failure lines that do NOT come from CCDFS1 (a matching
# pattern with no action prints the record).
awk -F ': ' '!/CCDFS1/ && /AUDIT_FAILURE\(4776\)/' ossec-archive-01.log
logons (4776) non domain or non Kerberos
# Event-4776 logons not involving CCDFS1: fields 3, 7 and 10-12, counted.
awk -F ': ' '!index($0, "CCDFS1") && index($0, "(4776)") { print $3, $7, $10, $11, $12 }' \
    ossec-archive-01.log | sort | uniq -c | sort -n
Failed Kerberos
# Kerberos pre-authentication failures (event 4771): fields 7 and 10-15,
# counted and sorted.
awk -F ': ' 'index($0, "(4771)") { print $7, $10, $11, $12, $13, $14, $15 }' \
    /var/ossec/logs/archives/2013/Dec/ossec-archive-02.log | sort | uniq -c | sort
Remote Logins
# Successful logons (event 4624) of logon type 10 (RemoteInteractive, i.e.
# RDP/Terminal Services).  The type string is passed in with -v; field 5 and
# field 7 are the values the notes use for account and source.
awk -F ': ' -v kind=' 10 New Logon' '/\(4624\)/ && $14 == kind { print $5 }' \
    /var/ossec/logs/archives/2013/Dec/ossec-archive-03.log | sort | uniq -c
awk -F ': ' -v kind=' 10 New Logon' '/\(4624\)/ && $14 == kind { print $5, $7 }' \
    /var/ossec/logs/archives/2013/Dec/ossec-archive-04.log | sort | uniq -c | sort -n
awk -F ': ' -v kind=' 10 New Logon' '/\(4624\)/ && $14 == kind { print $1, $5, $7 }' \
    /var/ossec/logs/archives/2013/Dec/ossec-archive-04.log
local logins
# Logon type 2 (Interactive, at the console) from a plain and a gzipped
# archive; timestamp, field 5 and field 7.
awk -F ': ' -v kind=' 2 New Logon' '/\(4624\)/ && $14 == kind { print $1, $5, $7 }' \
    /var/ossec/logs/archives/2013/Dec/ossec-archive-06.log
zcat /var/ossec/logs/archives/2013/Dec/ossec-archive-05.log.gz \
  | awk -F ': ' -v kind=' 2 New Logon' '/\(4624\)/ && $14 == kind { print $1, $5, $7 }'
Login types
# Distribution of logon types (field 14) over all event-4624 records.
awk -F ': ' 'index($0, "(4624)") { print $14 }' /var/ossec/logs/archives/2013/Dec/ossec-archive-03.log \
  | sort | uniq -c
Login types:
Logon Type Description 2 Interactive (logon at keyboard and screen of system) 3 Network (i.e. connection to shared folder on this computer from elsewhere on network) 4 Batch (i.e. scheduled task) 5 Service (Service startup) 7 Unlock (i.e. unattended workstation with password protected screen saver) 8 NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information. 9 NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648. 10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) 11 CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)
ipSec probes:
# IPsec audit failures (event 4963) across all gzipped archives: field 9 up
# to its first space (sub() does what cut -d ' ' -f 1 did), counted per value.
zcat *.log.gz \
  | awk -F ': ' '/AUDIT_FAILURE\(4963\)/ { sub(/ .*/, "", $9); print $9 }' \
  | sort -n | uniq -c
or
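# Same for one archive, with each distinct value resolved through host.
# awk reads the file itself, the first-word cut is done in awk, and a
# quoted read -r loop replaces xargs (which also re-interprets quotes and
# blanks in its input).  The lookups query DNS run by the address owners.
awk -F ': ' '/AUDIT_FAILURE\(4963\)/ { sub(/ .*/, "", $9); print $9 }' ossec-archive-12.log \
  | sort -n | uniq \
  | while IFS= read -r addr; do host "$addr"; done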
Return dropped addresses in courier's iptables config file
# DROP rules with an explicit source (-s) in the iptables config, skipping
# LOG rules.  The original's awk set a field separator it never used; the
# three filters are just patterns here.
awk '/DROP/ && !/LOG/ && /-s/' /etc/sysconfig/iptables
awk "greps" for lines containing -s, which skips the "-j DROP" policy line at the end of the config file.
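# Filesystem usage for each entry in the current directory: a blank line,
# the name and two spaces, then the df line(s).  A glob replaces parsing
# ls, printf replaces echo -n, and the name is quoted so spaces and glob
# characters in it are preserved; "--" stops df from reading a name that
# starts with "-" as an option.
for entry in *; do
  [[ -e "$entry" ]] || continue
  printf '\n%s  ' "$entry"
  df -Ph -- "$entry"
done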
# Special-privilege logons (event 4672, any case) whose Logon ID is not 0x0:
# first word of field 13, counted, then only the values containing "bad".
# zcat + one awk replaces zgrep, grep -v and the two awks; split() with the
# default separator mirrors awk '{print $1}' on that field.
zcat ossec-archive-24.log.gz \
  | awk -F ': ' 'tolower($0) ~ /audit_success\(4672\)/ && !/Logon ID:[[:space:]]*0x0/ {
                   split($13, w); print w[1]
                 }' \
  | sort -n | uniq -c | grep bad
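# Per-user quota summary for the facultystaff volumes: used GB, hard-limit
# GB, percent used and user, largest users first.  One awk condition
# replaces the seven greps (lines starting with -, User, root, Block, *, a
# space, or empty) and one awk does the compute-and-format pass the
# original split over two.  The percent sign is written %% because a bare
# "%\t" is not a valid printf conversion (gawk appears to pass it through
# with a lint warning; other awks may not).  repquota columns: $1 user,
# $3 blocks used, $5 hard limit.
# First form: the ratio $3/$5 is a fraction, so its "%" column shows 0.9
# for 90% -- the second form corrects that.
repquota /export/facultystaff[1-4] \
  | awk '!/^(-|User|root|Block|\*| |$)/ {
           used = $3 / 1024 / 1024; hard = $5 / 1024 / 1024
           pct  = ($5 + 0 != 0) ? $3 / $5 : 0
           printf "%4.1f\t%4.1f\t%3.1f%%\t%s\n", used, hard, pct, $1
         }' \
  | sort -nr \
  | awk '{ print $4, "\t" $1, "\t" $2, "\t" $3 }' \
  | column -t
# Second form: 100 * $3/$5 is a real percentage; tab-separated, no column -t.
repquota /export/facultystaff[1-4] \
  | awk '!/^(-|User|root|Block|\*| |$)/ {
           used = $3 / 1024 / 1024; hard = $5 / 1024 / 1024
           pct  = ($5 + 0 != 0) ? 100 * ($3 / $5) : 0
           printf "%4.1f\t%4.1f\t%3.1f%%\t%s\n", used, hard, pct, $1
         }' \
  | sort -nr \
  | awk '{ print $4 "\t" $1 "\t" $2 "\t" $3 }'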
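# Build /etc/projid ("name:id") from /etc/projects ("id:/path/to/name"):
# skip blank and comment lines, split on / or :, and print the last path
# component followed by the id.  The separator is quoted so the shell
# cannot expand [/:] as a glob against a file named "-F:" in the current
# directory.  ">>" appends -- running this twice duplicates every entry.
awk -F '[/:]' '!/^($|[[:space:]]*#)/ { print $NF ":" $1 }' /etc/projects >> /etc/projid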
This ignores comments and blank lines, separates the fields with either / or : and reorders the output
# File extensions of objects that "increased in size during compression" in
# the Tivoli error log: take the message from word 9 on, strip (...) groups,
# keep "parent-basename", drop names without a dot, print what follows the
# last dot, unique.  grep reads the file itself (no cat) and the literal
# patterns use -F; sort -u is sort | uniq.
grep -F 'Object increased in size during compression' tivoli-errors \
  | cut -d ' ' -f 9- \
  | sed 's/[(][^)]*)//g' \
  | awk -F / '{ print $(NF-1) "-" $NF }' \
  | grep -F . \
  | awk -F . '{ print $NF }' \
  | sort -u
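# Long listing of the ten files under . with the newest status-change time
# (%C@).  NUL-terminated records replace wrapping each name in double
# quotes for xargs, which broke on names containing quotes, backslashes or
# newlines.  The -z/-0 modes of sort, head, cut and xargs are GNU
# extensions, as find -printf already is.
find . -type f -printf '%C@\t%p\0' \
  | sort -z -rn \
  | head -z -n 10 \
  | cut -z -f 2- \
  | xargs -0 -n 1 ls -Fla --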
-atime/-ctime/-mtime select on a file's last "access time", "file status change" and "modification time", measured in days or minutes. The time interval given to -ctime, -mtime and -atime is an integer with an optional sign.
Examples:
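# -mtime takes a whole-day count: N means exactly N days ago (fractions of a
# day are dropped), -N less than N days ago, +N more than N days ago.
# $HOME is quoted, and the name patterns use plain ASCII single quotes: the
# curly quotes in the original were passed to find as part of the pattern,
# so those three examples matched nothing.
find "$HOME" -mtime 0        # modified within the last 24 hours
find "$HOME" -mtime -7       # modified within the last week
find "$HOME" -mtime +365     # not modified for more than a year
find . -mtime -7 -name '*.html' -print
find . -mtime 7 -name '*.html' -print
find . -mtime +7 -name '*.html' -print
# Modified on 2013-03-26: newer than the start of the 26th but not newer
# than the start of the 27th.  -newermt is a GNU find extension.
find . -newermt 2013-03-26 ! -newermt 2013-03-27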