Tuesday, March 25, 2014

Twenty years in this field and never knew awk was so great...

I needed to find lines that look like this:

Mar 25 06:38:58 192.268.29.141 syslog_smtp: Info: New SMTP ICID 447042464 interface public (192.268.29.141) address 157.56.110.254 reverse dns host mail-bn1un0254.outbound.protection.outlook.com verified yes
Mar 25 06:38:58 192.268.29.141 syslog_smtp: Info: ICID 447042464 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.5
Basically I need to match anything that belongs to outbound.protection.outlook.com and grab the ICID number. Then continue to look through the log file to find another line with the same ICID and BLACKLIST. If both are found, print both lines.


You can accomplish this with this awk script:


# Remember the most recent "New SMTP" line from the domain of interest;
# on that line $10 is the ICID. The dots are escaped so they match literally.
/outbound\.protection\.outlook\.com/ {
  icid = $10
  lastline = $0
}
# On the policy line $8 is the ICID and $11 the sender group. Compare the ICID
# with == rather than ~: a regex match would also fire on a partial ICID, and
# an empty icid (before the first match) would match every line.
(icid != "" && $8 == icid && $11 == "BLACKLIST") {
  printf "First line: %s\n", lastline
  printf "Next line: %s\n", $0
  print ""
}

Running it yields:

jemurray@syslog:~$ cat /var/log/ironport.log.1 | awk -f ./blacklist.awk

First line: Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446816558 interface public (192.168.29.141) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: ICID 446816558 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462989143 interface public (192.168.29.10) address 207.46.100.250 reverse dns host mail-by2hn0250.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: ICID 462989143 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446817160 interface public (192.168.29.141) address 207.46.100.246 reverse dns host mail-by2hn0246.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: ICID 446817160 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
First line: Mar 24 06:47:31 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462989826 interface public (192.168.29.10) address 207.46.100.247 reverse dns host mail-by2hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:47:31 192.168.29.10 syslog_smtp: Info: ICID 462989826 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.5
First line: Mar 24 06:52:10 192.168.29.141 syslog_smtp: Info: New SMTP ICID 446817705 interface public (192.168.29.141) address 157.56.112.247 reverse dns host mail-am1hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:52:10 192.168.29.141 syslog_smtp: Info: ICID 446817705 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.1
First line: Mar 24 06:52:10 192.168.29.10 syslog_smtp: Info: New SMTP ICID 462990429 interface public (192.168.29.10) address 157.56.112.247 reverse dns host mail-am1hn0247.outbound.protection.outlook.com verified yes
Next line: Mar 24 06:52:10 192.168.29.10 syslog_smtp: Info: ICID 462990429 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.1
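
The script above keeps only the last matching "New SMTP" line, so when two listeners (here 192.168.29.141 and 192.168.29.10) log connections interleaved, a second "New SMTP" line can overwrite the first before its REJECT verdict arrives and that pair is missed. The following is an added example, not part of the original post, that keys the remembered lines by ICID instead, and also goes a step further by summarising each rejected connection as sender IP, reverse-DNS host and SBRS score. The sample log is constructed for the example (the ACCEPT line format is an assumption; only the field positions of the "New SMTP" and REJECT lines shown in the post are relied on):

```shell
#!/bin/sh
# Added example (not the original post's code): pair Ironport "New SMTP" lines
# with their BLACKLIST rejects, keyed by ICID so interleaved connections from
# several listeners cannot overwrite one another before the verdict arrives.

# Constructed sample log: ICIDs 100 and 400 come from outlook.com hosts and are
# rejected; 200 is an outlook.com host that is accepted (format assumed); 300 is
# a reject from an unrelated host. Only 100 and 400 should be reported.
SAMPLE_LOG='Mar 24 06:42:29 192.168.29.141 syslog_smtp: Info: New SMTP ICID 100 interface public (192.168.29.141) address 207.46.100.250 reverse dns host mail-a.outbound.protection.outlook.com verified yes
Mar 24 06:42:29 192.168.29.10 syslog_smtp: Info: New SMTP ICID 200 interface public (192.168.29.10) address 207.46.100.251 reverse dns host mail-b.outbound.protection.outlook.com verified yes
Mar 24 06:42:30 192.168.29.141 syslog_smtp: Info: New SMTP ICID 300 interface public (192.168.29.141) address 198.51.100.7 reverse dns host mail.example.net verified yes
Mar 24 06:42:30 192.168.29.141 syslog_smtp: Info: ICID 100 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.7
Mar 24 06:42:31 192.168.29.141 syslog_smtp: Info: ICID 300 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -9.0
Mar 24 06:42:31 192.168.29.10 syslog_smtp: Info: ICID 200 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.5
Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: New SMTP ICID 400 interface public (192.168.29.141) address 207.46.100.246 reverse dns host mail-c.outbound.protection.outlook.com verified yes
Mar 24 06:47:30 192.168.29.141 syslog_smtp: Info: ICID 400 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -8.1'

# Read log lines on stdin; print "First line"/"Next line" pairs like the post.
# Field positions: on a "New SMTP" line $10 is the ICID; on a verdict line
# $7 is the literal "ICID", $8 the ICID value and $11 the sender-group name.
pair_blacklist_rejects() {
    awk '
    /New SMTP ICID/ && /\.outbound\.protection\.outlook\.com/ {
        seen[$10] = $0      # keyed by ICID, so interleaving is harmless
        next
    }
    $7 == "ICID" && ($8 in seen) && $11 == "BLACKLIST" {
        printf "First line: %s\n", seen[$8]
        printf "Next line: %s\n", $0
        print ""
        delete seen[$8]     # each connection is reported once
    }'
}

# Number of matched pairs in the input (one "Next line:" per pair).
count_blacklist_pairs() {
    pair_blacklist_rejects | grep -c '^Next line:'
}

# One line per rejected connection: "<sender IP> <reverse-DNS host> <SBRS>".
# On the "New SMTP" line $15 is the connecting IP and $19 its reverse-DNS name;
# on the verdict line the SBRS score is the last field.
rejected_senders() {
    awk '
    /New SMTP ICID/ && /\.outbound\.protection\.outlook\.com/ {
        sender[$10] = $15 " " $19
        next
    }
    $7 == "ICID" && ($8 in sender) && $11 == "BLACKLIST" {
        print sender[$8], $NF
        delete sender[$8]
    }'
}

# Stand-alone run: print the pairs, then the per-reject summary.
printf '%s\n' "$SAMPLE_LOG" | pair_blacklist_rejects
printf '%s\n' "$SAMPLE_LOG" | rejected_senders
```

On a real file the functions are used as `pair_blacklist_rejects < /var/log/ironport.log.1`; the `delete` after each report also keeps the array from growing across a large log.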


In the past I have always used a higher level language like Perl or Python to accomplish this.
