
Say you have logs like these

Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 03: --> * OK bla.com IMAP4rev1 Mailserver 14.0.3 ready
Thu 2014-10-09 23:55:12: 02: <-- 1 capability
Thu 2014-10-09 23:55:12: 03: --> * CAPABILITY IMAP4rev1 NAMESPACE AUTH=LOGIN AUTH=PLAIN IDLE COMPRESS=DEFLATE ACL UNSELECT UIDPLUS QUOTA BINARY XLIST
Thu 2014-10-09 23:55:12: 03: --> 1 OK CAPABILITY completed
Thu 2014-10-09 23:55:12: 02: <-- 2 authenticate plain
Thu 2014-10-09 23:55:12: 03: --> +
Thu 2014-10-09 23:55:12: 02: <-- ******
Thu 2014-10-09 23:55:12: 01: Authenticated as bla@blubb.com

I want to do some user accounting.

Now the information (Session number, IP address, username, ...) is spread over multiple lines, as you see above.

How would you "convert" data like this into an IP/user-pair list?

You can do stuff like grep -e ": Session" -e ": Accepting" -e ": Authenticated" logfile

which would give you

Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 01: Authenticated as bla@blubb.com
Thu 2014-10-09 23:55:13: 01: Session 525230; child 0101
Thu 2014-10-09 23:55:13: 05: Accepting IMAP connection from [172.1.2.4:52537] to [1.2.3.4:143]
Thu 2014-10-09 23:55:13: 01: Authenticated as bla@blubx.com
...

How would you separate these items?

All of this somehow comes very unnaturally.

Marki
  • I would use Logstash/Kibana/Elasticsearch and have it collate and aggregate my logs into a database. – Sobrique Oct 13 '14 at 16:30
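One way to do the correlation the question asks for, as an added example that is neither the poster's nor the answerer's code: a small Python state machine that opens a record on each "Session" line, fills in the IP from the "Accepting" line and the user from the "Authenticated as" line, and closes the record at the next "Session" line or end of file. It runs on a constructed sample in the same format (not the poster's data) and also counts sessions that were accepted but never authenticated, which is the figure to watch for password guessing against IMAP. It assumes the lines of one session are not interleaved with those of another child process, since the lines after "Session" carry no session id.

```python
import re
from collections import Counter

# Constructed sample in the format of the question's logs (not the poster's data):
# session 525230 accepts a connection but never reaches "Authenticated as".
SAMPLE_LOG = """\
Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 02: <-- ******
Thu 2014-10-09 23:55:12: 01: Authenticated as bla@blubb.com
Thu 2014-10-09 23:55:13: 01: Session 525230; child 0101
Thu 2014-10-09 23:55:13: 05: Accepting IMAP connection from [172.1.2.4:52537] to [1.2.3.4:143]
Thu 2014-10-09 23:55:14: 01: Session 525231; child 0101
Thu 2014-10-09 23:55:14: 05: Accepting IMAP connection from [172.1.2.4:52600] to [1.2.3.4:143]
Thu 2014-10-09 23:55:14: 01: Authenticated as bla@blubx.com
"""

SESSION_RE = re.compile(r": Session (\d+); child (\d+)$")
ACCEPT_RE = re.compile(r": Accepting \w+ connection from \[([^\]:]+):(\d+)\] to ")
AUTH_RE = re.compile(r": Authenticated as (\S+)$")

def sessions(lines):
    """Yield one dict per session; 'user' stays None if it never authenticated.
    Assumes sessions are not interleaved (lines after 'Session' carry no session id)."""
    current = None
    for line in lines:
        line = line.rstrip("\n")
        if m := SESSION_RE.search(line):
            if current:
                yield current  # previous session is closed by the next 'Session' line
            current = {"session": m[1], "child": m[2], "ip": None, "port": None, "user": None}
        elif current is None:
            continue  # line belongs to a session that started before this slice of the log
        elif m := ACCEPT_RE.search(line):
            current["ip"], current["port"] = m[1], int(m[2])
        elif m := AUTH_RE.search(line):
            current["user"] = m[1]
        # other lines (banner, CAPABILITY, the masked '<-- ******' credential) carry no accounting data
    if current:
        yield current

def ip_user_pairs(lines):
    """(ip, user) for every session that authenticated, in log order."""
    return [(s["ip"], s["user"]) for s in sessions(lines) if s["ip"] and s["user"]]

def unauthenticated_per_ip(lines):
    """Accepted-but-never-authenticated sessions per source IP (failed or abandoned logins)."""
    return Counter(s["ip"] for s in sessions(lines) if s["ip"] and not s["user"])
```

On a real file, pass the open file object (any iterable of lines) to `ip_user_pairs` or `unauthenticated_per_ip`; the sample is only there so the block runs stand-alone.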

1 Answer


Use LogStash, which has native support for multiline entries.

thanasisk