
I need to be able to search through a log and grab IP addresses that were logged. An example log line would look like:

[2012-06-05 11:59:52] NOTICE[14369] chan_sip.c: Registration from '' failed for 'yy.yy.yy.yyy' - No matching peer found

I need to grab the IP address listed in the yy.yy.yy.yyy position. With other log files, the yy.yy.yy.yyy would be in a different position.

I was thinking to read each line, split on ' ' and then loop through the split temporary array for: 'yy.yy.yy.yyy'. I just don't know how to pattern match or regex for 'yy.yy.yy.yyy' with the single quotes included. How can I do this?

Chris
eherr9633

2 Answers


This regex will match your IP address contained in ':

'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'

To iterate over all the matches in perl do:

while ($subject =~ m/'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'/g) {
    # matched text = $& (quotes included)
    # IP address alone = $1
}

Group 1 of the match will contain only the IP, so without the '.

buckley
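while (my $line = <>) {
    # Capture the dotted quad between "for '" and the closing quote;
    # skip lines that do not contain one.
    my ($ip) = $line =~ /for '((?:[0-9]+\.){3}[0-9]+)'/
       or next;

    # ... do something with $ip ...
}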
ikegami
  • I used this one and it pulled all my IPs that I needed. Thanks – eherr9633 Jun 05 '12 at 19:18
  • However, with a normal log entry like --- 2012-05-12 08:10:20,481 fail2ban.actions: WARNING [ssh-iptables] Ban yyy.yyy.yy.yyy -- I cannot get the Ban IP with ((?:[0-9]+\.){3}[0-9]+) – eherr9633 Jun 05 '12 at 21:18
  • huh, yes you can (if those "y"s are digits) – ikegami Jun 05 '12 at 22:19
  • @ikegami Oh, didn't see that part, my mistake. – TLP Jun 06 '12 at 03:13
  • @ikegami A line like `[Sat Jun 16 21:32:55 2012] [error] [client 208.179.17.39] File does not exist: /var/www/html/` will not be parsed with the above for loop. I tried with the following `opendir( DIR, "/var/log/httpd" ) or die $!; while( my $file = readdir( DIR ) ) { next unless( -f "/var/log/httpd/$file" ); if( $file =~ /error\_log/ ) { open( LOG, "/var/log/httpd/$file" ); while( <LOG> ) { if( $_ =~ /File/ ) { my ( $ip ) = $_ =~ /for ((?:[0-9]+\.){3}[0-9]+)/ or next; print "IP ==> $ip\n"; } } close( LOG ); } } ` – eherr9633 Jul 03 '12 at 20:40
  • Correct, it won't. It's not even close to what you said should be matched. – ikegami Jul 03 '12 at 23:13
  • @ikegami Right, it worked for what you said it was going to work for. I was trying to extrapolate and use it elsewhere but apparently I failed. I used buckley's for what I needed in this one. I can't even find information on the syntax you used – eherr9633 Jul 05 '12 at 12:06
  • @user1438087, well, you removed the quote, but you left `for` in. `for` isn't in the string you're trying to match. – ikegami Jul 05 '12 at 15:36
  • @ikegami hahha I completely overlooked it. I was trying TOO hard to understand it and I have no clue why the `for` is in there. So `my ( $ip ) = $_ =~ /client ((?:[0-9]+\.){3}[0-9]+)/ or next;` works. Thanks again. – eherr9633 Jul 05 '12 at 17:50
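
Added example, not written by any of the posters above: the anchored-capture approach from the answers, generalized to the three log formats quoted in this thread, plus an octet range check that the posted patterns do not perform. The format names, helper subs and sample lines (documentation-range addresses) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Dotted quad: four groups of 1-3 digits. Range is checked separately below.
my $quad = qr/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/;

# One pattern per log format quoted in this thread. Each is anchored on the
# literal text around the address, so other numbers on the line are ignored.
my @patterns = (
    [ chan_sip => qr/failed for '($quad)'/ ],
    [ fail2ban => qr/\bBan ($quad)\b/ ],
    [ httpd    => qr/\[client ($quad)\]/ ],
);

# The regex alone accepts 999.1.1.1, so confirm every octet is 0..255.
sub valid_ipv4 {
    my ($ip) = @_;
    my @octets = split /\./, $ip;
    return @octets == 4 && !grep { $_ > 255 } @octets;
}

# Returns (format, ip) for the first pattern that matches, or an empty list.
sub extract_ip {
    my ($line) = @_;
    for my $p (@patterns) {
        my ($format, $re) = @$p;
        my ($ip) = $line =~ $re or next;
        return ($format, $ip) if valid_ipv4($ip);
    }
    return;
}

my %seen;    # ip => number of matching lines
while (my $line = <DATA>) {
    my ($format, $ip) = extract_ip($line) or next;
    $seen{$ip}++;
    print "$format\t$ip\n";
}
print "$_ seen $seen{$_} time(s)\n" for sort keys %seen;

# Constructed sample lines (documentation-range addresses); the last is invalid.
__DATA__
[2012-06-05 11:59:52] NOTICE[14369] chan_sip.c: Registration from '' failed for '192.0.2.10' - No matching peer found
2012-05-12 08:10:20,481 fail2ban.actions: WARNING [ssh-iptables] Ban 198.51.100.7
[Sat Jun 16 21:32:55 2012] [error] [client 203.0.113.39] File does not exist: /var/www/html/
[2012-06-05 12:00:01] NOTICE[14369] chan_sip.c: Registration from '' failed for '999.1.1.1' - No matching peer found
```

Anchoring each pattern on the surrounding literal text matters for log monitoring because fields such as the SIP `from` value are supplied by the remote party and could otherwise contribute a misleading address to the match.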