
I'm trying to write a little shell script to run once an hour and return all the users and IPs that have sent emails in the past hour so I can look for any compromised accounts.

I'm getting the data I want via:

grep "A=dovecot_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

But I want to limit those results to just the previous hour (so if I run it at 10am, then the results would be those logins from 9am to 10am).

Any idea how to limit that? I thought I was getting close with

hour=`date | awk {'print $4'} | cut -d: -f 1`; lasthour=`expr $hour - 1`; grep "`date -I` $lasthour" /var/log/exim_mainlog | grep "A=dovecot_login" | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

But got no love there.

TIA

Analog
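As an added example (not code from the question), here is one way to get the previous clock hour without doing arithmetic on the hour yourself. The attempt above fails for two reasons: the hour is not zero-padded (`expr 09 - 1` prints `8`, which never matches `08:` in the log), and it goes negative at midnight, when `date -I` also still gives today's date. Matching the `YYYY-MM-DD HH` prefix that GNU `date -d '1 hour ago'` prints avoids both. The script also locates the user by the `A=dovecot_login:` marker and the IP by its `[...]` brackets instead of by field position, so the result is the authenticated account rather than the envelope sender and does not shift if extra `log_selector` fields appear. The log lines, the `mktemp` path and the GNU `date` are assumptions; the sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): summarise dovecot_login
# submissions in an Exim main log for one clock hour, selected by the
# timestamp prefix at the start of each line instead of by arithmetic on
# the current hour. Assumes GNU date (for "-d '1 hour ago'") and
# cPanel-style /var/log/exim_mainlog lines of the form
#   YYYY-MM-DD HH:MM:SS msgid <= sender H=host [ip]:port P=... A=dovecot_login:user ...

# previous_hour_prefix prints "YYYY-MM-DD HH" for the clock hour before now,
# zero-padded and correct across midnight, month and year boundaries.
previous_hour_prefix() {
    date -d '1 hour ago' '+%Y-%m-%d %H'
}

# logins_in_hour LOG PREFIX
# Prints "count user ip" for every (user, ip) pair that authenticated via
# dovecot_login during the hour whose timestamp prefix is PREFIX. User and
# IP are found by their markers (A=dovecot_login:... and [ip]:port), not by
# field number, so additional log fields do not shift them.
logins_in_hour() {
    grep "^$2:" "$1" | grep 'A=dovecot_login:' | awk '{
        user = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^A=dovecot_login:/) { sub(/^A=dovecot_login:/, "", $i); user = $i }
            else if ($i ~ /^\[/) { sub(/^\[/, "", $i); sub(/].*$/, "", $i); ip = $i }
        }
        if (user != "" && ip != "") print user, ip
    }' | sort | uniq -c
}

# login_count LOG PREFIX USER IP -> number of logins for that pair (0 if none)
login_count() {
    n=$(logins_in_hour "$1" "$2" | awk -v u="$3" -v a="$4" '$2 == u && $3 == a { print $1 }')
    echo "${n:-0}"
}

# write_sample_log FILE: constructed sample lines (not real log data) so the
# script can be exercised without a live mail server. Note the non-auth
# relay line at 09:07:30, which must not appear in the summary.
write_sample_log() {
    cat > "$1" <<'EOF'
2012-03-10 08:59:58 1S6Dfa-0001bA-3V <= alice@example.com H=(pc) [192.0.2.10]:54321 P=esmtpsa A=dovecot_login:alice@example.com S=2345
2012-03-10 09:05:12 1S6Dkq-0001bB-2Q <= alice@example.com H=(pc) [192.0.2.10]:54322 P=esmtpsa A=dovecot_login:alice@example.com S=2311
2012-03-10 09:06:44 1S6Dlb-0001bC-8T <= bob@example.com H=(laptop) [198.51.100.7]:41000 P=esmtpsa A=dovecot_login:bob@example.com S=900
2012-03-10 09:07:01 1S6Dlx-0001bD-1F <= bob@example.com H=(laptop) [198.51.100.7]:41001 P=esmtpsa A=dovecot_login:bob@example.com S=901
2012-03-10 09:07:30 1S6Dmf-0001bE-9A <= other@example.net H=mx.example.net [203.0.113.5]:25 P=esmtp S=5000
2012-03-10 09:08:00 1S6Dmz-0001bF-4K <= bob@example.com H=(unknown) [203.0.113.77]:60000 P=esmtpsa A=dovecot_login:bob@example.com S=902
2012-03-10 10:00:03 1S6Elo-0001bG-0C <= alice@example.com H=(pc) [192.0.2.10]:54330 P=esmtpsa A=dovecot_login:alice@example.com S=2000
EOF
}

# Stand-alone demo over the constructed log. From cron, replace the four
# lines below with:  logins_in_hour /var/log/exim_mainlog "$(previous_hour_prefix)"
sample=$(mktemp)
write_sample_log "$sample"
logins_in_hour "$sample" '2012-03-10 09'
rm -f "$sample"
```

Running the demo prints one line per (account, IP) pair seen between 09:00:00 and 09:59:59; bob appearing from both 198.51.100.7 and 203.0.113.77 within the hour is exactly the kind of pattern worth a second look. Because the filter is a string prefix, the window is the previous wall-clock hour, not "the 60 minutes before now"; if cron fires a few seconds late that is still the right window.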

1 Answer


Don't re-invent the wheel; use the tools that others have already written and tested in production: grab the logtail2 Perl script from the logcheck package. Then just have a cron job every hour that processes the log file you are tailing. The logtail2 script keeps track of where it stopped the last time it was run, so if you run it hourly you know that you will only get the last hour's worth of log lines. Then use your normal text parsing to extract the data that you want to track.

The tarball can be found on http://packages.debian.org/unstable/logtail.

Todd Lyons
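The mechanism the answer relies on, as an added example written for this page (it is not the logtail2 script and not code from the answer): each run reads only the bytes appended since the saved offset, records the new file size, and starts over from byte 0 when the file has shrunk, which is what happens after rotation or truncation. The new lines are then piped through the question's own sed/awk extraction, exactly as the answer suggests. The state-file location, the `sample_line` helper and the log lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not the logtail2 script and not code from the original
# answer): the offset-tracking idea behind logtail2 in plain POSIX sh, so
# the mechanism is visible and it works where logcheck is not installed.
# Assumes the cPanel /var/log/exim_mainlog line format from the question.

# new_lines LOG STATEFILE
# Print the lines appended to LOG since the byte offset stored in STATEFILE,
# then record LOG's current size as the offset for the next run.
new_lines() {
    log=$1; state=$2; offset=0
    [ -f "$state" ] && read -r offset < "$state"
    size=$(wc -c < "$log")
    # Rotation or truncation: the file is now smaller than where we stopped,
    # so everything in it is new.
    [ "$size" -lt "$offset" ] && offset=0
    # tail -c +N starts at byte N (1-based), so offset+1 is the first new byte.
    tail -c +$((offset + 1)) "$log"
    echo "$size" > "$state"
}

# summarise: the question's own extraction applied to whatever arrives on
# stdin; prints "count sender ip" for each authenticated submission.
summarise() {
    grep 'A=dovecot_login' \
        | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' \
        | awk '{print $5, $6}' | sort | uniq -c
}

# new_line_count LOG STATEFILE -> how many lines this run would process
new_line_count() {
    new_lines "$1" "$2" | wc -l | tr -d ' '
}

# sample_line TIME USER IP: one constructed Exim line in the question's
# format (not real traffic), used only for the demo and checks.
sample_line() {
    printf '2012-03-10 %s 1S6Dkq-0001bB-2Q <= %s H=(pc) [%s]:54321 P=esmtpsa A=dovecot_login:%s S=2311\n' \
        "$1" "$2" "$3" "$2"
}

# Stand-alone demo. From cron the equivalent is:
#   new_lines /var/log/exim_mainlog /var/lib/exim-logins.offset | summarise
log=$(mktemp); state="$log.offset"
sample_line 09:05:12 alice@example.com 192.0.2.10 >> "$log"
sample_line 09:06:44 bob@example.com 198.51.100.7 >> "$log"
echo "first run (no state yet, whole file):"
new_lines "$log" "$state" | summarise
sample_line 09:31:00 bob@example.com 203.0.113.77 >> "$log"
echo "second run (only the appended line):"
new_lines "$log" "$state" | summarise
rm -f "$log" "$state"
```

Two caveats a practitioner should keep in mind with any size-based approach, this one included: a line that is being written at the instant the size is read is emitted half now and half on the next run, and a rotated file that is replaced by one already longer than the saved offset is not detected by the size check alone. The state file must also be writable by the user the cron job runs as.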