
I've been struggling with this issue for quite some time. I'm a beginner with tools like grep/sed/awk/cut, as well as a beginner with regular expressions. I need to parse a Cisco ASA firewall log so that "columns" that contain an IP address are trimmed, leaving only the IP address in their place. Please see the following example.

This:

Built inbound ICMP connection for faddr [hostname_here]-[ip address]/[port] gaddr [ip address]/[port] laddr [ip address]/[port]

Needs to be parsed out to this:

Built inbound ICMP connection for faddr [ip address] gaddr [ip address] laddr [ip address]

Honestly I don't think it's worth it to post what I've done so far because I'm sure I'm approaching this the wrong way.

I really appreciate your help.


2 Answers


With GNU sed:

sed -rn  's/([fgl]addr )([^ -]*[ -])?(([0-9]{1,3}\.){3}[0-9]{1,3})\/[0-9]*/\1\3/gp' file

With file containing:

Built inbound ICMP connection for faddr google.com-129.244.54.55/63 gaddr 9.9.123.33/25 laddr 111.87.75.0/8444

Output:

Built inbound ICMP connection for faddr 129.244.54.55 gaddr 9.9.123.33 laddr 111.87.75.0

Try:

egrep -o "(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])" firewall.log

Source: Regular expression to match DNS hostname or IP Address?

To add some custom text for each of the addresses, add to above:

| while read ip; do echo "Built inbound ICMP connection for faddr $ip gaddr $ip laddr $ip"; done
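An added, runnable example that is not code from the question or from either answer. It covers both approaches above in one script: a sed rewrite in the spirit of the first answer (label kept, hostname prefix and port dropped) and a grep -o extraction in the spirit of the second. Both share one strict octet class (0-255), and the sed pattern uses an optional `[^ ]*-` that consumes a hostname prefix up to the last hyphen before the address, so hostnames that themselves contain hyphens also collapse to the bare IP (a `[^ -]*` prefix stops at the first hyphen). It assumes a sed and grep that accept `-E` (GNU or BSD); the function names and the sample log lines are constructed for this example, not captured ASA output.

```shell
#!/bin/sh
# Added example; not code from the question or either answer.
# Two helpers for Cisco ASA "Built ... connection" lines:
#   strip_asa_addrs - rewrite each faddr/gaddr/laddr field to the bare IPv4
#   extract_ipv4    - print every IPv4 address found on stdin, one per line
# Assumes sed and grep that accept -E (GNU or BSD). All sample log lines
# below are constructed for this example, not captured ASA output.

# Strict dotted quad: each octet is 0-255 (the loose [0-9]{1,3} would also
# accept 999.999.999.999). Shared by both helpers.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
IPV4="$OCTET(\.$OCTET){3}"

strip_asa_addrs() {
    # \1 = the label ("faddr " / "gaddr " / "laddr "), \3 = the address.
    # The optional "[^ ]*-" swallows a "hostname-" prefix up to the LAST
    # hyphen before the address, so hostnames containing hyphens work too.
    # "/[0-9]+" drops the port. '#' is the s delimiter so '/' needs no escape.
    # A field whose address is not a valid dotted quad is left untouched.
    sed -E "s#([fgl]addr )([^ ]*-)?($IPV4)/[0-9]+#\1\3#g"
}

extract_ipv4() {
    # -o prints only the matched text, so labels, hostnames and ports fall away.
    grep -Eo "$IPV4"
}

# Constructed sample: one line in the question's format plus one with a
# hyphenated hostname and RFC 5737 documentation addresses.
SAMPLE_LOG='Built inbound ICMP connection for faddr google.com-129.244.54.55/63 gaddr 9.9.123.33/25 laddr 111.87.75.0/8444
Built outbound TCP connection for faddr vpn-gw-1.example.net-203.0.113.9/443 gaddr 198.51.100.4/51234 laddr 192.0.2.17/51234'

demo() {
    echo '--- trimmed lines ---'
    printf '%s\n' "$SAMPLE_LOG" | strip_asa_addrs
    echo '--- addresses only ---'
    printf '%s\n' "$SAMPLE_LOG" | extract_ipv4
}

demo
```

On a real file, replace the sample with `strip_asa_addrs < firewall.log` or `extract_ipv4 < firewall.log`. Note that `grep -o` can still report the tail of a longer digit run (from `999.1.1.1` it prints `99.1.1.1`), because the pattern is not anchored at a word boundary; the sed rewrite does not have that problem, since the address must follow the label (or the hostname's hyphen) directly.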