AWK Log Analysis

AWK one-liners for parsing authentication logs (sshd, SSSD, Kerberos), the systemd journal, and classic syslog files. Field numbers assume journalctl's default short output (`Mon DD HH:MM:SS host unit[pid]: message`) and an English locale; run with `LC_ALL=C` if your locale changes month names or klist's date format. Usernames and hostnames in these logs are attacker-supplied text — quote them if you feed the output into further commands.

Authentication Logs

# Failed SSH password attempts in the last hour: source IP and attempted username.
# sshd's line ends "... for [invalid user] NAME from IP port N ssh2", so the fields
# are taken relative to NF; that keeps the IP correct even if the (attacker-chosen)
# username contains spaces, though the printed name is then only its last word.
# Distros that call the unit "ssh" rather than "sshd" need -u ssh.
journalctl -u sshd --since "1 hour ago" | awk '/Failed password/ { src = $(NF-3); who = $(NF-5); print src, who }'

# Same window, counted per source IP and sorted most-aggressive first: the
# brute-force hit list. The IP is again taken relative to NF (see above).
journalctl -u sshd --since "1 hour ago" | awk '/Failed password/ { hits[$(NF-3)]++ } END { for (src in hits) print hits[src], src }' | sort -rn

# Successful logins today: timestamp, user, source IP. Positions follow the short
# journal format "Mon DD HH:MM:SS host sshd[pid]: Accepted METHOD for USER from IP port ...".
journalctl -u sshd --since today | awk '/Accepted/ { ts = $1 " " $2 " " $3; print ts, $9, $11 }'

# SSSD trouble in the last hour: GSSAPI/Kerberos errors, unreachable servers,
# authentication failures. A pattern with no action prints the matching line.
journalctl -u sssd --since "1 hour ago" | awk '/GSSAPI error|Server not found|authentication failure/'

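# Histogram of GSSAPI minor-status messages from SSSD, most frequent first.
# The -F argument must be quoted with a plain ASCII single quote; a typographic
# quote (’) is not a shell quote, so the rest of the command becomes literal text.
journalctl -u sssd | awk -F'Minor = ' '/Minor =/ {print $2}' | sort | uniq -c | sort -rn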

# PAM authentication failures across every unit: timestamp plus the last field
# of the message (normally "user=NAME").
journalctl | awk '/pam_unix.*authentication failure/ { when = $1 " " $2 " " $3; print when, $NF }'

# TGT line of the current credential cache. klist's columns are
# "Valid starting / Expires / Service principal", so $3 $4 is the expiry
# date and time and $5 the krbtgt principal.
klist | awk '$0 ~ /krbtgt/ { print $3, $4, $5 }'

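# Print EXPIRED if the TGT's expiry is in the past. Match the krbtgt ticket
# line: the word "Expires" only occurs in klist's column header, whose fields
# are not a date. Relies on GNU `date -d`, on klist printing dates in a form
# date(1) can parse (locale-dependent), and -r so read does not eat backslashes.
klist | awk '/krbtgt/ {print $3, $4}' | while read -r d t; do [[ $(date -d "$d $t" +%s) -lt $(date +%s) ]] && echo "EXPIRED"; done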

Syslog Parsing

# Errors (priority err and worse) in the last hour: timestamp, unit[pid], and
# the first word of the message.
journalctl --since "1 hour ago" -p err | awk '{ stamp = $1 " " $2 " " $3; print stamp, $5, $6 }'

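# Ten noisiest units today at priority err. Field 5 is "unit[pid]:"; the pid
# and trailing colon are stripped so every restart of a service counts under
# the same name instead of one key per pid.
journalctl --since today -p err | awk '{ u = $5; sub(/\[.*/, "", u); sub(/:$/, "", u); unit[u]++ } END { for (n in unit) print unit[n], n }' | sort -rn | head -10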

# Units that failed to start this boot. Timestamp and host (fields 1-4) are
# blanked so repeats of the same failure collapse under uniq.
journalctl -b | awk '/Failed to start/ { for (i = 1; i <= 4; i++) $i = ""; print }' | sort | uniq

# First 20 "Started ..." messages of this boot, with the word "Started " and
# the timestamp/host fields removed.
journalctl -b | awk '/Started/ { gsub(/Started /, ""); for (i = 1; i <= 4; i++) $i = ""; print }' | head -20

# Last 20 syslog lines: timestamp and program field. Tail first so awk only
# touches the lines that are printed (one output line per input line either way).
tail -n 20 /var/log/messages | awk '{ print $1, $2, $3, $5 }'

# Message count per program. Cut each line at the first "[" or "]" (the pid
# bracket), then take word 5 of what remains ("sshd" from "sshd[123]:").
# Lines with no pid bracket keep their colon ("cron:") and count separately.
awk -F'[][]' '{ split($1, w, " "); print w[5] }' /var/log/messages | sort | uniq -c | sort -rn

# First 20 kernel err/warn messages with the "[seconds]" prefix cut off.
# -l is util-linux dmesg; reading the ring buffer may need root if
# kernel.dmesg_restrict is set.
dmesg -l err,warn | awk -F']' '{ print $2 }' | head -n 20

# Ten most recent USB-related kernel messages (device plug/unplug audit).
dmesg | awk '/usb/' | tail -n 10

# Disk trouble: kernel lines that mention an sdX device and an error, failure
# or I/O message.
dmesg | awk '/sd[a-z]/ && /error|fail|I\/O/'

# Everything logged in a fixed time window. The awk is a pass-through
# placeholder: replace the action with a filter or field selection.
journalctl --since "2024-01-01 10:00" --until "2024-01-01 11:00" | awk '{ print $0 }'

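# Syslog lines between 10:00:00 and 11:00:00 inclusive. A string comparison is
# correct because syslog times are fixed-width HH:MM:SS; the operator must be
# ASCII "<=" (a "⇐" glyph is a syntax error in awk). The date is ignored, so a
# file spanning several days matches that hour of every day.
awk '$3 >= "10:00:00" && $3 <= "11:00:00"' /var/log/messages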

# Log lines per minute over the last 10 minutes, keyed "Mon DD HH:MM".
journalctl --since "10 minutes ago" | awk '{ bucket = $1 " " $2 " " substr($3, 1, 5); count[bucket]++ } END { for (b in count) print b, count[b] }' | sort

# Alert on any minute (HH:MM) in the last 10 with more than 100 lines: a cheap
# log-flood / log-spam indicator. The threshold is a starting point to tune.
journalctl --since "10 minutes ago" | awk '{ bucket = substr($3, 1, 5); count[bucket]++ } END { for (b in count) if (count[b] > 100) print "ALERT:", b, count[b] }'