Archive

Archive for March, 2014

Searching GZipped Log Files

March 18th, 2014 1 comment

I have a few handy scripts for searching through log files, especially monitoring SSH login attempts. I cannot just grep through log files however, because the log files get “rolled”: compressed, and archived.

rob@kanga:/var/log $ ls -lh system.log*
-rw-r-----@ 1 root  admin   289K Mar 18 17:16 system.log
-rw-r-----  1 root  admin    79K Mar 18 00:00 system.log.0.gz
-rw-r-----  1 root  admin    39K Mar 17 00:02 system.log.1.gz
-rw-r-----  1 root  admin    36K Mar 16 00:02 system.log.2.gz
-rw-r-----  1 root  admin    35K Mar 15 00:02 system.log.3.gz
-rw-r-----  1 root  admin    25K Mar 14 00:01 system.log.4.gz
-rw-r-----  1 root  admin    69K Mar 13 00:01 system.log.5.gz
-rw-r-----  1 root  admin    68K Mar 12 00:01 system.log.6.gz
rob@kanga:/var/log $

Suppose you want to grep through your log files for SSH login activity, you can do it like this:

rob@kanga:/var/log $ { cat /private/var/log/system.log ; gunzip -c /private/var/log/system.*.gz ; } | grep sshd | wc -l
   11364
rob@kanga:/var/log $

The magic happens in the curly braces, which concatenates the standard output of all enclosed commands. Be sure to include a semicolon after the last command, right before the closing curly brace.

An even shorter example:

rob@kanga:/var/log $ { echo hello ; echo world ; } | cat -n
     1	hello
     2	world
rob@kanga:/var/log $
Categories: Utility Tags: , , , , , ,