Question : Security logs & shell scripts

I have a log that contains information about all the TCP connections coming into and out of my network and was wondering if you could help me figure out a way to write a shell script that would allow me to filter the log file. For example, I may want to search for a particular source IP address, destination IP address, source port, or destination port. Unfortunately I have little to no experience writing shell scripts. Also, if you could direct me to some good books to read on learning how to create them, I would be very thankful.
Here is a small example of what the log file looks like:

Sep 23 10:30:00 1998  f_wwwproxy a_server t_nettraffic p_major
pid: 311 ruid: 0 euid: 0 pgid: 311 fid: 2000001 cmd: 'httpp'
domain: htpp edomain: htpp srcip: xxx.xxx.xxx.xxx srcport: 1135 dstip: xxx.xxx.xxx.xxx

dstport: 80 protocol: 6 service_name: /usr/libexec/httpp
netsessid: 360905e8000af89a

Sep 23 10:30:00 1998  f_wwwproxy a_server t_nettraffic p_major
pid: 311 ruid: 0 euid: 0 pgid: 311 fid: 2000001 cmd: 'httpp'
domain: htpp edomain: htpp srcip: xxx.xxx.xxx.xxx srcport: 1136 dstip: xxx.xxx.xxx.xxx

dstport: 80 protocol: 6 service_name: /usr/libexec/httpp
netsessid: 360905e8000b2485

Sep 23 10:30:00 1998  f_wwwproxy a_server t_nettraffic p_major
pid: 311 ruid: 0 euid: 0 pgid: 311 fid: 2000001 cmd: 'httpp'
domain: htpp edomain: htpp srcip: xxx.xxx.xxx.xxx srcport: 1339 dstip: xxx.xxx.xxx.xxx
                                                                               
Thanks!!!

Answer : Security logs & shell scripts

Hi
Based on the sample from your log file and assuming that the content of the log is consistently similar, try the following script.

#!/bin/sh
# Filter the proxy log by one field.
# Usage: script KEY VALUE, where KEY is one of srcip:, dstip:, srcport:,
# dstport: (the trailing colon is part of the key, as it appears in the log).

if [ $# -lt 2 ]; then
      echo "[$0]: 2 arguments must be supplied"
      echo "      $0 srcip: xxx.xxx.xxx.xxx"
      echo "      $0 dstip: xxx.xxx.xxx.xxx"
      echo "      $0 srcport: xxxx"
      echo "      $0 dstport: xxxx"
      exit 1
fi

log=/export/home/steven/logfile

# Line numbers of every line holding KEY followed by exactly VALUE as the next
# word, so that "srcport: 80" does not also pick up "srcport: 8080".
matches=`awk -v k="$1" -v v="$2" '{ for (i = 1; i < NF; i++) if ($i == k && $(i + 1) == v) { print NR; break } }' "$log"`

echo "Source IP     Destination IP  Source Port     Destination Port        Date"

# In the sample each record is laid out as: header (date) line, pid line,
# srcip/srcport/dstip line, blank line, dstport line.  From the matched line,
# work out where the header, srcip and dstport lines of that record sit.
for i in $matches
do
      if [ "$1" = "dstport:" ]; then
            line1=`expr $i - 4`      # header line
            line2=`expr $i - 2`      # srcip/srcport/dstip line
            line3=$i                 # dstport line
      else
            line1=`expr $i - 2`      # header line
            line2=$i                 # srcip/srcport/dstip line
            line3=`expr $i + 2`      # dstport line
      fi
      a=`sed -n "${line2}p" "$log" | awk '{print $6}'`           # srcip
      b=`sed -n "${line2}p" "$log" | awk '{print $NF}'`          # dstip
      c=`sed -n "${line2}p" "$log" | awk '{print $8}'`           # srcport
      d=`sed -n "${line3}p" "$log" | awk '{print $2}'`           # dstport
      e=`sed -n "${line1}p" "$log" | awk '{print $1,$2,$3,$4}'`  # date

      echo "$a      $b      $c      $d      $e"
done
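
The script above finds the other lines of a record by fixed offsets from the matched line, so it silently prints the wrong record as soon as a line wraps differently or a blank line is missing. The following is an added example, not part of the answer above, showing the same filter written so that awk parses each record by its field names instead: a record starts at a timestamp header line, every other line contributes "name: value" pairs, and the record is printed when the requested field equals the requested value exactly. The sample log inside `sample_log` is constructed for the example (the IPs are made up, since the original post redacts them); `filter_log` is a name chosen here.

```shell
#!/bin/sh
# Added example: field-based filter for the multi-line proxy log format in the
# question.  Not the original answer's script.

# filter_log KEY VALUE  (reads the log on stdin)
# KEY is srcip, dstip, srcport or dstport, with or without the trailing colon.
# VALUE must equal the whole field, so "dstport 80" does not match port 8080.
filter_log() {
    key=${1%:}
    want=$2
    awk -v key="$key" -v want="$want" '
        # A record begins with a header like "Sep 23 10:30:00 1998 ...".
        /^[A-Z][a-z][a-z] +[0-9]+ +[0-9][0-9]:[0-9][0-9]:[0-9][0-9] +[0-9][0-9][0-9][0-9]/ {
            flush()
            date = $1 " " $2 " " $3 " " $4
            next
        }
        # Any other non-empty line: collect "name: value" pairs, wherever
        # they fall.  Blank or wrapped lines inside a record do not matter.
        NF {
            for (i = 1; i < NF; i++)
                if ($i ~ /:$/) f[substr($i, 1, length($i) - 1)] = $(i + 1)
        }
        END { flush() }
        # Emit the record collected so far if it matches, then reset.
        function flush() {
            if (date != "" && f[key] == want)
                printf "%s\t%s\t%s\t%s\t%s\n", f["srcip"], f["dstip"], f["srcport"], f["dstport"], date
            date = ""
            split("", f)
        }
    '
}

# Constructed sample in the question's layout.  The first record keeps the
# blank line seen in the posted sample; the second record has none, which the
# offset-based script cannot handle but this parser does not notice.
sample_log() {
    cat <<'EOF'
Sep 23 10:30:00 1998  f_wwwproxy a_server t_nettraffic p_major
pid: 311 ruid: 0 euid: 0 pgid: 311 fid: 2000001 cmd: 'httpp'
domain: htpp edomain: htpp srcip: 10.1.2.3 srcport: 1135 dstip: 192.0.2.10

dstport: 80 protocol: 6 service_name: /usr/libexec/httpp
netsessid: 360905e8000af89a
Sep 23 10:30:01 1998  f_wwwproxy a_server t_nettraffic p_major
pid: 311 ruid: 0 euid: 0 pgid: 311 fid: 2000001 cmd: 'httpp'
domain: htpp edomain: htpp srcip: 10.1.2.4 srcport: 1136 dstip: 192.0.2.10
dstport: 8080 protocol: 6 service_name: /usr/libexec/httpp
netsessid: 360905e8000b2485
EOF
}

# Demo on the embedded sample.  Against a real file:
#   filter_log srcport 1136 < /export/home/steven/logfile
printf 'Source IP\tDestination IP\tSource Port\tDestination Port\tDate\n'
sample_log | filter_log srcport 1136
```

Because matching is on the whole field value, asking for `dstport 80` returns only the first record and not the one on port 8080; the fixed-offset script's `grep "$1 $2"` would have returned both.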
