小贝子编程

如何使用squid日志让用户从两个不同的IP登录



我有一个squid日志,我必须找出从两个不同IP登录的用户(他们的密码可能会被泄露)

我从日志中提取了三个信息(用户、时间、ip),并存储在另一个文件中

1110104 1397367240.280 172.27.71.14
1110104 1397367242.439 172.27.71.14 
1110104 1397367245.805 172.27.71.14 
1110104 1397367246.120 172.27.71.14 
1110104 1397367249.770 172.27.71.14 
1110104 1397367255.125 172.27.71.14 
1110104 1397367255.503 172.27.71.13 
1110104 1397367257.255 172.27.71.13 
1110104 1397367257.596 172.27.71.13 
1110104 1397367257.956 172.27.71.14 
1110104 1397367258.353 172.27.71.14 
1110104 1397367258.698 172.27.71.14 
1110104 1397367259.079 172.27.71.14 
1110104 1397367260.879 172.27.71.14 
1110104 1397367260.880 172.27.71.14 
1110104 1397367261.250 172.27.71.14 
1110104 1397367261.254 172.27.71.14 
1110104 1397367264.594 172.27.71.13 
1110104 1397367264.620 172.27.71.13 
1110104 1397367264.948 172.27.71.14 
1110104 1397367264.960 172.27.71.14 
1110104 1397367265.331 172.27.71.14 
1110104 1397367265.340 172.27.71.14 
1110104 1397367265.710 172.27.71.14 
1110104 1397367266.072 172.27.71.14 
1110104 1397367266.157 172.27.71.14 
1110104 1397367266.420 172.27.71.14

现在,由于像这样的线路有数百万条,我的方法需要几个小时的

firstLine=`cat data.log | head -1`
user1=`echo $firstLine | cut -d " " -f1`
time1=`echo $firstLine | cut -d " " -f2 | cut -d "." -f1`
ip1=`echo $firstLine | cut -d " " -f3`
while read -r line; do
       user2=`echo $line | cut -d " " -f1`
       time2=`echo $line | cut -d " " -f2 | cut -d "." -f1`
       ip2=`echo $line | cut -d " " -f3`
       if [ "$user1" = "$user2" ] && [ "$ip1" != "$ip2" ] && [ $(($time2-$time1)) -lt 600]  # time diff is lass than 10 minutes
       then
            echo "user "$user1 
            echo "at "`date -d @$time1` " using "$ip1 " and after "$(($time2-$time1))" seconds using "$ip2
       elif [ "$user1" != "$user2" ]
       then
            a1=$a2
            b1=$b2
            c1=$c2
       fi
    done < data.log

处理后,我想要从不同ip登录的用户的信息例如

user 1110104 
at jan 18 12:33:12 (full date time).... using 172.27.71.14 and after 5 seconds using 172.27.71.13

这意味着有两个人使用来自两个不同ip的相同用户名和密码。

我希望这能使问题更加清楚。

您想要做的是

  1. 按用户ID和时间对行进行排序
  2. 迭代行,如果相邻行具有不同的IP,则考虑时间增量

未测试代码

sort -k1,2 datafile 
  | awk 'BEGIN { user="" ; ip="" ; time=0 }
         user=="" { user=$1 }
         ip=="" { ip=$3 }
         $1 != user { user=$1 ; next }
         $3 != ip && $2-time < 600 { print $0,"vs.",ip,"@",time }
         { time=$2 ; ip=$3 }'

不过,这可能需要一些修补。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium