// Storing information in AWK
// Each action below pulls one key=value field out of a LEA record into an awk variable.
// The numeric offset is the length of the key prefix (5 for "rule=", 8 for "service=", and so on)
// and must be kept in sync with the regex it follows. Caveats a reader should know:
//   - when the key is absent, match() fails (RSTART=0, RLENGTH=-1) and substr() returns "",
//     so the variable is silently empty; test the match() result if the field is optional.
//   - match() returns the leftmost hit, so /src=.../ can land on the tail of "xlatesrc=..."
//     (and /dst=.../ on a translated-destination key, if the log has one) depending on field
//     order; anchor the regex with a leading space or ";" if that matters.
//   - the [0-9.]+ address patterns only cover dotted IPv4; an IPv6 value yields an empty or
//     truncated result.
RuleNum             - { rule = substr($0, match($0, /rule=[0-9]+/)+5, RLENGTH-5) };
Origin                    - { orig = substr($0, match($0, /orig=[0-9.]+/)+5, RLENGTH-5) };
Protocol               - { proto = substr($0, match($0, /proto=[0-9a-zA-Z]+/)+6, RLENGTH-6) };
DstPort                 - { port = substr($0, match($0, /service=[0-9]+/)+8, RLENGTH-8) };
SrcIP                      - { srcip = substr($0, match($0, /src=[0-9.]+/)+4, RLENGTH-4) };
DstIP                     - { dstip = substr($0, match($0, /dst=[0-9.]+/)+4, RLENGTH-4) };
xSrc                  - { xsrc = substr($0, match($0, /xlatesrc=[0-9.]+/)+9, RLENGTH-9) };
NatRule                - { natrule = substr($0, match($0, /NAT_rulenum=[0-9]+/)+12, RLENGTH-12) };

// Example - count the protocols and ports hitting a specific rule on a specific gateway, filtering on the orig= (Origin) and rule= fields described above. Replace <ip>, <rule#> and <log-filename> before running. (Note: the LEA log format may have changed since this was written, so verify the regexes against a current record rather than relying on this blindly.)
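# Count the protocol/port pairs that hit one rule on one gateway, most frequent first.
# Fill in the three placeholders. They are matched as fixed strings (grep -F), so the
# dots in an IP address are literal and "10.1.1.1" cannot also match "10x1y1z1".
# NOTE: LEA key names and field order may have changed since this was written; check
# the proto=/service= regexes against a current log line before trusting the counts.
ip='<ip>'; rule='<rule#>'; log='<log-filename>'
grep -F "orig=$ip " "$log" | grep -F "rule=$rule " | awk '
  # Default both columns per record. Without this a record that lacks service= (or proto=)
  # prints an empty field, and the final report silently shifts the port into the Proto column.
  { proto = "-"; port = "-" }
  match($0, /proto=[0-9a-zA-Z]+/) { proto = substr($0, RSTART + 6, RLENGTH - 6) }   # 6 = length of "proto="
  match($0, /service=[0-9]+/)     { port  = substr($0, RSTART + 8, RLENGTH - 8) }   # 8 = length of "service="
  { print proto " " port }
' | sort | uniq -c | sort -nr | awk 'BEGIN { print "\nHits\tProto\tPort" } { print $1 "\t" $2 "\t" $3 }'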

Notes:

  • The LEA field names, order and positions may have changed since this was created; compare each regex against a current log line and adjust the key names and offsets before relying on the output.
  • Useful for parsing LEA log exports and picking out the hits on specific rules.
