I have a squid log, and I have to find out the users who are logged in from two different IPs (their password may be compromised).
I have extracted three fields (user, time, IP) from the log and stored them in another file:
1110104 1397367240.280 172.27.71.14
1110104 1397367242.439 172.27.71.14
1110104 1397367245.805 172.27.71.14
1110104 1397367246.120 172.27.71.14
1110104 1397367249.770 172.27.71.14
1110104 1397367255.125 172.27.71.14
1110104 1397367255.503 172.27.71.13
1110104 1397367257.255 172.27.71.13
1110104 1397367257.596 172.27.71.13
1110104 1397367257.956 172.27.71.14
1110104 1397367258.353 172.27.71.14
1110104 1397367258.698 172.27.71.14
1110104 1397367259.079 172.27.71.14
1110104 1397367260.879 172.27.71.14
1110104 1397367260.880 172.27.71.14
1110104 1397367261.250 172.27.71.14
1110104 1397367261.254 172.27.71.14
1110104 1397367264.594 172.27.71.13
1110104 1397367264.620 172.27.71.13
1110104 1397367264.948 172.27.71.14
1110104 1397367264.960 172.27.71.14
1110104 1397367265.331 172.27.71.14
1110104 1397367265.340 172.27.71.14
1110104 1397367265.710 172.27.71.14
1110104 1397367266.072 172.27.71.14
1110104 1397367266.157 172.27.71.14
1110104 1397367266.420 172.27.71.14
Now, since there are millions of lines like this, my approach is taking hours:
firstLine=`cat data.log | head -1`
user1=`echo $firstLine | cut -d " " -f1`
time1=`echo $firstLine | cut -d " " -f2 | cut -d "." -f1`   # drop the fractional seconds
ip1=`echo $firstLine | cut -d " " -f3`
while read -r line; do
    user2=`echo $line | cut -d " " -f1`
    time2=`echo $line | cut -d " " -f2 | cut -d "." -f1`
    ip2=`echo $line | cut -d " " -f3`
    # same user, different IP, and time diff is less than 10 minutes
    if [ "$user1" = "$user2" ] && [ "$ip1" != "$ip2" ] && [ $(($time2-$time1)) -lt 600 ]
    then
        echo "user $user1"
        echo "at "`date -d @$time1`" using $ip1 and after $(($time2-$time1)) seconds using $ip2"
    elif [ "$user1" != "$user2" ]
    then
        # new user: this line becomes the reference for the following comparisons
        user1=$user2
        time1=$time2
        ip1=$ip2
    fi
done < data.log
After processing, I want the information as the users who are logged in from different IPs, e.g.
user 1110104
at Jan 18 12:33:12 (full date time) ... using 172.27.71.14 and after 5 seconds using 172.27.71.13
That means there are two persons using the very same username and password from two different IPs.
I hope this makes the question clearer.
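The script above forks echo, cut and date several times per line, which is what makes it take hours on millions of lines. The following is an added example, not the asker's script: a single awk pass over the same "user time ip" extract that keeps each user's last IP and timestamp in memory and prints an alert whenever a user's IP changes within a window (600 seconds by default). It assumes the extract is ordered by time, as a squid access log is (otherwise sort it first with sort -k2,2n), and, unlike the script above, it compares each request with the user's previous request rather than with the first request of that user's run. The sample data embedded below is constructed for the example; the function and variable names (detect_shared_logins, format_alert, WINDOW, SAMPLE_LOG) are my own.

```shell
#!/bin/sh
# Added example (not the asker's code). Input format assumed per line:
#   user epoch.fraction ip
# One awk process handles the whole file; per-user state lives in two arrays,
# so memory is proportional to the number of distinct users, not to the log size.

# Constructed sample extract in the asker's format (not real squid data).
SAMPLE_LOG='1110104 1397367240.280 172.27.71.14
1110104 1397367255.125 172.27.71.14
1110104 1397367255.503 172.27.71.13
1110104 1397367257.956 172.27.71.14
2220105 1397367300.000 10.0.0.5
2220105 1397368000.000 10.0.0.6'

# detect_shared_logins [FILE...]   (reads stdin when no file is given)
# Environment: WINDOW = max seconds between two requests from different IPs
# that count as an alert (default 600, i.e. the asker's 10 minutes).
# Output, one line per IP switch:
#   user epoch_of_previous_request previous_ip delta_seconds new_ip
detect_shared_logins() {
    awk -v window="${WINDOW:-600}" '
        {
            user = $1
            ip   = $3
            t    = int($2)                        # drop the fractional seconds

            # Alert only when we have seen this user before, the IP changed,
            # and the change happened inside the window.
            if ((user in last_ip) && last_ip[user] != ip && t - last_t[user] < window) {
                printf "%s %d %s %d %s\n", user, last_t[user], last_ip[user], t - last_t[user], ip
            }

            # Update per-user state so the next line is compared with this one.
            last_ip[user] = ip
            last_t[user]  = t
        }' "$@"
}

# format_alert: turn detect_shared_logins output into the asker's wording.
# Uses GNU "date -d @EPOCH"; alerts are rare, so one fork per alert is fine.
format_alert() {
    while read -r user t ip1 delta ip2; do
        echo "user $user"
        echo "at $(date -u -d "@$t") using $ip1 and after $delta seconds using $ip2"
    done
}

# Stand-alone run on the constructed sample when executed directly.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | detect_shared_logins | format_alert
fi
```

Usage on the real extract: `detect_shared_logins data.log | format_alert`, or `WINDOW=300 detect_shared_logins data.log` for a tighter window. Because the comparison is against the previous request rather than the first request of a run, a user who alternates between two addresses produces one alert per switch (the sample user 1110104 yields two); pipe through `sort -u -k1,1` if you only want the list of affected users.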