Home/ Questions/Q 7641351
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T08:54:00+00:00

I’m required to analyse a system log. I’ve been told that I should split

  • 0

I’m required to analyse a system log. I’ve been told that I should split a list and then iterate through it to find an ip address. This is a small part of the log. There are duplicate entries therefore I must only take notice of the lines which contain the words “Failed password for from root”. 

Jan 10 09:32:07 j4-be03 sshd[3876]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.173.35  user=root
Jan 10 09:32:09 j4-be03 sshd[3876]: Failed password for root from 218.241.173.35 port 47084 ssh2
Jan 10 09:32:17 j4-be03 sshd[3879]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.173.35  user=root
Jan 10 09:32:19 j4-be03 sshd[3879]: Failed password for root from 218.241.173.35 port 47901 ssh2
Jan 10 09:32:26 j4-be03 sshd[3881]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=218.241.173.35  user=root
Jan 10 09:32:29 j4-be03 sshd[3881]: Failed password for root from 218.241.173.35 port 48652 ssh2

Here is my code so far, bit of psuedo code aswell.

f=open('auth','r')
count=0 
for line in f:
    if "failed password for root from" in line:
count +=1
if count>=13:
    take the ip address, remove duplicates and print the address

If there are 13 or more attempts from one ip address this address must be added to a file. I understand how to write a new file, however if possible a small example would be handy. I am familiar with .append

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Probably easier to use re:

    re_ips = r'Failed password for (?:root|invalid user\s?.*) from ((?:\d{1,3}\.){3}\d{1,3}) '

    This will get you all the IP addresses from the relevant lines. Here’s an example of how to use this regex to print the IPs that recur 13 or more times to the file bad_ips.log:

    from collections import defaultdict
import re

ip_freq = defaultdict(int)
with open("auth", "r") as fh:
    for match in re.finditer(r'Failed password for (?:root|invalid user\s?.*) from ((?:\d{1,3}\.){3}\d{1,3}) ', fh.read()):
        ip_freq[match.group(1)] += 1

with open("bad_ips.log", "w") as fh:
    for ip, n in ip_freq.iteritems():
        if n>=13:
            print >>fh, ip

    edit: updated regex per your new request.

    edit2: updated regex again to match correctly invalid user xxxx in log file.

    edit3: tidied up example

    • 0