Home/ Questions/Q 9180565
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T18:05:23+00:00

So I am trying to parse FTP logs and see if a certain user

  • 0

So I am trying to parse FTP logs and see if a certain user is logging in securely. So far I have this to pull the next couple of lines after the user logs in

cat proftpd.log.2 | grep -B 3 "USER $sillyvariable"

and this is a sample output it creates

::ffff:127.0.0.0 UNKNOWN ftp [04/Jan/2013:11:03:06 -0800] "AUTH TLS" 234 -
::ffff:127.0.0.0 UNKNOWN ftp [04/Jan/2013:11:03:06 -0800] "USER $sillyvariable" 331 -

Now this is a perfect example of what I want, it displays the AUTH TLS Message and the IPs match. However this is not always the case as many users are constantly logging in and out and most of the time the output is jumbled.

Is there a way I can grep for the USER $sillyvariable and find his/her matched IP containing the “AUTH TLS” in the preceding line so I can know they logged in securely? I guess you can say I want to grep the user and then grep backwards to see if the connection they originated from (matching IPs) was secure. I’m kind of stuck on this and could really use some help.
Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    $ grep -B3 'USER $sillyvariable' proftpd.log.2 |
  tac | awk 'NR==1 {IP=$1} $1==IP {print}' | tac
::ffff:127.0.0.0 UNKNOWN ftp [04/Jan/2013:11:03:06 -0800] "AUTH TLS" 234 -
::ffff:127.0.0.0 UNKNOWN ftp [04/Jan/2013:11:03:06 -0800] "USER $sillyvariable" 331 -

    This uses tac to reverse the lines in the grep result. It then looks for all lines where the IP addresses match the one in the USER line. Finally it runs tac again to put the lines back in the original order.

    • 0