As I’ve pointed out in my last post, it’s obviously a good idea to have an eye on your logs. Also very obvious is the fact that the logs tend to be cluttered with the same sort of message endlessly repeated. But beware! Since the messages in the logs are automatically generated, they only seem to be the same. The information (although important) is often hidden in the last part of the message, out of reach if you read the logs with a text viewer without line-wrapping. Additionally, you can not generalize from the first 40 lines of a 10MB log file! Sadly, the human perception tends to take the short cut and make generalizations very quickly and tries to look only for similar entries further on. Hence you need a tool to make a quick search for one type of message, extract the relevant fields and display the results sorted (and counted if appropriate). I’ve put together a simple shell script looking for failed ssh logins in the auth.log and displaying a short summary of the IP addresses where the requests came from. #!/bin/sh grep "Invalid user " /var/log/auth.log | cut -d' ' -f11 > /tmp/$$.list grep "Did not receive identification string from " /var/log/auth.log | cut -d' ' -f13 >> /tmp/$$.list sort /tmp/$$.list | uniq -c | sort -n rm /tmp/$$.list This is surely not a very sophisticated tool nor are the results relevant without further investigation but it helps to decide if there is action to be taken or not.