I want to use a regexp to exclude the lines with the address 10.0.0.2 from the output below.
My command:
cat /var/log/secure | egrep '\s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?nessus from \S+'
Output:
Aug 28 09:58:18 server34 sshd[13567]: Failed password for invalid user nessus from 10.0.0.4 port 33254 ssh2
Aug 28 09:58:57 server34 sshd[13577]: Failed password for invalid user nessus from 10.0.0.4 port 33366 ssh2
Aug 28 10:01:09 server34 sshd[13854]: Failed password for invalid user nessus from 10.0.0.4 port 33841 ssh2
Aug 28 10:01:30 server34 sshd[13932]: Failed password for invalid user nessus from 10.0.0.4 port 34074 ssh2
Aug 28 10:01:48 server34 sshd[13957]: Failed password for invalid user nessus from 10.0.0.4 port 36108 ssh2
Aug 28 10:01:50 server34 sshd[13959]: Failed password for invalid user nessus from 10.0.0.4 port 36540 ssh2
Aug 29 03:29:11 server34 sshd[7461]: Failed password for invalid user nessus from 10.0.0.2 port 46375 ssh2
Aug 29 03:29:54 server34 sshd[7475]: Failed password for invalid user nessus from 10.0.0.2 port 34047 ssh2
Aug 29 03:31:51 server34 sshd[8335]: Failed password for invalid user nessus from 10.0.0.2 port 47509 ssh2
Aug 29 03:31:58 server34 sshd[8355]: Failed password for invalid user nessus from 10.0.0.2 port 48692 ssh2
Aug 29 03:32:42 server34 sshd[8423]: Failed password for invalid user nessus from 10.0.0.2 port 54580 ssh2
Aug 29 03:32:49 server34 sshd[8425]: Failed password for invalid user nessus from 10.0.0.2 port 55557 ssh2
I want to stick with regexp (in its current format), because that is what SCOM uses when it scans log files on Linux.
Answer 0 (score: 1)
You can remove the useless cat and use another grep -v for the exclusion:
egrep '\s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?nessus from' /var/log/secure | \
grep -F -v '10.0.0.2'
To do this with a single grep:
grep -P '(?!.*?10\.0\.0\.2)\s+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?nessus from \S+' file
Aug 28 09:58:18 server34 sshd[13567]: Failed password for invalid user nessus from 10.0.0.4 port 33254 ssh2
Aug 28 09:58:57 server34 sshd[13577]: Failed password for invalid user nessus from 10.0.0.4 port 33366 ssh2
Aug 28 10:01:09 server34 sshd[13854]: Failed password for invalid user nessus from 10.0.0.4 port 33841 ssh2
Aug 28 10:01:30 server34 sshd[13932]: Failed password for invalid user nessus from 10.0.0.4 port 34074 ssh2
Aug 28 10:01:48 server34 sshd[13957]: Failed password for invalid user nessus from 10.0.0.4 port 36108 ssh2
Aug 28 10:01:50 server34 sshd[13959]: Failed password for invalid user nessus from 10.0.0.4 port 36540 ssh2
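
Added example (not part of the original question or answer): a comparison of the substring exclusion with an exclusion anchored on the surrounding " from ... port " text, so that only the host 10.0.0.2 is suppressed and other sources whose address merely contains that string still appear. The log lines for 10.0.0.20 and 110.0.0.2 and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the format shown on this page.
sample_log() {
cat <<'EOF'
Aug 28 09:58:18 server34 sshd[13567]: Failed password for invalid user nessus from 10.0.0.4 port 33254 ssh2
Aug 29 03:29:11 server34 sshd[7461]: Failed password for invalid user nessus from 10.0.0.2 port 46375 ssh2
Aug 29 04:10:02 server34 sshd[9001]: Failed password for nessus from 10.0.0.20 port 40222 ssh2
Aug 29 04:11:45 server34 sshd[9015]: Failed password for invalid user nessus from 110.0.0.2 port 51870 ssh2
EOF
}

# The page's match pattern, written with POSIX classes instead of \s and \S.
PATTERN='[[:space:]]+sshd\[[[:digit:]]+\]: Failed password for (invalid user )?nessus from [^[:space:]]+'

# Substring exclusion: drops every line that contains "10.0.0.2" anywhere,
# which includes 10.0.0.20 and 110.0.0.2.
loose_filter() {
  sample_log | grep -E "$PATTERN" | grep -F -v '10.0.0.2'
}

# Anchored exclusion: drops only lines whose source address is exactly 10.0.0.2.
strict_filter() {
  sample_log | grep -E "$PATTERN" | grep -E -v ' from 10\.0\.0\.2 port '
}

# Print the source addresses that survive the named filter, space separated.
addrs() {
  "$1" | sed -E 's/.* from ([^ ]+) port .*/\1/' | tr '\n' ' '
}

echo "substring exclusion keeps: $(addrs loose_filter)"
echo "anchored exclusion keeps:  $(addrs strict_filter)"
```

The same " from 10\.0\.0\.2 " anchoring can be placed inside the negative lookahead of the single-grep form.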