One day you check your logs and see that your mail.log or access.log is 10 times bigger than usual. You need to find the reason, and the sooner the better!
For a web server, maybe someone is aggressively downloading, crawling or scraping your website, running a vulnerability scanner, or brute-forcing passwords. For a mail server, maybe someone is sending spam or brute-forcing passwords. Or something else.
topip can quickly find the top-N IPv4 addresses in your logs.
    topip /var/log/mail.log
    ...
    8405 92.155.149.266
    8496 35.142.45.298
    66340 127.0.0.1
or
    grep "SASL LOGIN authentication failed:" /var/log/mail.log | topip
With the -g flag you can grep lines which contain any IPv4 address (and omit lines without one). With -i, only the IPv4 addresses themselves will be printed.
    topip -g /var/log/mail.log
    Oct 9 05:48:25 mx postfix/smtpd[2166]: connect from unknown[191.211.100.228]
    Oct 9 05:48:26 mx postfix/smtpd[2162]: connect from unknown[103.129.202.216]
    Oct 9 05:48:30 mx postfix/smtpd[2166]: warning: unknown[191.211.100.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
topip is written in Go and is very fast.
You can achieve a similar effect with sed/awk/sort/uniq, but isn't it easier to write topip filename.log?
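For comparison, here is the grep/sort/uniq pipeline that does what topip, topip -g and topip -i do, written as an added example (it is not topip's own code and not from the post). It assumes grep -E/-o and uses the three log lines shown above plus two constructed ones in place of /var/log/mail.log.

```shell
#!/bin/sh
# Sample input: the three lines from the post plus two constructed ones (not real traffic).
SAMPLE_LOG='Oct 9 05:48:25 mx postfix/smtpd[2166]: connect from unknown[191.211.100.228]
Oct 9 05:48:26 mx postfix/smtpd[2162]: connect from unknown[103.129.202.216]
Oct 9 05:48:30 mx postfix/smtpd[2166]: warning: unknown[191.211.100.228]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 9 05:48:31 mx postfix/smtpd[2166]: disconnect from unknown[191.211.100.228]
Oct 9 05:48:32 mx postfix/anvil[2170]: statistics: max connection rate 1/60s'

# Anything shaped like a dotted quad. Note this loose pattern also accepts octets above 255,
# so it behaves like a tokenizer, not a validator.
IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Equivalent of "topip -g": keep only lines that contain an IPv4 address.
topip_g() { grep -E "$IPV4_RE"; }

# Equivalent of "topip -i": print every IPv4 address found, one per line.
topip_i() { grep -oE "$IPV4_RE"; }

# Equivalent of "topip": count addresses and print the top N (default 10) as "count ip",
# ascending so the busiest address is last, as in the output shown in the post.
topip() {
    n="${1:-10}"
    topip_i | sort | uniq -c | sort -n | tail -n "$n" | awk '{print $1, $2}'
}

# Usage as in the post: count only the sources of failed SASL logins.
printf '%s\n' "$SAMPLE_LOG" | grep "SASL LOGIN authentication failed:" | topip
```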