Searching GZipped Log Files March 18, 2014
Posted by Robert Harder in Utility. Tags: command line, gzip, log, mac, shell, ssh, unix
I have a few handy scripts for searching through log files, especially for monitoring SSH login attempts. I cannot simply grep through the log files, however, because they get “rolled”: compressed and archived.
rob@kanga:/var/log $ ls -lh system.log*
-rw-r-----@ 1 root admin 289K Mar 18 17:16 system.log
-rw-r-----  1 root admin  79K Mar 18 00:00 system.log.0.gz
-rw-r-----  1 root admin  39K Mar 17 00:02 system.log.1.gz
-rw-r-----  1 root admin  36K Mar 16 00:02 system.log.2.gz
-rw-r-----  1 root admin  35K Mar 15 00:02 system.log.3.gz
-rw-r-----  1 root admin  25K Mar 14 00:01 system.log.4.gz
-rw-r-----  1 root admin  69K Mar 13 00:01 system.log.5.gz
-rw-r-----  1 root admin  68K Mar 12 00:01 system.log.6.gz
rob@kanga:/var/log $
Suppose you want to grep through your log files for SSH login activity. You can do it like this:
rob@kanga:/var/log $ { cat /private/var/log/system.log ; gunzip -c /private/var/log/system.*.gz ; } | grep sshd | wc -l
11364
rob@kanga:/var/log $
The magic happens in the curly braces, which concatenate the standard output of all the enclosed commands into a single stream that is then piped into grep. Be sure to include a semicolon after the last command, right before the closing curly brace; without it the shell reports a syntax error.
An even shorter example:
rob@kanga:/var/log $ { echo hello ; echo world ; } | cat -n
     1	hello
     2	world
rob@kanga:/var/log $
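As an added example (not from the original post), the script below builds a small constructed set of rolled logs in a temporary directory and searches them with the same brace-group pipeline, wrapped in a function. The hostname, log lines and addresses are made up, and the check for an unmatched glob is an addition to the technique shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed set of
# "rolled" logs in a temp directory and searches them with the brace-group
# pipeline from the post. All log lines, hosts and addresses are made up.
set -eu

# Write a live system.log plus two gzipped rotations; print the directory.
make_sample_logs() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'Mar 18 17:10:01 kanga sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2' \
        'Mar 18 17:12:44 kanga cron[55]: (root) CMD (run-parts /etc/periodic)' \
        'Mar 18 17:15:09 kanga sshd[102]: Accepted publickey for rob from 192.0.2.10 port 50122 ssh2' \
        > "$dir/system.log"
    printf '%s\n' \
        'Mar 17 02:00:13 kanga sshd[90]: Failed password for root from 203.0.113.5 port 3389 ssh2' \
        'Mar 17 03:30:00 kanga kernel: wake reason: EC.LidOpen' \
        | gzip -c > "$dir/system.log.0.gz"
    printf '%s\n' \
        'Mar 16 01:00:00 kanga sshd[80]: Received disconnect from 203.0.113.5 port 3390: Bye Bye' \
        | gzip -c > "$dir/system.log.1.gz"
    printf '%s\n' "$dir"
}

# Count lines matching $2 across the live log and every gzipped rotation in $1.
# The brace group joins the stdout of each enclosed command into one stream, so
# grep sees the whole retained history at once. The semicolon (or newline)
# before "}" is required. Pass '' as the pattern to count every line.
count_matches() {
    logdir=$1
    pattern=$2
    {
        cat "$logdir/system.log"
        for f in "$logdir"/system.log.*.gz; do
            # With no rotations the glob stays literal; skip it rather than
            # hand gunzip a file that does not exist.
            [ -e "$f" ] || continue
            gunzip -c "$f"
        done
    } | grep -c -- "$pattern"
}

# Stand-alone usage: report sshd activity across live and archived logs.
logs=$(make_sample_logs)
echo "sshd lines across all rolled logs: $(count_matches "$logs" sshd)"
rm -rf "$logs"
```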