Please be sure of what you're checking for before you just write something to scan the logs though.

When first checking a system for what you think is suspicious activity, do it by hand to learn the system's quirks.

After paging through last with (more|less) a couple times, try to find a reasonable grep command or two that would find things you noticed while paging. Then check last (by paging through it again) to make sure that your grep command cought everything it was purposed towards.

Once you have a completely familial understanding with what you're looking for in the log, then writing a script to speed up the process is good because you can do your work faster at the same exactness. If you just start by writing a script you might leave something out that's important (albeit possibly only in certain cases).

Sorry to go off topic, and hopefully this didn't come out as a rant; i've just seen too many admins too worried about not having to scroll through logs to care about what they were actually trying to do when they did so (myself included :-). Perl is a boon to admins, but it shouldn't be a crutch.

HTH,
jynx

In reply to Re: Unix by jynx
in thread Unix by surfuno

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.