Table of contents
1. History file command
2. User login log
3. System log
4. Linux log viewing skills
5. Supplement
1. History file command
- #Root user's command log location (in bash environment)
/root/.bash_history
- #Every user has a hidden .bash_history
/home/<account>/.bash_history
- Or use directly on the command line
# cat .bash_history
- View historical commands
# history
- Clear history command (must be run in bash, otherwise an error is reported)
# history -c (clears the commands recorded in memory for this login session, but does not clear the .bash_history file, so the old commands will still appear after the next login)
- #Root user's command log location ( in the zsh environment )
/root/.zsh_history
- Clear history commands ( in zsh environment )
# rm -rf /root/.zsh_history (this is to delete the file, and -rf is generally not recoverable, use with caution)
# echo "" > .zsh_history
2. User login log
/var/log/lastlog (last login information of each user)
/var/log/wtmp (login/logout of each user, system startup/shutdown)
/var/log/utmp (currently logged in user information)
/var/log/btmp (all failed login attempts)
Take /var/log/wtmp as an example: opening it directly shows garbage, because it is a binary file
last -f /var/log/wtmp prints this binary file in readable form
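The following is an added example (not part of the original notes) that summarises the output of `last -f /var/log/wtmp` per user and source host. Reading the real wtmp file requires it to exist and be readable, so a constructed sample in the same fixed-width layout that last(1) prints is embedded to make the pipeline run offline; the user names, hosts and times in it are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise "last -f /var/log/wtmp"
# output per user and source host. A CONSTRUCTED sample in last(1) layout is used
# so the pipeline runs without access to the real wtmp file.

# last prints fixed-width columns (user, tty, host); the host column is blank for
# local console logins, so splitting on whitespace would shift the columns.
# Cutting by character position avoids that. Reads last-style text from stdin and
# prints "count user host", most frequent first.
login_summary() {
    awk '
        /^(reboot|shutdown|wtmp begins)/ || NF == 0 { next }   # drop noise rows
        {
            user = substr($0, 1, 8);  sub(/ +$/, "", user)
            host = substr($0, 23, 16); sub(/ +$/, "", host)
            if (host == "") host = "local-console"
            print user, host
        }' \
    | sort | uniq -c | sort -rn
}

# Wrapper for the real file; the default path is the one named in the notes.
wtmp_summary() {
    last -f "${1:-/var/log/wtmp}" | login_summary
}

# Constructed sample (made-up users, hosts and times) in last(1) layout.
SAMPLE_LAST='alice    pts/0        192.168.222.1    Mon Mar  4 09:12   still logged in
alice    pts/1        192.168.222.1    Mon Mar  4 08:50 - 09:01  (00:11)
bob      pts/0        10.0.0.5         Sun Mar  3 22:17 - 23:40  (01:23)
reboot   system boot  5.15.0-generic   Sun Mar  3 21:00   still running
root     tty1                          Sun Mar  3 21:05 - 21:30  (00:25)

wtmp begins Sun Mar  3 21:00:00 2024'

# Number of sessions recorded for one user in the sample (0 if none).
sample_sessions() {
    printf '%s\n' "$SAMPLE_LAST" | login_summary \
    | awk -v u="$1" '$2 == u { s += $1 } END { print s + 0 }'
}

# Source host(s) a user logged in from in the sample, one per line.
sample_hosts() {
    printf '%s\n' "$SAMPLE_LAST" | login_summary | awk -v u="$1" '$2 == u { print $3 }'
}

# Stand-alone run: show the summary table for the sample.
printf '%s\n' "$SAMPLE_LAST" | login_summary
```

Run `wtmp_summary` (as a user that can read wtmp) to get the same table for the real file. The positional cut is deliberate: a host column that is empty for console logins is the case where an `awk '{print $3}'` approach silently prints the date instead of the host.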
3. System log
The /var directory stores files that are normally changed by the system, such as cache, login files, files generated by program running, etc.
Store log files under /var/log
- View information about scheduled task runs, including run dates
#cat /var/log/cron
- Check the installation log
#cat /var/log/yum.log View installation log
- See what is loaded each time the host boots
#cat /var/log/boot.log content loaded each time the host boots
4. Linux log viewing skills
- | grep search filter
"-E" (capital E) makes grep interpret the pattern as an extended regular expression
# cat /var/log/secure | grep -E "192.168.222.1.*9952 ssh2"
Or use the egrep command, which accepts the regular expression directly without -E
# cat /var/log/secure | egrep "192.168.222.1.*9952 ssh2"
"-e" (lowercase e) lets you give several patterns; a line matches if it matches any of them (OR)
cat /var/log/secure | grep -e "Accepted" -e "Failed"
Chaining several | grep stages gives an AND condition
cat /var/log/secure | grep -e "Accepted" -e "Failed" | grep "34406"
"-v" inverts the match, which is equivalent to NOT
cat /var/log/secure | grep -e "Accepted" -e "Failed" | grep -v "34406"
There is no secure log in my Kali, so boot.log is used here instead
cat boot.log | grep -e "Started"
cat boot.log | grep "Started" | grep "Daily"
cat boot.log | grep -e "Started" -e "Daily"
- uniq command: checks for and removes repeated lines in a text file; it does not work when the duplicate lines are not adjacent, so it needs to be combined with the sort command
uniq -c counts the number of times each line occurs
cat testfile | sort | uniq -c
Write the following content into the testfile file in random order
This command counts the occurrences for us. What happens if we don't sort with sort first?
Without sort, we can see that it cannot group identical lines that are not adjacent for counting
sort command: sorts the content line by line, by ASCII code by default
sort -n sorts by numeric value
sort -r sorts in reverse order
- cut command: cuts bytes, characters and fields from each line of a file and writes them to standard output. If no File argument is given, cut reads from standard input.
-d: custom delimiter, default is tab
-f: specify which field to display
-c: split by character
# cut -d " " -f 11 /var/log/secure | egrep "^[1-9].*[1-9]$"
#cat secure | grep "Failed " | cut -d " " -f 12 | sort | uniq -c
Take boot.log as an example: filter on OK first, then split on " " and show the sixth field (why the sixth? because there are two spaces on each side of OK inside [ OK ], and cut treats every single space as a delimiter)
cat boot.log | grep "OK" | cut -d " " -f 6
- AWK command: command for processing text files
-F specifies the field separator (default: whitespace); the separator can be a string or a regular expression
# awk -F " " '$6=="Accepted"{print $11}' /var/log/secure
($6=="Accepted": if the sixth field after splitting is equal to Accepted)
({print $11}: then output the content of the 11th field)
Note that here it is $4 (the fourth piece of content separated by spaces): with -F " " awk treats any run of spaces as one separator, so [ OK ] occupies fields 1 to 3 and the service name is field 4, unlike cut, where each space counts separately
cat boot.log | grep "OK" | awk -F " " '{print $4}'
Combine uniq and sort to complete the statistics
cat boot.log | grep "OK" | awk -F " " '{print $4}' | sort | uniq -c
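The following is an added example (not part of the original notes) that replays the grep/cut/awk/sort/uniq pipeline from this section on a constructed /var/log/secure-style sample, so it runs offline. It goes one step beyond the notes: the sample mixes single-digit and two-digit days ("Mar  4" versus "Mar 14") and includes an "invalid user" line, which shows why the fixed `cut -d " " -f 12` field breaks while locating the field after "from" in awk does not. The hosts, users, IPs, ports and function names are made up.

```shell
#!/bin/sh
# Added example (not from the original notes). Counts failed SSH logins per source
# IP from a CONSTRUCTED /var/log/secure-style sample. Two things are deliberately
# varied in the sample: the date spacing ("Mar  4" vs "Mar 14") and the
# "Failed password for invalid user X" form, both of which shift field positions.
SECURE_SAMPLE='Mar  4 09:12:01 kali sshd[9952]: Accepted password for alice from 192.168.222.1 port 34406 ssh2
Mar  4 09:12:40 kali sshd[9960]: Failed password for root from 10.0.0.7 port 51022 ssh2
Mar  4 09:12:43 kali sshd[9960]: Failed password for root from 10.0.0.7 port 51022 ssh2
Mar  4 09:12:47 kali sshd[9961]: Failed password for invalid user admin from 10.0.0.7 port 51030 ssh2
Mar 14 09:13:02 kali sshd[9970]: Failed password for bob from 192.168.222.1 port 34500 ssh2
Mar 14 09:13:10 kali sshd[9971]: Accepted publickey for bob from 192.168.222.1 port 34502 ssh2
Mar 14 09:14:00 kali systemd[1]: Started Daily apt download activities.'

# The notes' approach: cut on a single space and take field 12. cut counts every
# space, so the double space in "Mar  4" adds an empty field; on "Mar 14" lines
# field 12 is the word "port", and on "invalid user" lines it is the user name.
cut_field12() {
    grep 'Failed ' | cut -d ' ' -f 12
}

# Robust approach: awk collapses runs of whitespace, and the IP is always the
# field right after "from", whatever the date spacing or the "invalid user" form.
failed_from_ips() {
    awk '$6 == "Failed" { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }'
}

# Same idea for successful logins, as in the notes: $6 == "Accepted", IP after "from".
accepted_from_ips() {
    awk '$6 == "Accepted" { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }'
}

# Full report on the sample: "count ip", most failures first.
failed_report() {
    printf '%s\n' "$SECURE_SAMPLE" | failed_from_ips | sort | uniq -c | sort -rn
}

# Number of failed attempts from one IP in the sample (exact, fixed-string match).
failed_count() {
    printf '%s\n' "$SECURE_SAMPLE" | failed_from_ips | grep -cFx "$1"
}

# IP with the most failed attempts in the sample.
top_failed_ip() {
    failed_report | head -n 1 | awk '{print $2}'
}

# Stand-alone run: the report, then the cut-based output for comparison.
echo "failed logins per source IP:"
failed_report
echo "cut -f 12 output (note the shifted fields):"
printf '%s\n' "$SECURE_SAMPLE" | cut_field12
```

Replace `printf '%s\n' "$SECURE_SAMPLE"` with `cat /var/log/secure` to run the same functions on a real log. The lesson is the one the notes touch on with "$4 versus -f 6": `cut -d " "` treats every single space as a delimiter, so any variation in spacing or in the message wording moves the field you want, while anchoring on the literal word "from" in awk does not.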
5. Supplement
Some Linux commands I am not familiar with
- View the first 10 lines of /etc/profile
# head -n 10 /etc/profile
- View the last 5 lines of /etc/profile
# tail -n 5 /etc/profile
- output the absolute path of the directory you are in
# pwd
- delete file rm
# rm file.txt delete files normally
# rm -r emptydir/ delete empty directory
# rm -rf mydir/ delete directory and all files under it (use with caution)
- mv move file path or rename
# mv file.txt /home/myfiles
# mv oldname.txt newname.txt
- View the command manual (man+command name)
# man mkdir
- Update the access and modification times of the specified files
# touch -m filename (sets the file's modification time to the current time)
# touch newfile (create an empty file)
- chmod to change permissions
r (read), w (write), x (execute)
r=4,w=2,x=1
# chmod 777 file (see the picture below, it should be easy to understand)
- View the running processes of the current shell session
# ps
- View system information
# uname -a