I have this script where I print how many times an IP has failed to connect, and at what date this IP made its last try. It looks like this:
#!/bin/bash
searchString=$1
file=$2
countLines()
{
    declare -A ipCount
    declare -A lastDate
    cnt=0
    while read line;
    do
        ((cnt+=1))
        ipaddr=$( echo "$line" | grep -o -E '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' )
        lastDate[$ipaddr]=$( echo "$line" | grep -o -E '[a-zA-Z][a-zA-Z][a-zA-Z]\ [0-3][0-9]\ [0-2][0-9]\:[0-2][2-9]\:[0-2][2-9]' )
        ((ipCount[$ipaddr]+=1))
    done
    printf "%-18s %-10s %s\n" "IP" "Count" "lastDate"
    echo "-------------------------------------------------"
    for ip in ${!ipCount[*]}
    do
        printf "%-18s %-10s %s\n" "$ip" "${ipCount[$ip]}" "${lastDate[$ip]}"
    done | sort
    echo "--------------------------------------------------"
    echo "Count: $cnt"
}
grep "$searchString" $file | countLines
The file I try this on looks like this, but bigger:
May 16 06:41:38 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:41:40 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:41:43 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
May 16 06:41:46 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
May 16 06:41:48 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
and what I get is this:
IP                 Tries      LastDate
-----------------------------------------------
37.141.229.226     205
137.241.229.226    705        May 16 07:08:24
-----------------------------------------------
Count: 910
As you can see, I only get 'lastDate' on one of the IPs. This also happens on the big log file. I guess it's really simple, but I can't find out why; can you help me?
I run the script like this: bash scriptname.sh "Failed password for root" logFile
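As an added example (not the poster's script), here is the same per-IP summary of failed SSH logins done in one awk pass over the syslog-style lines above, with a timestamp pattern whose minute and second classes are [0-5][0-9] so every line of the sample matches. The sample log is constructed for the demonstration and the "Accepted publickey" line is there only to show the search string filtering it out.

```shell
#!/bin/sh
# Constructed sample in the same sshd/auth.log layout as the post; not from a real host.
SAMPLE_LOG='May 16 06:41:38 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:41:40 aprs sshd[25951]: Failed password for root from 137.241.229.226 port 2008 ssh2
May 16 06:41:43 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
May 16 06:41:46 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
May 16 06:41:48 aprs sshd[25951]: Failed password for root from 37.141.229.226 port 2008 ssh2
May 16 06:42:03 aprs sshd[25960]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2'

# failed_logins PATTERN   (reads the log on stdin)
# Prints "IP<TAB>count<TAB>lastDate", one line per source IP, most attempts first.
failed_logins() {
    awk -v pat="$1" '
        index($0, pat) == 0 { next }            # literal substring match, like grep -F
        {
            # syslog timestamp is the first three fields, e.g. "May 16 06:41:38";
            # a single-digit day is space padded, so $2 may be "6"
            ts = $1 " " $2 " " $3
            # minutes and seconds run 00-59, so the class is [0-5][0-9], not [0-2][2-9]
            if (ts !~ /^[A-Za-z][A-Za-z][A-Za-z] [0-9]+ [0-2][0-9]:[0-5][0-9]:[0-5][0-9]$/) next
            # the source address is the token after "from"
            ip = ""
            for (i = 4; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = $(i+1); break }
            if (ip == "") next
            count[ip]++
            last[ip] = ts                       # lines are in time order, so the last seen wins
        }
        END {
            for (ip in count) printf "%s\t%d\t%s\n", ip, count[ip], last[ip]
        }' | sort -k2,2nr
}

# Stand-alone demo; expected first line: 37.141.229.226  3  May 16 06:41:48
printf '%s\n' "$SAMPLE_LOG" | failed_logins "Failed password for root"
```

On a live system the same function runs as `failed_logins "Failed password for root" < /var/log/auth.log`.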