Converting IP addresses recorded by a network server to DNS names

I'm trying to use a bash script to process a network server log file and replace any IP address it finds with the corresponding DNS hostname.

An example of a single entry in the log file looks like this:

<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=192.168.1.6 DST=192.168.1.1 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51 

(For the purposes of the example I have changed all private details on the line above.)

So the two fields above, SRC=192.168.1.6 and DST=192.168.1.1, contain IP addresses that I need to convert to DNS hostnames (I know they are only internal addresses; this is just for the example).

Here is what I have come up with so far for my script:

#!/bin/bash

logFile=$1

while read -r line
do
    for word in $line
    do

            # if word is a SRC=/DST= field holding an ip address, change it to a hostname
            if [[ $word =~ ^(SRC|DST)=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
            then
                    # split "KEY=ip" into the key and the address
                    key=${word%%=*}
                    ip=${word#*=}
                    # reverse lookup; nslookup prints "... name = host.example.com."
                    name=$(nslookup "$ip" 2>/dev/null | awk '/name =/ {print $NF; exit}')
                    # keep the address itself when there is no PTR record
                    echo -n "$key=${name:-$ip}"
                    echo -n " "
            # else print word
            else
                    echo -n "$word"
                    echo -n " "
            fi
    done
    # new line
    echo
done < "$logFile"

The part that confuses me is treating the DST= and SRC= fields as IP addresses: I'm not sure of the syntax to strip the prefix off before the DNS lookup and add it back afterwards, or whether there is a better way?

I searched the forum beforehand and found the following article: Parse all IP addresses from command output using standard command-line tools

However, given the format of my log file, it doesn't seem to work.

Answer 1

@Dave, check the script below:

Sample input file

[mihai@image-host-1 tmp]$ cat demo.log
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=166.78.125.161 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=166.78.125.162 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=166.78.125.163 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=166.78.125.164 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=hostnamesrc DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=166.78.125.164 DST=hostnamedst LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
    <12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=hostnamesrc DST=hostnamedst LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
  • contains valid (DNS-resolvable) IPs
  • contains invalid IPs (*.61, *.63)
  • contains a hostname as SRC

Sample output

[mihai@image-host-1 tmp]$ ./demo.sh demo.log
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=NODNS-166.78.125.161 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=bangimage.com. DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=NODNS-166.78.125.163 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=NODNS-166.78.125.164 DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=hostnamesrc DST=173.194.46.38 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=NODNS-166.78.125.164 DST=hostnamedst LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51
<12>1 2013-11-04T15:04:05+00:00 networkname kernel - - - kernel: [161030.740000] ACCEPT IN=br0 OUT= MAC=00:11:22:33:44:11:00:11:11:11:11:11:11:11 SRC=hostnamesrc DST=hostnamedst LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=30324 DF PROTO=UDP SPT=43729 DPT=53 LEN=51

Actual script

[mihai@image-host-1 tmp]$ cat demo.sh
#!/bin/bash

logFile=$1

while read -r logLine
do
        # For each log line, find the SRC (14th whitespace-separated field)
        # If needed, this can be extended to DST as well
        # ----------------------------------------------
        logSRC=$(echo "$logLine" | awk '{print $14}' | awk -F "=" '{print $2}')
        # echo "SRC = ${logSRC}"

        # Test if SRC is an IP or not
        # ---------------------------
        if [[ ${logSRC} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
        then
                # echo "${logSRC} is IP"

                # Convert IP into hostname via reverse DNS lookup
                # (last field of the `host` output: the PTR name, or "3(NXDOMAIN)" when there is none)
                # -----------------------------------------------
                logSRCHOST=$(host "${logSRC}" | awk '{print $NF}')

                if [[ ${logSRCHOST} =~ 'NXDOMAIN' ]]
                then
                        logSRCHOST="NODNS-${logSRC}"
                fi
        else
                logSRCHOST=${logSRC}

        fi

        # echo "FINAL SRC = ${logSRCHOST}"

        echo "$logLine" | sed -e "s/SRC.*DST/SRC=${logSRCHOST} DST/g"

done < "$logFile"
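As an added example (not the asker's script or either answer's), the script below extends the approach of the answer above to both SRC= and DST=, keeps the key in front of the name, rejects octets above 255, marks unresolvable addresses as NODNS-<ip> like the sample output, and caches lookups so each address hits the resolver once. It assumes `host`, `awk` and `mktemp` are available; `lookup_ptr` can be redefined to use `getent hosts` or a stub.

```shell
#!/bin/sh
# Added example (not the asker's or the answers' code): rewrite SRC=/DST= fields
# of iptables-style log lines to reverse-DNS names. Assumes `host`, `awk`, `mktemp`.
# True only for a dotted quad with four octets in 0..255 (a bare regex accepts 999.1.1.1).
is_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# One reverse lookup via `host`: prints the PTR name, or nothing when there is none.
# Redefine this function to stub DNS in tests or to use `getent hosts` instead.
lookup_ptr() {
    host "$1" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }'
}

# Cached resolution: each IP is looked up once per run; unresolvable ones become NODNS-<ip>.
PTR_CACHE=$(mktemp)
trap 'rm -f "$PTR_CACHE"' EXIT
resolve_ip() {
    name=$(awk -v ip="$1" '$1 == ip { print $2; exit }' "$PTR_CACHE")
    if [ -z "$name" ]; then
        name=$(lookup_ptr "$1")
        [ -n "$name" ] || name="NODNS-$1"
        printf '%s %s\n' "$1" "$name" >> "$PTR_CACHE"
    fi
    printf '%s' "$name"
}

# Rewrite one line: every SRC=<ip> / DST=<ip> token keeps its key; other tokens pass through.
rewrite_line() {
    out=""
    set -f; set -- $1; set +f      # split on whitespace without glob expansion
    for word in "$@"; do
        case $word in
            SRC=*|DST=*)
                key=${word%%=*}; val=${word#*=}
                if is_ipv4 "$val"; then word="$key=$(resolve_ip "$val")"; fi ;;
        esac
        out="${out:+$out }$word"
    done
    printf '%s\n' "$out"
}
# Usage: ./resolve_log.sh /path/to/logfile
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    while IFS= read -r line; do rewrite_line "$line"; done < "$1"
fi
```

Hostnames that already sit in SRC=/DST= (as in the sample input) and tokens such as the empty OUT= pass through unchanged.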

Answer 2

logresolve

If these are Apache logs, you can use the logresolve tool that ships with Apache to do this work for you.

Alternative shell script

I also found this Q&A titled: Replace IPs in logs with hostnames. The accepted answer to that question includes the following shell script for converting IPs to DNS hostnames.

#!/bin/bash

logFile=$1

while read -r line
do
  for word in $line
  do
    # if word is ip address change to hostname
    if [[ $word =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
    then
      # check if ip address is correct (every octet in 0-255)
      OIFS=$IFS
      IFS="."
      ip=($word)
      IFS=$OIFS
      if [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
      then
        # "a.b.c.d.in-addr.arpa domain name pointer host." -> 5th field is the hostname;
        # keep the address itself when there is no PTR record
        name=$(host "$word" 2>/dev/null | awk '/domain name pointer/ {print $5; exit}')
        echo -n "${name:-$word}"
        echo -n " "
      else
        echo -n "$word"
        echo -n " "
      fi
    # else print word
    else
        echo -n "$word"
        echo -n " "
    fi
  done
  # new line
  echo
done < "$logFile"

Save the script above to a file named ip_to_hostname.sh, then run it like this:

$ ./ip_to_hostname.sh your_logfile > resolved_ip
