Replace IP addresses with host names in the log

I am looking for a bash script that reads a log and replaces IP addresses with a hostname. Does anyone know how to do this?

+4
5 answers

The following script should work. You can use it as follows:

save it to ip_to_hostname.sh and then:

    ./ip_to_hostname.sh your_logfile > resol_ip

    #!/bin/bash
    logFile=$1
    set -f    # do not glob-expand log words such as *
    while IFS= read -r line
    do
        for word in $line
        do
            # if word is ip address change to hostname
            if [[ $word =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
            then
                # check if ip address is correct
                OIFS=$IFS
                IFS="."
                ip=($word)
                IFS=$OIFS
                if [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
                then
                    echo -n $(host "$word" | cut -d' ' -f 5)
                    echo -n " "
                else
                    echo -n "$word"
                    echo -n " "
                fi
            # else print word
            else
                echo -n "$word"
                echo -n " "
            fi
        done
        # new line
        echo
    done < "$logFile"
+4

Speaking of IPv4: you can create a list of sed commands from your hosts file:

 sed -rn 's/^(([0-9]{1,3}\.){3}([0-9]{1,3}))[ \t]([^ \t]+)[ \t].*/s#\1#\4#/p' /etc/hosts > hosts.sed 

Then apply it in your log file:

 sed -f hosts.sed LOGFILE 

Of course, your hostnames must be listed in the host file.

Another, reverse approach would be to use logresolve.

From the man page:

    NAME
        logresolve - Resolve IP-addresses to hostnames in Apache log files

    SYNOPSIS
        logresolve [ -s filename ] [ -c ] < access_log > access_log.new

    SUMMARY
        logresolve is a post-processing program to resolve IP-addresses in
        Apache access logfiles. To minimize impact on your nameserver,
        logresolve has its very own internal hash-table cache. This means
        that each IP number will only be looked up the first time it is
        found in the log file.

        Takes an Apache log file on standard input. The IP addresses must
        be the first thing on each line and must be separated from the
        remainder of the line by a space.

So, you can use REGEX to extract all IP addresses, put them 2 times in a new file, once in the first column and convert it using logresolve. Then use this table to create such a sedfile as above.

+1
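
The table idea from the answer above (extract every address, resolve each one once, then rewrite the log), written out as an added example that is not part of the original answer. It validates octets, ignores failed lookups, reduces resolver output to hostname characters because PTR records are set by whoever controls the reverse zone, and replaces whole address tokens only. The function names and the RESOLVER variable are assumptions made for this example.

```shell
RESOLVER=${RESOLVER:-ptr_lookup}    # lookup function; override to stub DNS

# Print the PTR name for an address, or nothing when the lookup fails.
ptr_lookup() { host "$1" 2>/dev/null | awk '/domain name pointer/ {print $NF; exit}'; }

# Succeed only for four dot-separated decimal octets, each 0-255.
valid_ipv4() (
    case $1 in *[!0-9.]*|*..*|.*|*.) exit 1 ;; esac
    IFS=.; set -f; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# stdin: log text. stdout: "ip hostname" lines, one lookup per distinct address.
build_table() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -u | while read -r ip; do
        valid_ipv4 "$ip" || continue
        # Resolver output is untrusted: keep hostname characters only.
        name=$("$RESOLVER" "$ip" | tr -cd 'A-Za-z0-9.-')
        name=${name%.}
        if [ -n "$name" ]; then printf '%s %s\n' "$ip" "$name"; fi
    done
}

# stdin: log text, $1: table file. Replaces whole address tokens, so
# 10.0.0.5 is never rewritten inside 10.0.0.50.
apply_table() {
    awk -v table="$1" '
        BEGIN { while ((getline l < table) > 0) { split(l, f, " "); name[f[1]] = f[2] } }
        {
            out = ""; rest = $0
            while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr(rest, RSTART, RLENGTH)
                out = out substr(rest, 1, RSTART - 1) ((ip in name) ? name[ip] : ip)
                rest = substr(rest, RSTART + RLENGTH)
            }
            print out rest
        }'
}

resolve_log() {    # usage: resolve_log LOGFILE > resolved.log
    table=$(mktemp) || return 1
    build_table < "$1" > "$table"
    apply_table "$table" < "$1"
    rm -f "$table"
}

if [ $# -gt 0 ]; then resolve_log "$1"; fi
```

Addresses that do not resolve are left in place, so the output never loses the original value.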

The decision can be made as follows:

    ip=72.30.38.140
    hostname=$(nslookup $ip | grep name)
    hostname=${hostname#*name = }
    hostname=${hostname%.}

Thus, IP addresses do not have to be in /etc/hosts.

The script itself depends on how your log looks. Can you send an example?

+1

This is a modified version of the wisent script. As a result, I used:

    #!/bin/bash
    logFile=$1
    set -f    # do not glob-expand log words such as *
    while IFS= read -r line
    do
        for word in $line
        do
            # if word is ip address change to hostname
            if [[ $word =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:[0-9]{1,5}$ ]]
            then
                port=$(echo "$word" | sed -e "s/.*://")
                word=$(echo "$word" | sed -e "s/:.*//")
                OIFS=$IFS
                IFS="."
                ip=($word)
                IFS=$OIFS
                # check if ip address is correct and not 192.168.*
                if [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 && ${ip[0]}${ip[1]} -ne 192168 ]]
                then
                    host=$(host "$word" | cut -d' ' -f 5)
                    if [[ $host =~ ^[0-9]{1,3}\(.*\)$ ]] # check for resolver errors
                    then
                        # if the resolver failed
                        echo -n "$word"
                        echo -n ":$port"
                        echo -n " "
                    else
                        # if the resolver worked
                        host=$(echo "$host'" | sed -e "s/\.'//" | sed ':a;N;$!ba;s/.*\n//g') # clean up cut output
                        echo -n "$host"
                        echo -n ":$port"
                        echo -n " "
                    fi
                else
                    # if the ip address isn't correct
                    echo -n "$word"
                    echo -n ":$port"
                    echo -n " "
                fi
            # else print word
            else
                echo -n "$word"
                echo -n " "
            fi
        done
        # new line
        echo
    done < "$logFile"

0

I added this to my .bashrc a while ago ...

    function resolve-hostname-from-ip()
    {
        # require an address argument
        if [ -z "$1" ]
        then
            echo -e "${red}Please provide an ip address...${no_color}"
            return 1
        fi
        echo "" | traceroute "$1" | grep " 1 " | cut -d ' ' -f4 | cut -d '.' -f1
    }

I have predefined terminal colors, so you can omit them if you want. =D

    [ root@somehostname ~ 08:50 AM] $ resolve-hostname-from-ip 111.22.33.444
    someotherhostname

I have successfully tested this on RHEL and SUSE. I have not tested it for IPs outside my domain, though, so I am not 100% sure that it will work in all cases ... I hope this helps =)

0

Source: https://habr.com/ru/post/1402360/
