Log-reading tips

Pull out the IPs in /var/log/secure that had more than three failed logins within a single hour

Splitting each line on spaces and colons, the first two fields are the date (month and day), the third is the hour, and the source IP is the fourth field from the end, $(NF-3), right before "port N ssh2". Using '[ :]+' as the separator collapses the two spaces syslog pads in front of single-digit days; a plain '[ :]' would shift every field by one on those lines. The key is month, day, hour and IP, so the count is per hour, not per minute. Sorting first is unnecessary because awk counts in an associative array.
awk -F '[ :]+' '/Failed/{a[$1" "$2" "$3" "$(NF-3)]++}END{for(i in a)if(a[i]>3)print i}' /var/log/secure
Alternatively, count failures per IP from a given timestamp to the end of the file. Note the two spaces in the timestamp: the pattern must match the log's own padding for days 1 to 9.
s="Jul  7 13:49:08"
sed -n "/$s/,\$p" /var/log/secure | awk '/Failed/{a[$(NF-3)]++}END{for(b in a)if(a[b]>2)print b}'
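Both one-liners above, wrapped into shell functions and run against a constructed log excerpt so the per-hour grouping and the single-digit-day padding can be checked offline. This is an added example, not part of the original post; the sample lines, the function names and the thresholds are assumptions chosen for illustration, and on a real host you would feed the functions `cat /var/log/secure` instead of the embedded sample.

```shell
#!/bin/sh
# Added example: count failed SSH logins in /var/log/secure-style output.
# SAMPLE_LOG is constructed for this example; it is not a real host's log.
# Note the two spaces before single-digit days, as syslog writes them.
SAMPLE_LOG='Jul  7 13:49:08 host sshd[1001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jul  7 13:50:12 host sshd[1002]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Jul  7 13:51:30 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jul  7 13:59:59 host sshd[1004]: Failed password for root from 192.0.2.10 port 40004 ssh2
Jul  7 13:52:00 host sshd[1005]: Failed password for root from 198.51.100.5 port 40005 ssh2
Jul  7 14:01:00 host sshd[1006]: Failed password for root from 198.51.100.5 port 40006 ssh2
Jul  7 14:02:00 host sshd[1007]: Accepted password for alice from 203.0.113.7 port 40007 ssh2
Jul 10 02:00:00 host sshd[1008]: Failed password for root from 203.0.113.7 port 40008 ssh2'

# failed_logins_per_hour THRESHOLD
# Reads log lines on stdin and prints "Mon D HH IP count" for every
# (hour, source IP) pair with more than THRESHOLD failures.
# '[ :]+' collapses runs of separators, so "Jul  7" still yields $2 == "7".
failed_logins_per_hour() {
    awk -v thr="$1" -F '[ :]+' '
        /Failed/ {
            # $1 month, $2 day, $3 hour; $(NF-3) is the IP before "port N ssh2"
            key = $1 " " $2 " " $3 " " $(NF-3)
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] > thr) print k, count[k]
        }' | sort
}

# failures_since TIMESTAMP_REGEX THRESHOLD
# Counts failures per IP from the first line matching TIMESTAMP_REGEX
# to end of input; the regex must include syslog's day padding.
failures_since() {
    sed -n "/$1/,\$p" | awk -v thr="$2" '
        /Failed/ { count[$(NF-3)]++ }
        END { for (ip in count) if (count[ip] > thr) print ip, count[ip] }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_hour 3
printf '%s\n' "$SAMPLE_LOG" | failures_since 'Jul  7 14:' 0
```

Only 192.0.2.10 crosses the threshold of three, because its four failures all fall in hour 13 of Jul 7; 198.51.100.5 has two failures but split across hours 13 and 14, which is exactly the distinction the per-hour key makes. The second function shows that a timestamp pattern written with a single space ("Jul 7") would match nothing in a log padded as "Jul  7".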
