There was an issue with an unknown server sending out emails and getting our public IPs blacklisted; one of my colleagues came up with this line to find what that server was by searching the ASA syslog.
grep 'Built outbound TCP connection' my-asa-log.log | grep '/25' | grep -v 'INSIDE:192.160.10.50' | awk -F " " '{print $15}' | awk -F "/" '{print $1}' | sort | uniq -c
grep 'Built outbound TCP connection' my-asa-log.log
search for outbound connections in the ASA syslog file
grep '/25'
Search for connections to port 25
grep -v 'INSIDE:192.160.10.50'
Remove entries for 192.160.10.50 (the real email server)
awk -F " " '{print $15}'
Print column 15 which was
awk -F "/" '{print $1}'
I think this was the date
sort
Sorts the data alphanumerically so that identical lines are adjacent for uniq
uniq -c
Only shows one instance of an IP address and shows the count of how many times it appeared
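The same hunt written as a script you can run against a log file, added here as an example rather than taken from the post above. It assumes the standard "Mon DD HH:MM:SS host %ASA-6-302013:" syslog prefix (so the INSIDE host is column 15, as in the post) and uses constructed sample lines with documentation addresses; it matches destination port 25 exactly instead of the substring "/25", which also hits ports such as /2525.

```shell
#!/bin/sh
# Constructed sample ASA syslog (not real traffic). For "Built outbound"
# events the OUTSIDE side after "for" is the destination and the INSIDE
# side after "to" is the internal source host.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for OUTSIDE:203.0.113.10/25 (203.0.113.10/25) to INSIDE:192.160.10.50/49152 (198.51.100.5/49152)
Jan 10 12:00:02 fw01 %ASA-6-302013: Built outbound TCP connection 1002 for OUTSIDE:203.0.113.11/25 (203.0.113.11/25) to INSIDE:192.160.10.77/50001 (198.51.100.5/50001)
Jan 10 12:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 1003 for OUTSIDE:203.0.113.12/25 (203.0.113.12/25) to INSIDE:192.160.10.77/50002 (198.51.100.5/50002)
Jan 10 12:00:04 fw01 %ASA-6-302013: Built outbound TCP connection 1004 for OUTSIDE:203.0.113.13/2525 (203.0.113.13/2525) to INSIDE:192.160.10.88/50003 (198.51.100.5/50003)
Jan 10 12:00:05 fw01 %ASA-6-302013: Built outbound TCP connection 1005 for OUTSIDE:203.0.113.14/443 (203.0.113.14/443) to INSIDE:192.160.10.77/50004 (198.51.100.5/50004)
Jan 10 12:00:06 fw01 %ASA-6-302013: Built inbound TCP connection 1006 for OUTSIDE:203.0.113.15/25 (203.0.113.15/25) to INSIDE:192.160.10.99/25 (198.51.100.5/25)
EOF

# smtp_senders LOGFILE [KNOWN_MAIL_HOST]
# Prints "count host" for every inside host, other than the known mail
# server, that opened an outbound TCP connection to port 25, busiest first.
smtp_senders() {
    log="$1"
    known_mail="${2:-INSIDE:192.160.10.50}"   # the legitimate mail server
    grep 'Built outbound TCP connection' "$log" \
      | awk -v skip="$known_mail" '
          # $12 is OUTSIDE:ip/port (destination); require port 25 exactly,
          # since a plain "/25" substring also matches /2525 or /25000.
          $12 ~ "/25$" {
              split($15, src, "/")            # INSIDE:ip/port -> INSIDE:ip
              if (src[1] != skip) count[src[1]]++
          }
          END { for (h in count) print count[h], h }' \
      | sort -rn
}

smtp_senders "$SAMPLE_LOG"   # prints: 2 INSIDE:192.160.10.77
```

Only 192.160.10.77 survives: the mail server is excluded, the /2525 and /443 lines are not port 25, and the inbound line is not an outbound connection.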