Grepping failed connections from OpenLDAP log

Jurjen Bokma

July 2011


Lost connections appear in the OpenLDAP log on lines of their own, and those lines do not show the IP of the host at the other end. They do show the connection number, and the corresponding line recording that the server ACCEPTed the connection does show the IP. To get the IPs of the hosts losing their connections:

  1. user@host:~$ grep -o 'conn=[0-9]* fd=[0-9]* closed (connection lost)' ldap.log|awk '{print $1}'|sort > patterns

    patterns now looks like:

    <snip>
    conn=15381
    conn=22922
    conn=15378
    conn=24178
    <snip>

  2. user@host:~$ grep -o 'conn=[0-9]* fd=[0-9]* ACCEPT from IP=[0-9.]*' ldap.log > ACCEPTS

    (Throw away part of the line to make subsequent greps faster.)

  3. user@host:~$ for LINE in $(cat patterns) ; do grep -w "$LINE" ACCEPTS ; done|grep -o 'IP=[0-9.]*'|awk -F= '{print $2}'|sort|uniq -c|sort -rn > lost

    (The -w keeps a pattern such as conn=1537 from also matching conn=15378.)

    Note

    Using a loop like this appears to be many orders of magnitude faster than using the -f option of grep.
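
The same join can be done in a single pass with awk, shown here as an added example that is not part of the original page. The function names and the sample log lines are constructed, and the example assumes a connection number can repeat within one file (for instance when the log spans a slapd restart), so each lost connection is attributed to the most recent ACCEPT for that number.

```shell
#!/bin/sh
# Added example: one pass over the log instead of one grep per connection.

# Constructed sample lines in slapd's syslog layout (documentation addresses).
sample_log() {
cat <<'EOF'
Jul 12 10:00:01 ldap slapd[1234]: conn=1538 fd=20 ACCEPT from IP=192.0.2.7:40100 (IP=0.0.0.0:389)
Jul 12 10:00:02 ldap slapd[1234]: conn=15381 fd=23 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jul 12 10:00:03 ldap slapd[1234]: conn=15381 fd=23 closed (connection lost)
Jul 12 10:00:04 ldap slapd[1234]: conn=22922 fd=24 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Jul 12 10:00:05 ldap slapd[1234]: conn=22922 fd=24 closed (connection lost)
Jul 12 10:00:06 ldap slapd[1234]: conn=1538 fd=20 closed
Jul 12 10:05:00 ldap slapd[2001]: conn=1538 fd=20 ACCEPT from IP=198.51.100.4:33000 (IP=0.0.0.0:389)
Jul 12 10:05:01 ldap slapd[2001]: conn=1538 fd=20 closed (connection lost)
EOF
}

# Print "<count> <IP>" per peer with lost connections, highest count first.
# Usage: lost_by_ip ldap.log
lost_by_ip() {
    awk '
    # ACCEPT line: remember which IP currently owns this connection number.
    match($0, /conn=[0-9]+ fd=[0-9]+ ACCEPT from IP=[0-9.]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        ip = f[5]; sub(/^IP=/, "", ip)      # f[5] is "IP=a.b.c.d"
        owner[f[1]] = ip                    # exact key, so conn=1538 != conn=15381
        next
    }
    # Lost connection: charge it to the IP that was ACCEPTed under that number.
    match($0, /conn=[0-9]+ fd=[0-9]+ closed \(connection lost\)/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        if (f[1] in owner) { lost[owner[f[1]]]++; delete owner[f[1]] }
        else unknown++                      # ACCEPT is not in this file
    }
    END {
        for (ip in lost) print lost[ip], ip
        if (unknown) print unknown, "unknown"
    }' "$1" | sort -k1,1rn -k2,2
}
```

In the sample, 192.0.2.7 closes cleanly and is not counted, and the reused conn=1538 is charged only to 198.51.100.4.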