C

Linux › Module 5 › Lesson 4

BeginnerModule 5Lesson 4/5

Lab — Hunt Through Logs

Practice grep and pipes on a sample auth log

25 min+40 XP
Module progress4 of 5

Opening

Be the analyst for five minutes

You have a chunk of auth log data. Your job: count failed logins, find who tried root, and save a short report—all with grep, pipes, and redirection.

1. Create Sample Log

mkdir -p ~/cyberlium-lab/logs && cd ~/cyberlium-lab/logs cat > auth-sample.log << 'EOF' Apr 2 10:01:01 server sshd[1001]: Failed password for root from 203.0.113.5 Apr 2 10:01:05 server sshd[1002]: Failed password for admin from 203.0.113.5 Apr 2 10:02:11 server sshd[1003]: Accepted password for analyst from 192.168.1.50 Apr 2 10:03:00 server sshd[1004]: Failed password for root from 198.51.100.9 Apr 2 10:03:02 server sshd[1005]: Failed password for root from 198.51.100.9 EOF

2. Investigation Tasks

1. Count all "Failed password" lines: grep "Failed password" auth-sample.log | wc -l 2. Show only failures targeting root: grep "Failed password for root" auth-sample.log 3. Save root failures to a report file: grep "Failed password for root" auth-sample.log > root-failures.txt cat root-failures.txt 4. Bonus: unique attacking IPs (advanced): grep "Failed password" auth-sample.log | awk '{print \$(NF-1)}' | sort -u

Complete Log Hunt Lab

Finish tasks 1–3. Your root-failures.txt should list two root failure lines. Understand what each pipe and grep does—not just copy-paste.

← Previous