The goal here is to craft a query whereby an IP address is supplied, and the result returned is a list of all URLs accessed. The syslog file is a text file, tab-delimited, in the following format:
2008-05-21 08:49:58 Local6.Notice 10.13.30.2 %PIX-5-304001: 10.17.90.10 Accessed URL 206.190.50.59:/serv?s=150550015&dm=&t=0.9166543242483984&t_e=1
2008-05-21 08:49:59 Local6.Notice 10.13.30.2 %PIX-5-304001: 10.17.40.58 Accessed URL 65.175.87.137:/a/hBINA-xAdIUrHB7REIJBNCvLK.AdIUrHSd/spacer-1.gif
2008-05-21 08:49:59 Local6.Info 10.13.30.2 %PIX-6-302014: Teardown TCP connection 122281117 for outside:65.175.87.137/80 to inside:10.17.40.58/2385 duration 0:00:01 bytes 804 TCP FINs
2008-05-21 08:50:00 Local6.Info 10.13.30.2 %PIX-6-305011: Built dynamic TCP translation from inside:10.17.50.70/1614 to outside:216.185.22.100/47811
2008-05-21 08:50:00 Local6.Info 10.13.30.2 %PIX-6-302013: Built outbound TCP connection 122281118 for outside:206.16.21.33/80 (206.16.21.33/80) to inside:10.17.50.70/1614 (216.185.22.100/47811)
2008-05-21 08:50:00 Local6.Info 10.13.30.2 %PIX-6-305011: Built dynamic TCP translation from inside:10.17.50.70/1615 to outside:216.185.22.100/47812
The query is something along the lines of:
LogParser -i:TSV -iSeparator:tab -headerRow:OFF "SELECT * FROM file\path WHERE Field4 LIKE '%inside:10.17.90.78%'"
Field4 returns the "%" sign and everything to the right of it. I guess what I need is to tokenize the string and search for IPs, but I am not sure how to go about that.
Any ideas greatly appreciated.
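One way to do the tokenizing the post asks about, written here as an added Python example rather than anything from the original post: each tab-delimited line is split into fields, only the %PIX-5-304001 "Accessed URL" messages are kept, and the inside host is compared exactly, so a query for 10.17.90.1 does not also return 10.17.90.10 the way a substring LIKE would. The function names parse_line and urls_for_host are my own, and the sample lines are constructed in the layout shown above.

```python
import re

# Constructed sample in the tab-delimited PIX syslog layout shown in the post
# (date+time, facility.severity, relay, message); the last line is an extra one added here.
SAMPLE_LOG = (
    "2008-05-21 08:49:58\tLocal6.Notice\t10.13.30.2\t%PIX-5-304001: 10.17.90.10 Accessed URL "
    "206.190.50.59:/serv?s=150550015&dm=&t=0.9166543242483984&t_e=1\n"
    "2008-05-21 08:49:59\tLocal6.Notice\t10.13.30.2\t%PIX-5-304001: 10.17.40.58 Accessed URL "
    "65.175.87.137:/a/hBINA-xAdIUrHB7REIJBNCvLK.AdIUrHSd/spacer-1.gif\n"
    "2008-05-21 08:49:59\tLocal6.Info\t10.13.30.2\t%PIX-6-302014: Teardown TCP connection 122281117 "
    "for outside:65.175.87.137/80 to inside:10.17.40.58/2385 duration 0:00:01 bytes 804 TCP FINs\n"
    "2008-05-21 08:50:01\tLocal6.Notice\t10.13.30.2\t%PIX-5-304001: 10.17.90.10 Accessed URL "
    "65.175.87.137:/index.html\n"
)

# %PIX-5-304001 is the "Accessed URL" message: "<inside host> Accessed URL <url>"
ACCESSED_URL = re.compile(r"^%PIX-5-304001: (\S+) Accessed URL (\S+)$")

def parse_line(line):
    """Tokenize one tab-delimited syslog line into (timestamp, message), or None.
    The message is found as the first field starting with '%' instead of by a fixed
    index, so it works whether date and time are one tab field or two."""
    fields = line.rstrip("\r\n").split("\t")
    for i, field in enumerate(fields):
        if field.startswith("%"):
            # Re-join anything past the message field in case the URL itself held a tab.
            return fields[0], "\t".join(fields[i:])
    return None

def urls_for_host(log_text, host):
    """Return [(timestamp, url), ...] for every URL `host` accessed, in log order.
    The host is compared exactly: a substring test such as LIKE '%10.17.90.1%'
    would also match 10.17.90.10, 10.17.90.11, ... and pad the result."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        timestamp, message = rec
        m = ACCESSED_URL.match(message)
        if m and m.group(1) == host:
            results.append((timestamp, m.group(2)))
    return results

if __name__ == "__main__":
    for ts, url in urls_for_host(SAMPLE_LOG, "10.17.90.10"):
        print(ts, url)
```

To run it against the real file, replace SAMPLE_LOG with the contents of the syslog file read as text; lines that are not Accessed URL messages (teardowns, translations) are skipped.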