How to use grep in way, where I can only get the word I want from a textfile?

Question

I am trying to grep /var/log/secure to find the unique IP addresses that tried to use my instance. Every time, I try to grep I get the lines where the IP is located. How can I grep in a way where I just get the IP I want and store it in a text file. I'll post examples to clarify what I am looking for.

This is a sample /var/log/secure file:

Oct  9 22:45:48 ip-172-26-14-23 sshd[18080]: Disconnected from 34.101.251.82 port 59344 [preauth]
Oct  9 22:46:41 ip-172-26-14-23 sshd[18082]: Did not receive identification string from 209.17.97.18 port 64550
Oct  9 22:47:23 ip-172-26-14-23 sshd[18083]: Connection closed by 74.120.14.52 port 44578 [preauth]
Oct  9 22:54:03 ip-172-26-14-23 sshd[18088]: Invalid user cisco from 106.13.233.5 port 44180
Oct  9 22:54:03 ip-172-26-14-23 sshd[18088]: input_userauth_request: invalid user cisco [preauth]
Oct  9 22:54:03 ip-172-26-14-23 sshd[18088]: Received disconnect from 106.13.233.5 port 44180:11: Bye Bye [preauth]
Oct  9 22:54:03 ip-172-26-14-23 sshd[18088]: Disconnected from 106.13.233.5 port 44180 [preauth]
Oct  9 22:56:53 ip-172-26-14-23 sshd[18090]: reverse mapping checking getaddrinfo for reaia.tumblles.com [141.98.9.32] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct  9 22:56:54 ip-172-26-14-23 sshd[18090]: Connection closed by 141.98.9.32 port 34537 [preauth]
Oct  9 22:56:57 ip-172-26-14-23 sshd[18092]: reverse mapping checking getaddrinfo for kei.tumblles.com [141.98.9.33] failed - POSSIBLE BREAK-IN ATTEMPT!

So what I want is to grep var/log/secure and just print the unique ips that tried to use my instance in a textfile like this:

**Desired output:**
34.101.251.82
74.120.14.52
106.13.233.5
141.98.9.32
So on....
I might have missed some but you get the idea.

when I try to grep the file with the command: sudo grep 'from' /var/log/secure | awk {print $2} > ips.out. I get the following output to the file.

9
9
9
9
9
9
9
so on....

9 is the date The ideology behind the input is that the word "from" is next to the ip address. So grep should go there and print the word next it with awk{print $2}.

However, I want to extract all IPS from anywhere in the file, not just the IPS after "from". What I did above is the only way I could do it at the moment. I was thinking to run multiple commands and make a bash script that gets Ips from all locations.

PS: I only want IPs after from!

Answer 1

You can do it using positive look behind with grep, you have to use -P for Perl-compatible regular expressions, also -o prints only the matched string.

> grep -Po "(?<=from )[0-9]{1,3}(\.[0-9]{1,3}){3}" file
34.101.251.82 
209.17.97.18 
106.13.233.5 
106.13.233.5 
106.13.233.5 

The initial part inside parentheses, the "from ", will be first matched, but ignored for the -o option, only the part after that will be considered.

This part is a simple expression to match an IP, meaning:

[0-9]{1,3}     (\.       [0-9]{1,3}) {3}
1-3 digits and (dot with 1-3 digits) {3 times more}

that's 4 numbers with maximum 3 digits, separated by dots.

See more about matching an IP into this question

Answer 2

Based on shown samples only, could you please try following, written and tested in following link https://ideone.com/bQGspU

awk '
BEGIN{
  FS="from[[:space:]]+|[[:space:]]+port"
}
$2~/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/{
  print $2
}
' Input_file

Answer 3

with GNU awk multi-char RS

awk -v RS="[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}" 'RT{print RT}' file

34.101.251.82
209.17.97.18
74.120.14.52
106.13.233.5
106.13.233.5
106.13.233.5
141.98.9.32
141.98.9.32
141.98.9.33
141.98.9.33

and the uniq command removes the adjacent duplicate lines

$ awk -v RS="[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}" 'RT{print RT}' file | uniq
34.101.251.82
209.17.97.18
74.120.14.52
106.13.233.5
141.98.9.32
141.98.9.33