Question

I have a squid log, and I have to find out the users who are logged in from two different IPs (their password may be compromised).

I have extracted three fields (user, time, IP) from the log and stored them in another file:

1110104 1397367240.280 172.27.71.14
1110104 1397367242.439 172.27.71.14
1110104 1397367245.805 172.27.71.14
1110104 1397367246.120 172.27.71.14
1110104 1397367249.770 172.27.71.14
1110104 1397367255.125 172.27.71.14
1110104 1397367255.503 172.27.71.13
1110104 1397367257.255 172.27.71.13
1110104 1397367257.596 172.27.71.13
1110104 1397367257.956 172.27.71.14
1110104 1397367258.353 172.27.71.14
1110104 1397367258.698 172.27.71.14
1110104 1397367259.079 172.27.71.14
1110104 1397367260.879 172.27.71.14
1110104 1397367260.880 172.27.71.14
1110104 1397367261.250 172.27.71.14
1110104 1397367261.254 172.27.71.14
1110104 1397367264.594 172.27.71.13
1110104 1397367264.620 172.27.71.13
1110104 1397367264.948 172.27.71.14
1110104 1397367264.960 172.27.71.14
1110104 1397367265.331 172.27.71.14
1110104 1397367265.340 172.27.71.14
1110104 1397367265.710 172.27.71.14
1110104 1397367266.072 172.27.71.14
1110104 1397367266.157 172.27.71.14
1110104 1397367266.420 172.27.71.14

Now, since there are millions of lines like this, my approach is taking hours:

firstLine=`cat data.log | head -1`

# reference line: the first entry seen for the current user
user1=`echo $firstLine | cut -d " " -f1`
time1=`echo $firstLine | cut -d " " -f2 | cut -d "." -f1`
ip1=`echo $firstLine | cut -d " " -f3`

while read -r line; do
    user2=`echo $line | cut -d " " -f1`
    time2=`echo $line | cut -d " " -f2 | cut -d "." -f1`
    ip2=`echo $line | cut -d " " -f3`
    if [ "$user1" = "$user2" ] && [ "$ip1" != "$ip2" ] && [ $(($time2-$time1)) -lt 600 ]  # time diff is less than 10 minutes
    then
        echo "user "$user1
        echo "at "`date -d @$time1` " using "$ip1 " and after "$(($time2-$time1))" seconds using "$ip2
    elif [ "$user1" != "$user2" ]
    then
        # new user: make this line the reference line
        user1=$user2
        time1=$time2
        ip1=$ip2
    fi
done < data.log

After processing, I want the output to list the users who are logged in from different IPs, e.g.

user 1110104 
at jan 18 12:33:12 (full date time).... using 172.27.71.14 and after 5 seconds using 172.27.71.13

That means two people are using the very same user name and password from two different IPs.

I hope it'll make the question more clear.


Solution

What you want to do is

  1. sort the lines by user id and time
  2. iterate over the lines; if adjacent lines have different IPs, consider the time delta

Untested code

sort -k1,1 -k2,2n datafile \
  | awk 'BEGIN { user="" ; ip="" ; time=0 }
         $1 != user { user=$1 ; ip=$3 ; time=$2 ; next }      # new user: reset the reference entry
         $3 != ip && $2-time < 600 { print $0,"vs.",ip,"@",time } # different IP within 10 minutes
         { time=$2 ; ip=$3 }'

This will likely need some tinkering though.
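The sort-then-compare-adjacent-lines approach above, worked through as an added example that is not part of the question or the answer. It assumes the asker's three-column "user epoch.fraction ip" file and POSIX sh plus awk, keeps timestamps as epoch seconds, and reports each user/IP pair only once instead of on every switch back and forth:

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the asker's
# "user epoch.fraction ip" lines and a POSIX sh with sort and awk available.

# Report each user whose consecutive entries (after sorting by user, then time)
# come from two different IPs less than $2 seconds apart (default 600).
# Each unordered user/IP pair is reported once, at its first occurrence.
find_ip_switches() {
    sort -k1,1 -k2,2n "$1" | awk -v window="${2:-600}" '
        $1 != user { user = $1; ip = $3; time = $2; next }  # new user: reset state
        $3 != ip && ($2 - time) < window {
            a = ip; b = $3
            if (a > b) { t = a; a = b; b = t }               # order the pair so A->B and B->A match
            key = user SUBSEP a SUBSEP b
            if (!(key in seen)) {
                seen[key] = 1
                printf "user %s at %d using %s and after %d seconds using %s\n",
                       user, time, ip, $2 - time, $3
            }
        }
        { time = $2; ip = $3 }'
}

# Constructed sample, deliberately out of order to show that sorting matters:
# 1110104 switches IP within 15 s, 2220105 switches after 900 s, 3330106 never.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2220105 1397367000.000 10.0.0.5
1110104 1397367255.503 172.27.71.13
3330106 1397367100.000 10.0.0.7
1110104 1397367240.280 172.27.71.14
2220105 1397367900.000 10.0.0.6
1110104 1397367257.956 172.27.71.14
3330106 1397367150.000 10.0.0.7
EOF
    printf '%s\n' "$f"
}

find_ip_switches "$(write_sample_log)"
# prints: user 1110104 at 1397367240 using 172.27.71.14 and after 15 seconds using 172.27.71.13
```

Pass a larger window as the second argument to widen the match; a user seen from many IPs still produces one line per distinct pair, which keeps the report readable on millions of input lines.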

Licensed under: CC-BY-SA with attribution