
Category: Snippet

  • How to parse a log file for unique krb5 basic authentications

    April 6, 2022

    A handy one-liner for parsing krb5 basic auth attempts from an Apache log file.


    The command below parses a series of historic apache2 log files and returns a list of unique, fully-qualified, alphabetically sorted Kerberos usernames that logged in using Basic HTTP authentication. It’s assumed that you have the krb5 module installed for Apache. `DATE` is a shell variable holding the date string to match, so it is double-quoted to let the shell expand it.

    zcat error.log*gz | grep "$DATE" | grep 'kerb_authenticate_user_krb5pwd' | awk '{ print $14 }' | sort -u | sed -E 's/user=//'

    Results in:

    userA@DOMAIN
    userB@DOMAIN
    userC@DOMAIN
    userD@DOMAIN
    userE@DOMAIN
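
A variant of the one-liner that does not depend on the username being the 14th whitespace-separated field, and that also counts matching lines per principal. This is an added example, not code from the original post; the function names, the `Apr 06` date string and the sample log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Sample lines are constructed; their layout is an assumption.
LC_ALL=C; export LC_ALL

write_sample_log() {   # $1 = path to write the constructed sample to
    cat > "$1" <<'EOF'
[Wed Apr 06 09:00:01 2022] [auth_kerb:debug] [pid 101] mod_auth_kerb.c: [client 192.0.2.10:50000] kerb_authenticate_user_krb5pwd ret=0 user=userB@DOMAIN authtype=Basic
[Wed Apr 06 09:05:12 2022] [debug] [client 192.0.2.11] kerb_authenticate_user_krb5pwd ret=0 user=userA@DOMAIN authtype=Basic
[Wed Apr 06 09:07:30 2022] [debug] [client 192.0.2.10] kerb_authenticate_user_krb5pwd ret=0 user=userB@DOMAIN authtype=Basic
[Wed Apr 06 09:08:00 2022] [debug] [client 192.0.2.12] unrelated_message user=userZ@DOMAIN
[Thu Apr 07 10:00:00 2022] [debug] [client 192.0.2.13] kerb_authenticate_user_krb5pwd ret=0 user=userC@DOMAIN authtype=Basic
EOF
}

krb5_basic_users() {   # $1 = date string, remaining args = log files (.gz or plain)
    date_str=$1; shift
    for f in "$@"; do
        case $f in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done |
    grep -F -- "$date_str" |
    grep -F 'kerb_authenticate_user_krb5pwd' |
    awk '{
        # Find the user= token wherever it sits, instead of assuming $14.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^user=/) { sub(/^user=/, "", $i); seen[$i]++; break }
    }
    END { for (u in seen) print seen[u], u }' |
    sort -k2,2
}

# Demo on the constructed sample: prints "<count> <principal>" per user.
sample=$(mktemp)
write_sample_log "$sample"
krb5_basic_users 'Apr 06' "$sample"
rm -f "$sample"
```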