CompTIA Linux+ XK0-006 (V8) Practice Question

The correct command is grep "Failed password" /var/log/secure | awk '{print $1, $2, $3, $11}'.

Here's the breakdown:

• grep "Failed password" /var/log/secure first filters the log file to show only the lines containing the phrase "Failed password".
• The output of grep is then piped to awk.
• awk '{print $1, $2, $3, $11}' processes each line it receives. awk is a powerful tool for handling field-separated data. By default, it uses any sequence of whitespace as a delimiter, which makes it very robust for parsing log files where the number of spaces between fields can vary. It prints the first three fields ($1, $2, $3), which constitute the timestamp, and the eleventh field ($11), which is the source IP address.

Incorrect options explained:

• grep "Failed password" /var/log/secure | cut -d' ' -f1-3,11 is incorrect because cut with a single space delimiter (-d' ') is not reliable for parsing log files. If there are multiple spaces between fields, cut will treat them as empty fields, leading to incorrect output.
• awk '/Failed password/ {print $0}' /var/log/secure is incorrect because it does not perform the required extraction. The pattern /Failed password/ correctly filters the lines, but the action {print $0} prints the entire line ($0), not just the specific fields requested.
• sed -n '/Failed password/p' /var/log/secure is incorrect because, like the previous awk command, it only selects and prints the entire matching lines. sed can be used to extract parts of a line with complex regular expressions, but it is not the most direct or effective tool for field-based extraction compared to awk.