GNU grep

grep prints lines that contain a match for a pattern. The general synopsis of the grep command line is grep options pattern input_file_names

There can be zero or more options. pattern will only be seen as such (and not as an input_file_name ) if it wasn’t already specified within options (by using the ‘ -e pattern ’ or ‘ -f file’ options). There can be zero or more input_file_names.

Matching Control

-e pattern
--regexp= pattern

Use pattern as the pattern. This can be used to specify multiple search patterns, or to protect a pattern beginning with a ‘ - ’. (-e is specified by POSIX.)

-f file
--file= file

Obtain patterns from file, one per line. The empty file contains zero patterns, and therefore matches nothing. (-f is specified by POSIX.)

-i
-y
--ignore-case

Ignore case distinctions, so that characters that differ only in case match each other. Although this is straightforward when letters differ in case only via lowercase-uppercase pairs, the behavior is unspecified in other situations. For example, uppercase “S” has an unusual lowercase counterpart “ſ” (Unicode character U+017F, LATIN SMALL LETTER LONG S) in many locales, and it is unspecified whether this unusual character matches “S” or “s” even though uppercasing it yields “S”. Another example: the lowercase German letter “ß” (U+00DF, LATIN SMALL LETTER SHARP S) is normally capitalized as the two-character string “SS” but it does not match “SS”, and it might not match the uppercase letter “ẞ” (U+1E9E, LATIN CAPITAL LETTER SHARP S) even though lowercasing the latter yields the former.

-y is an obsolete synonym that is provided for compatibility. (-i is specified by POSIX.)
-v
--invert-match

Invert the sense of matching, to select non-matching lines. (-v is specified by POSIX.)

-w
--word-regexp

Select only those lines containing matches that form whole words. The test is that the matching substring must either be at the beginning of the line, or preceded by a non-word constituent character. Similarly, it must be either at the end of the line or followed by a non-word constituent character. Word-constituent characters are letters, digits, and the underscore. This option has no effect if -x is also specified.

-x

--line-regexp

Select only those matches that exactly match the whole line. For a regular expression pattern, this is like parenthesizing the pattern and then surrounding it with ‘ ^ ’ and ‘ $’. (-x is specified by POSIX.) 

Examples: 

to find authentication logs for “root” on an debian system:

# grep "root" /var/log/auth.log

For example, we can see that when someone failed to login as an admin, they also failed the reverse mapping which means they might not have a valid domain name.

# grep -B 3 -A 2 'Invalid user' /var/log/auth.log

To find authentication logs at current system date

# grep  "$(date +%b) $(date +%e)" /var/log/auth.log | grep 'fail\|preauth'

To find authentication logs at current system hour 

# grep  "$(date +%b) $(date +%e) $(date +%H:)" /var/log/auth.log

To find mail logs at current system date

# grep  "$(date +%b) $(date +%e)" /var/log/mail.info

To find mail logs at one hour before current system date

# grep  "$(date --date="1 hours ago" +%b) $(date --date="1 hours ago" +%e)" /var/log/mail.info

A list of date command field descriptors from http://www.cyberciti.biz/faq/unix-linux-bash-get-time/ (as a copy)

%% a literal %   %a locale's abbreviated weekday name (e.g., Sun)   %A locale's full weekday name (e.g., Sunday)   %b locale's abbreviated month name (e.g., Jan)   %B locale's full month name (e.g., January)   %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005)   %C century; like %Y, except omit last two digits (e.g., 20)   %d day of month (e.g., 01)   %D date; same as %m/%d/%y   %e day of month, space padded; same as %_d   %F full date; same as %Y-%m-%d   %g last two digits of year of ISO week number (see %G)   %G year of ISO week number (see %V); normally useful only with %V   %h same as %b   %H hour (00..23)   %I hour (01..12)   %j day of year (001..366)   %k hour, space padded ( 0..23); same as %_H   %l hour, space padded ( 1..12); same as %_I   %m month (01..12)   %M minute (00..59)   %n a newline   %N nanoseconds (000000000..999999999) %p locale's equivalent of either AM or PM; blank if not known   %P like %p, but lower case   %r locale's 12-hour clock time (e.g., 11:11:04 PM)   %R 24-hour hour and minute; same as %H:%M   %s seconds since 1970-01-01 00:00:00 UTC   %S second (00..60)   %t a tab   %T time; same as %H:%M:%S   %u day of week (1..7); 1 is Monday   %U week number of year, with Sunday as first day of week (00..53)   %V ISO week number, with Monday as first day of week (01..53)   %w day of week (0..6); 0 is Sunday   %W week number of year, with Monday as first day of week (00..53)   %x locale's date representation (e.g., 12/31/99)   %X locale's time representation (e.g., 23:13:48)   %y last two digits of year (00..99)   %Y year   %z +hhmm numeric time zone (e.g., -0400)   %:z +hh:mm numeric time zone (e.g., -04:00)   %::z +hh:mm:ss numeric time zone (e.g., -04:00:00)   %:::z numeric time zone with : to necessary precision (e.g., -04, +05:30)   %Z alphabetic time zone abbreviation (e.g., EDT) By default, date pads numeric fields with zeroes. The following optional flags may follow '%':   - (hyphen) do not pad the field   _ (underscore) pad with spaces   0 (zero) pad with zeros   ^ use upper case if possible   # use opposite case if possible

References:

• http://www.gnu.org/software/grep/manual/grep.html 
• https://www.loggly.com/ultimate-guide/analyzing-linux-logs/ 
• http://www.cyberciti.biz/faq/unix-linux-bash-get-time/