Bash Scripting for Security: Log Parsing, Automation, and Recon
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Bash is the lingua franca of Linux systems, and most security work happens on Linux. Whether you are parsing logs during an incident, automating reconnaissance, or chaining tools together during a pentest, Bash scripting gets results fast. You do not need to be a Bash expert, but you need enough proficiency to build useful tools quickly.
Log Parsing
Security analysts spend significant time in logs. Bash’s text processing tools — grep, awk, sed, sort, uniq, cut — handle most log analysis tasks without loading data into a SIEM.
Find failed SSH logins and count by source IP:
```bash
# The source IP is the fourth field from the end of the line
# ("... from <ip> port <n> ssh2")
grep "Failed password" /var/log/auth.log | \
  awk '{print $(NF-3)}' | \
  sort | uniq -c | sort -rn | head -20
```
Extract all unique IP addresses from an Apache access log:
```bash
awk '{print $1}' /var/log/apache2/access.log | sort -u
```
Find all 4xx and 5xx HTTP responses with timestamps:
```bash
# In the combined log format $4 is the timestamp, $7 the request path
# and $9 the HTTP status code
awk '$9 ~ /^[45]/ {print $4, $7, $9}' /var/log/apache2/access.log
```
For JSON-structured logs, use jq:
```bash
jq -r 'select(.level == "ERROR") | "\(.timestamp) \(.message)"' application.log
```
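As an added example (not code from the original article), the failed-login pipeline above wrapped in a function that only reports source IPs at or above a threshold, run over constructed auth.log lines; the hostnames and addresses in the sample are made up:

```bash
#!/bin/bash
# Added example: count failed SSH logins per source IP and report only the
# sources that reach a threshold. The log lines below are constructed.
set -euo pipefail

# Constructed sample of /var/log/auth.log lines (not from a real system)
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Feb 28 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Feb 28 10:01:04 host sshd[1202]: Failed password for root from 203.0.113.10 port 51123 ssh2
Feb 28 10:01:05 host sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Feb 28 10:01:07 host sshd[1204]: Failed password for invalid user test from 203.0.113.10 port 51124 ssh2
Feb 28 10:02:11 host sshd[1205]: Failed password for invalid user oracle from 192.0.2.55 port 60010 ssh2
Feb 28 10:02:15 host sshd[1206]: Failed password for root from 203.0.113.10 port 51125 ssh2
EOF
)

# Print "<count> <ip>" for each source IP with at least $2 failed logins,
# busiest first. $1 is the log file, or "-" for stdin.
failed_logins_over() {
  logfile="$1"; threshold="${2:-3}"
  grep "Failed password" "$logfile" \
    | awk '{print $(NF-3)}' \
    | sort | uniq -c | sort -rn \
    | awk -v t="$threshold" '$1 >= t {print $1, $2}'
}

# Run the detector over the constructed sample with the given threshold
detect_sample() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_over - "${1:-3}"
}

detect_sample 3
```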
Automation Scripts
Automate repetitive security tasks to eliminate manual errors and save time.
File integrity check using checksums:
```bash
#!/bin/bash
# Compare current hashes of /etc against a previously saved baseline;
# any line printed is a file that changed, appeared or disappeared
BASELINE="/var/security/baseline_hashes.txt"
find /etc -type f -exec sha256sum {} \; > /tmp/current_hashes.txt
diff "$BASELINE" /tmp/current_hashes.txt | grep "^[<>]"
```
Certificate expiration monitor:
```bash
#!/bin/bash
DOMAINS=("example.com" "api.example.com" "admin.example.com")
WARN_DAYS=30
for domain in "${DOMAINS[@]}"; do
  # Fetch the served certificate (with SNI) and read its notAfter date
  expiry=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null | \
    openssl x509 -noout -enddate | cut -d= -f2)
  if [ -z "$expiry" ]; then
    echo "ERROR: could not fetch certificate for $domain" >&2
    continue
  fi
  exp_epoch=$(date -d "$expiry" +%s)   # GNU date syntax
  now_epoch=$(date +%s)
  days_left=$(( (exp_epoch - now_epoch) / 86400 ))
  if [ "$days_left" -lt "$WARN_DAYS" ]; then
    echo "WARNING: $domain expires in $days_left days"
  fi
done
```
Recon Scripts
During penetration tests, Bash scripts chain tools together for efficient reconnaissance:
Subdomain enumeration and live host detection:
```bash
#!/bin/bash
TARGET="${1:?Usage: $0 <domain>}"
# Gather subdomains from multiple sources
subfinder -d "$TARGET" -silent > subs.txt
amass enum -passive -d "$TARGET" -o amass_subs.txt 2>/dev/null
cat subs.txt amass_subs.txt | sort -u > all_subs.txt
# Check which are alive
httpx -l all_subs.txt -silent -o live_hosts.txt
echo "Found $(wc -l < live_hosts.txt) live hosts"
```
Port scan result processor:
```bash
#!/bin/bash
# Parse nmap XML output (-oX) for open TCP ports
xmllint --xpath '//port[@protocol="tcp"]/state[@state="open"]/..' nmap_output.xml | \
  grep -oP 'portid="\K[^"]+' | sort -n
```
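An added example (not from the article) that does the same job with awk alone, so it works where xmllint or grep -P are unavailable, and also reports the host and service name per open TCP port. The XML is a constructed, trimmed nmap -oX fragment with made-up addresses:

```bash
#!/bin/bash
# Added example: summarise open TCP ports per host from nmap XML using
# only awk. The XML below is constructed, not real scan output.
set -eu

SAMPLE_NMAP_XML='<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
</ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>'

# Print "<host> <port>/tcp <service>" for every open TCP port in an nmap
# XML file ($1). nmap writes each <port> element on its own line, so the
# state and service can be read from the same line as the port id.
open_tcp_ports() {
  awk '
    /<address / && /addrtype="ipv4"/ {
      match($0, /addr="[^"]+"/); host = substr($0, RSTART+6, RLENGTH-7)
    }
    /<port / && /protocol="tcp"/ && /state="open"/ {
      match($0, /portid="[0-9]+"/); port = substr($0, RSTART+8, RLENGTH-9)
      svc = "unknown"
      if (match($0, /<service name="[^"]+"/)) svc = substr($0, RSTART+15, RLENGTH-16)
      print host, port "/tcp", svc
    }' "$1"
}

# Run the parser over the constructed XML
summarise_sample() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_NMAP_XML" > "$f"
  open_tcp_ports "$f"
  rm -f "$f"
}

summarise_sample
```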
Tool Chaining
The real power of Bash in security is piping output between tools. Feed Nmap results into Nikto, parse Burp exports with jq, or correlate firewall logs with threat intelligence feeds using comm and join.
Write your scripts with error handling. Check return codes, validate inputs, and handle missing files:
```bash
#!/bin/bash
set -euo pipefail
if [ $# -ne 1 ]; then
  echo "Usage: $0 <file>" >&2
  exit 1
fi
if [ ! -r "$1" ]; then
  echo "Error: cannot read $1" >&2
  exit 1
fi
```
`set -e` exits on errors, `set -u` catches undefined variables, `set -o pipefail` catches failures in pipes. These three flags prevent silent failures that lead to incorrect results.
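An added example (not from the article) that ties the file integrity check, the comm/join correlation and the error-handling flags together: instead of a raw diff of two sha256sum lists, it classifies each path as added, removed or modified. The hash lists are constructed and the digests are placeholders; paths are assumed to contain no spaces:

```bash
#!/bin/bash
# Added example: classify differences between a baseline and a current
# sha256sum list ("<hash>  <path>") as added, removed or modified paths.
# Sample lists are constructed; the digests are placeholders.
set -euo pipefail
export LC_ALL=C   # one collation order for sort, comm and join

BASELINE_HASHES='aaaa  /etc/hosts
bbbb  /etc/passwd
cccc  /etc/ssh/sshd_config
dddd  /etc/old.conf'
CURRENT_HASHES='aaaa  /etc/hosts
bbbb  /etc/passwd
eeee  /etc/ssh/sshd_config
ffff  /etc/new.conf'

# Print sorted "added|removed|modified <path>" lines for two hash files.
# comm and join need input sorted on the join field, so both lists are
# rewritten as "<path> <hash>" and sorted on the path first.
classify_changes() {
  baseline="$1"; current="$2"
  [ -f "$baseline" ] && [ -f "$current" ] || { echo "missing input file" >&2; return 1; }
  tmpdir=$(mktemp -d)
  awk '{print $2, $1}' "$baseline" | sort -k1,1 > "$tmpdir/b"
  awk '{print $2, $1}' "$current"  | sort -k1,1 > "$tmpdir/c"
  cut -d' ' -f1 "$tmpdir/b" > "$tmpdir/bpaths"
  cut -d' ' -f1 "$tmpdir/c" > "$tmpdir/cpaths"
  {
    comm -13 "$tmpdir/bpaths" "$tmpdir/cpaths" | sed 's/^/added /'     # only in current
    comm -23 "$tmpdir/bpaths" "$tmpdir/cpaths" | sed 's/^/removed /'   # only in baseline
    join -j 1 "$tmpdir/b" "$tmpdir/c" | awk '$2 != $3 {print "modified", $1}'
  } | sort
  rm -rf "$tmpdir"
}

# Run the classifier over the constructed lists
classify_sample() {
  d=$(mktemp -d)
  printf '%s\n' "$BASELINE_HASHES" > "$d/baseline.txt"
  printf '%s\n' "$CURRENT_HASHES" > "$d/current.txt"
  classify_changes "$d/baseline.txt" "$d/current.txt"
  rm -rf "$d"
}

classify_sample
```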
Related Career Paths
Bash scripting proficiency maps to SOC Analyst and Penetration Tester career paths. Both roles use Bash daily for log analysis, automation, and tool orchestration.
Next Steps
- Test your scripting skills with the skills assessment
- Browse the skills library for related automation and Linux topics
- Use the coaching tool to build a hands-on scripting practice plan
Related Guides in This Series
- PowerShell for Security: AD Management, Log Analysis, and Blue Team Scripts
- Problem Solving for Security: Root Cause Analysis and Debugging
- Python for Security: Tooling, Automation, and Exploit Development
Take the Next Step
Browse 80+ skills on HADESS.
See your certification roadmap.
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
---
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
