Apache

Request per hour

cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

Request per hour by date

grep "23/Jan" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

Request per hour by IP

grep "XX\.XX\.XX\.XX" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

Requests per minute

cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

Requests per minute for date

 grep "02/Nov/2017" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

Requests per minute for url

grep "[url]" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

Request per IP per minute

grep "XX.XX.XX.XX" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

Sort uniq IP address in from Apache log

cat access.log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20

Sort uniq IP address in from Apache log and show IP location and Organization

Usage:

./script.sh access_ssl_log

#!/bin/bash

cat $1 | cut -f1 -d' ' | sort -n | uniq -c | sort -nr | head -20 > ip.tmp
printf "COUNT\tADDRESS\t\tLOCATION\tORG\t\t\t\t\tDESC\n\r\n\r"
while read ip
#for ip in $(cat access_ssl_log | cut -f1 -d' ' | sort -n | uniq -c | sort -nr | head)
do
        count=$(echo "$ip" | cut -f1 -d' ')
        addr=$(echo "$ip" | cut -f2 -d' ')
        whos=$(whois "$addr")
        location=$(echo "$whos" | grep -iE "^country:"  | sed 's/country\://g' | sed 's/Country\://g')
        org=$(echo "$whos" | grep -iE "^Organization:" | sed 's/Organization\://g' | cut -c 4-)
        descr=$(echo "$whos" | grep -iE "^descr:" | sed 's/descr\://g' | tr '\r\n' ' ' | tr -s " " | cut -c 2-)

        results=$(echo "$count $addr $location" | tr -s " " | sed 's/ /\t/g')

        is_server_ip=$(ip a | grep $addr | wc -l)
        if [[ $is_server_ip -gt 0  ]]
        then
                printf "\033[0;33m$results\t\t$org\t\t\t\t\t$descr\n\r\033[0m"
        else
                printf "$results\t\t$org\t\t\t\t\t$descr\n\r"
        fi
done < ip.tmp

rm -f ip.tmp

printf "\n\r\033[0;33mServer IP are printed in yellow\033[0m\n\r"
first_record=$(head -1 access_log | cut -f2 -d'[' | cut -f1 -d' ')
last_record=$(tail -1 access_log | cut -f2 -d'[' | cut -f1 -d' ')
printf "Log start from $first_record and end $last_record \n\r\n\r"

PreviousData exfiltration NextBash script collection

Last updated 4 years ago

Was this helpful?