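# Access-log one-liners (Apache/Nginx combined format).  Each log line starts
# with the client address and carries the timestamp in brackets as
# [DD/Mon/YYYY:HH:MM:SS +ZZZZ]; the cut/awk chain pulls that field out and
# keeps the hour ($2) or hour:minute ($2:$3) so uniq -c can count hits.
# XX.XX.XX.XX and [url] are placeholders: substitute the real address / path.

# Requests per hour over the whole log.
cut -d'[' -f2 access.log | cut -d']' -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
# Requests per hour on one day (fixed-string match on the bracketed date).
grep -F -- '23/Jan' access.log | cut -d'[' -f2 | cut -d']' -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
# Requests per hour from one client address: -F makes the dots literal, -w keeps
# 1.2.3.4 from also matching 11.2.3.45.
grep -wF -- 'XX.XX.XX.XX' access.log | cut -d'[' -f2 | cut -d']' -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
# Requests per minute over the whole log; sort numerically on hour, then minute,
# so identical HH:MM lines stay adjacent for uniq -c.
cut -d'[' -f2 access.log | cut -d']' -f1 | awk -F: '{print $2":"$3}' | sort -t: -k1,1n -k2,2n | uniq -c
# Requests per minute on one day.
grep -F -- '02/Nov/2017' access.log | cut -d'[' -f2 | cut -d']' -f1 | awk -F: '{print $2":"$3}' | sort -t: -k1,1n -k2,2n | uniq -c
# Requests per minute for one path.  -F is required: without it grep reads
# "[url]" as a bracket expression matching any single u, r or l.
grep -F -- '[url]' access.log | cut -d'[' -f2 | cut -d']' -f1 | awk -F: '{print $2":"$3}' | sort -t: -k1,1n -k2,2n | uniq -c
# Requests per minute from one client address (same -wF reasoning as above).
grep -wF -- 'XX.XX.XX.XX' access.log | cut -d'[' -f2 | cut -d']' -f1 | awk -F: '{print $2":"$3}' | sort -t: -k1,1n -k2,2n | uniq -c
# Top 20 client addresses by request count.  A plain sort is all uniq -c needs
# to group identical addresses; -rn then orders the counts, largest first.
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -n 20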
Usage:
./script.sh access_ssl_log
#!/bin/bash​cat $1 | cut -f1 -d' ' | sort -n | uniq -c | sort -nr | head -20 > ip.tmpprintf "COUNT\tADDRESS\t\tLOCATION\tORG\t\t\t\t\tDESC\n\r\n\r"while read ip#for ip in $(cat access_ssl_log | cut -f1 -d' ' | sort -n | uniq -c | sort -nr | head)docount=$(echo "$ip" | cut -f1 -d' ')addr=$(echo "$ip" | cut -f2 -d' ')whos=$(whois "$addr")location=$(echo "$whos" | grep -iE "^country:" | sed 's/country\://g' | sed 's/Country\://g')org=$(echo "$whos" | grep -iE "^Organization:" | sed 's/Organization\://g' | cut -c 4-)descr=$(echo "$whos" | grep -iE "^descr:" | sed 's/descr\://g' | tr '\r\n' ' ' | tr -s " " | cut -c 2-)​results=$(echo "$count $addr $location" | tr -s " " | sed 's/ /\t/g')​is_server_ip=$(ip a | grep $addr | wc -l)if [[ $is_server_ip -gt 0 ]]thenprintf "\033[0;33m$results\t\t$org\t\t\t\t\t$descr\n\r\033[0m"elseprintf "$results\t\t$org\t\t\t\t\t$descr\n\r"fidone < ip.tmp​rm -f ip.tmp​printf "\n\r\033[0;33mServer IP are printed in yellow\033[0m\n\r"first_record=$(head -1 access_log | cut -f2 -d'[' | cut -f1 -d' ')last_record=$(tail -1 access_log | cut -f2 -d'[' | cut -f1 -d' ')printf "Log start from $first_record and end $last_record \n\r\n\r"