daknetworks.com

You are here: Blog Examine httpd access logs

Examine httpd access logs

I spend a large amount of time defending from spam attacks and sql injection attacks. I can analyze the httpd logs with the following:

grep schem ./access_log* |cut -d ' ' -f 2 |uniq -c |sort -n

  • The 'grep' command searches for the word schema as in information_schema. No real sql query searches for this. It is always an sql hacking attempt.
  • The files we are searching is 'access_log*' which means search through all the access logs that we have. For me, that is usually around 4 months of data. That is a fairly good data set.
  • The 'cut' command chunks up the data. The '-d' part tells how to chunck the data; by a space character. The '-f 2' tells what data to collect; the second item in each line.
  • The 'uniq -c' tells to count each unique item.
  • The 'sort -n' sorts them least to greatest.

Contact Dak Networks

We are not taking on new clients at this time.