read apache2 logs
Check for bots
cat access.log | cut -d '"' -f 6 | sort | uniq | awk '$2 == "bot"'
Check for botnets
cat access.log | cut -d '"' -f 6 | sort | uniq | awk '$2 == "botnet"'
Check for boths above
cat access.log | cut -d '"' -f 6 | sort | uniq | awk '$2 ~ "bot"'
Count requests
cat access.log | grep -v "CONNECT\|HEAD\|GET\|POST" | wc -l
Print missing files
awk 'END{($9 ~ /404/)}' < /var/log/apache2/access.log | awk '{print $9": " $7}'
Report on access codes
awk '{ print $9 }' /var/log/apache2/access.log | sort | uniq -c | sort -rn
Report on missing files
awk '($9 ~ /404/)' /var/log/apache2/access.log | awk '{ print $7 }' | sort | uniq -c | sort -nr
Print the IP address
awk '{print $1}' /var/log/apache2/access.log
Print the date/time
awk '{print $4,$5}' /var/log/apache2/access.log
Print the status code
awk '{print $9}' /var/log/apache2/access.log
Print the size
awk '{print $10}' /var/log/apache2/access.log
Count requests by response code
awk '{print $9}' /var/log/apache2/access.log | sort | uniq -c | sort -rn
Find which URLs returned a status code
awk '($9 ~ /404/)' /var/log/apache2/access.log | awk '{count[$7]++}; END { for (i in count) print i, count[i] }'
Find which URLs returned a status code
awk '($9 ~ /404/)' /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -returned
Find useragents
cat access.log | cut -d '"' -f 6 | sort | uniq
Find most used user agents
awk '{print $12}' /var/log/apache2/access.log | sort | uniq -c | sort -rn
Find most used user agents
awk -F\" '{print $6}' /var/log/apache2/access.log | sort | uniq -c | sort -rn
Most requested URLs
awk -F\" '{print $2}' /var/log/apache2/access.log | awk '{print $2}' | sort | uniq -c | sort -rn
Post requests
awk -F\" '{print $2}' /var/log/apache2/access.log | sort | uniq -c | sort -rn
discard requests that appear less than 100 times.
awk -F\" '{print $2}' /var/log/apache2/access.log | sort | uniq -c | awk '$1>=100{print}' | sort -rn
Most requested URLs containing pattern
awk -F\" '($2 ~ "/api/event"){print $2}' /var/log/apache2/access.log | awk '{print $2}' | sort | uniq -c
Group most requested URLs containing pattern by hour
awk -F\" '($2 ~ "/api/event"){print $1}' /var/log/apache2/access.log
Split output with tee
tail -n 1 /var/log/apache2/access.log | tee >(wc -w) >(wc -c) >(awk '{ print $1 }')
Display surrounding lines with grep
grep -C 1 -m 1 ‘jquery’ /var/log/apache2/access.log
Show ip
awk '{ print "IP: " $1 }’ < /var/log/apache2/access.log
Show ip + Date
awk 'END{ print "IP: " $1; print "Date: " $4$5 }' < /var/log/apache2/access.log | sed 's/\[//g;s/\]//g'
B-AWK-ward output (last column)
awk 'END{print $NF}' < /var/log/apache2/access.log
AWK can print text from the last column with the $NF variable:
awk 'END{print $NF}' < /var/log/apache2/access.log
Dissect DNS and IP information
dig $(awk ‘END{ print $1 }’ /var/log/apache2/access.log)
Read archived logfiles
awk { print “IP: “ $1 }’ < <({zcat /var/log/apache2/access.log*gz & cat /var/log/apache2/access.log)}
Geolocate visitors
ip=$(dig $1 | grep -A 1 'ANSWER SECTION') | awk 'END{ print $NF }')
echo geoiplookup $ip | sed -e 's/^.*: //g'
Master regular expressions
tail -n 1 /var/log/apache2/access.log | sed 's/^.*-" "//g;s/"//g
Visitor lookup
matches=$(grep $@)
last_visit=$(echo $matches | tail -n 1)
echo "IP: $(echo $last_visit | awk '{print $1 }')"
echo "Total visits: $(echo $matches | wc -l)"
echo "User Agent: $(echo $last_visit | sed -e 's/^.*-" "//g' | tr -d '"')"
echo "Last visit: $(echo $last_visit | tr -d '[]' | awk '{ print $4$5 }')"
Last update: June 30, 2022
Created: June 18, 2022
Created: June 18, 2022