Top 20 IPs Making Requests To Apache [on hold]
I'm trying to get the top 20 IPs that are making requests to my server. I've written a grep with awk and split to get the IP down to a class b range. I then try to sort it and count the number of requests but I think something is incorrect.
grep '2018-12-19' /var/log/httpd/example.com/access.log | awk '{split($3, a, "."); print a[1] "." a[2] }' | sort | uniq -c | sort --numeric | grep '::1' -v | tail -20
My log format is:
2018-12-19 15:49:27 121.57.166.207 etc....
I suspect something is wrong because I did it for all of today (log rotation is on) and blocked the top IP ranges. I then limited it down to a minute:
grep '2018-12-19 12:05' /var/log/httpd/example.com/access.log | awk '{split($3, a, "."); print a[1] "." a[2] }' | sort | uniq -c | sort --numeric | grep '::1' -v | tail -20
and got back traffic from one of the blocked ranges. BUT, I then re-ran my original grep for the full day and the count I get back for that range is the same as when I blocked it, so it supposedly hasn't made any more requests.
First time full day:
15502 XXX.YYY
One minute interval (after blocking):
256 XXX.YYY
Second time full day:
15502 XXX.YYY
Some sample records:
2018-12-19 15:49:27 121.57.166.207 - 192.168.0.1 443 GET /page 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36" 56994254
2018-12-19 15:50:24 42.156.138.115 - 192.168.0.1 443 GET /js/file.woff2 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e YisouSpider/5.0 Safari/602.1" 2413
2018-12-19 15:50:24 42.120.161.114 - 192.168.0.1 443 POST /api/error.php 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) CriOS/56.0.2924.75 Mobile/14E5239e YisouSpider/5.0 Safari/602.1" 1400455
2018-12-19 15:50:33 111.206.198.4 - 192.168.0.1 443 POST /etc/file.php 200 "Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)" 2368
2018-12-19 15:50:33 220.181.108.113 - 192.168.0.1 443 GET /test ?page=1 200 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 1262749
2018-12-19 15:50:36 111.206.198.18 - 192.168.0.1 443 GET /d.jpg 200 "Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)" 287688
2018-12-19 15:50:44 106.120.173.105 - 192.168.0.1 443 GET /page/2678 ?&language=Russian 301 "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)" 968756
2018-12-19 15:50:45 220.181.108.147 - 192.168.0.1 443 GET /page ?id=20 200 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" 77875
2018-12-19 15:50:45 106.38.241.100 - 192.168.0.1 443 GET /page/562 ?language=Italian 301 "Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)" 901742
2018-12-19 15:50:47 119.136.88.91 - 192.168.0.1 443 GET /page/logo.jpg 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:64.0) Gecko/20100101 Firefox/64.0" 2367
I would expect the following counts to come back from these samples (row 1 is count, 2 is the class b range):
1 121.57
1 42.156
1 42.120
2 111.206
2 220.181
1 106.38
1 119.136
awk grep sort split uniq
put on hold as unclear what you're asking by Rui F Ribeiro, RalfFriedl, DarkHeart, Jeff Schaller, Shadur 14 hours ago
Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.
2
It looks like you're trying to summarize one day's worth of logs? Across some sort of network range? Could you clarify the requirements and provide sample log data to test against?
– Jeff Schaller
yesterday
Yes, that is correct. If the first (last depending on how you read it) two octets of an IP are the same I want it to be considered the same. 192.168.0.1 and 192.168.0.2 should count as 2 requests for 192.168. 192.167.0.1 should count as 1 request for 192.167. Adding sample records now.
– user3783243
yesterday
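The per-/16 summary the question and the comment above describe, as an added example that is not the asker's pipeline or anyone's posted answer: it anchors the timestamp prefix at the start of the line, drops non-IPv4 clients such as ::1 before counting rather than grepping them out of the summary, and adds a second function that counts a range's requests logged after a given time, which is the check for whether a block actually took effect. It assumes the log format shown in the question (date, time, client IP in field 3); the sample log is constructed from the question's records with user agents shortened.

```shell
#!/bin/sh
# Added example, not from the question or its comments. It assumes the log format
# shown in the question: "YYYY-MM-DD HH:MM:SS client-ip ..." with the client IP in
# field 3, and rolls each IPv4 client up to its first two octets (a /16).

# Constructed sample log: the question's records with user agents shortened,
# plus one IPv6 loopback request (::1) to show the filtering.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2018-12-19 15:49:27 121.57.166.207 - 192.168.0.1 443 GET /page 200 "UA" 56994254
2018-12-19 15:50:24 42.156.138.115 - 192.168.0.1 443 GET /js/file.woff2 200 "UA" 2413
2018-12-19 15:50:24 42.120.161.114 - 192.168.0.1 443 POST /api/error.php 200 "UA" 1400455
2018-12-19 15:50:33 111.206.198.4 - 192.168.0.1 443 POST /etc/file.php 200 "UA" 2368
2018-12-19 15:50:33 220.181.108.113 - 192.168.0.1 443 GET /test ?page=1 200 "UA" 1262749
2018-12-19 15:50:36 111.206.198.18 - 192.168.0.1 443 GET /d.jpg 200 "UA" 287688
2018-12-19 15:50:44 106.120.173.105 - 192.168.0.1 443 GET /page/2678 ?&language=Russian 301 "UA" 968756
2018-12-19 15:50:45 220.181.108.147 - 192.168.0.1 443 GET /page ?id=20 200 "UA" 77875
2018-12-19 15:50:45 106.38.241.100 - 192.168.0.1 443 GET /page/562 ?language=Italian 301 "UA" 901742
2018-12-19 15:50:47 119.136.88.91 - 192.168.0.1 443 GET /page/logo.jpg 200 "UA" 2367
2018-12-19 15:50:50 ::1 - 192.168.0.1 443 GET /health 200 "UA" 10
EOF

# top_ranges LOGFILE PREFIX [N]
#   PREFIX is a timestamp prefix such as '2018-12-19' or '2018-12-19 12:05'.
#   Prints "count first.second" lines, highest count first, at most N (default 20).
top_ranges() {
    awk -v p="$2" '
        # match the prefix only at the start of the line, so a time such as
        # "12:05" cannot match inside a URL, query string or user agent
        index($0, p) == 1 {
            # only dotted-quad IPv4 has a "class B" prefix; drop IPv6 (e.g. ::1)
            # before counting instead of grepping it out of the summary afterwards
            if ($3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split($3, o, ".")
            count[o[1] "." o[2]]++
        }
        END { for (r in count) print count[r], r }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${3:-20}"
}

# requests_since LOGFILE RANGE 'YYYY-MM-DD HH:MM:SS'
#   Counts requests from the /16 RANGE (e.g. 111.206) logged at or after the
#   timestamp: the check for whether a block applied at that time took effect.
requests_since() {
    awk -v r="$2" -v ts="$3" '
        ($1 " " $2) >= ts && index($3, r ".") == 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

top_ranges "$SAMPLE_LOG" '2018-12-19'                 # 8 ranges; 111.206 and 220.181 lead with 2
top_ranges "$SAMPLE_LOG" '2018-12-19 15:50:4' 20      # only the 15:50:40 to 15:50:49 window
requests_since "$SAMPLE_LOG" 111.206 '2018-12-19 15:50:34'   # 1
```

Note that the sample records contain a ninth range (106.120) that the expected list in the question omits; the summary above reports it.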
edited yesterday
asked yesterday
user3783243