# Apache Log Analysis
# Log sample: columns (fields) are separated by whitespace
- Name (column number): column numbers may differ depending on the Apache log format pattern
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
IP(1) -(2) -(3) [datetime(4) +0900](5) "POST(6) /*(7) HTTP(8) 200(9) size(10)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
216.152.252.91(1) -(2) -(3) [01/Apr/2013:00:03:15(4) +0900](5) "GET(6) /863(7) HTTP/1.1"(8) 200(9) 35747(10) "http:///" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
173.199.120.19 - - [01/Apr/2013:00:04:05 +0900] "GET /tag/661 HTTP/1.1" 200 39781 "-" "Mozilla/5.0 (compatible; AhrefsBot/4.0; +http://ahrefs.com/robot/)"
96.47.224.50 - - [01/Apr/2013:00:50:14 +0900] "GET /category/8%3Fpage%3D4 HTTP/1.1" 200 131473 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
96.47.224.50 - - [01/Apr/2013:00:50:16 +0900] "POST /comment/add/860 HTTP/1.1" 200 149 "http:///category/8%3Fpage%3D4" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5"
# Printing a time range from the log file
1) Print every line whose log time ($4) is later than [01/Apr/2013:14:10 and earlier than 01/Apr/2013:15:10
[master@local logs]$ awk '$4>"[01/Apr/2013:14:10" && $4<"[01/Apr/2013:15:10"' access.20130401 | more
115.178.65.59 - - [01/Apr/2013:14:10:19 +0900] "GET /839 HTTP/1.1" 200 34884 "http://server.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22"
66.249.74.207 - - [01/Apr/2013:14:10:21 +0900] "GET /839 HTTP/1.1" 200 34801 "-" "Mediapartners-Google"
93.182.134.162 - - [01/Apr/2013:14:11:00 +0900] "GET /593 HTTP/1.1" 200 31533 "http://server.com/" "Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1"
219.253.136.194 - - [01/Apr/2013:14:11:03 +0900] "GET /844 HTTP/1.1" 200 31889 "http://search.naver.com/search.naver?where=nexearch&query=CHR%2810%29&sm=top_hty&fbm=1&ie=utf8" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
2) For log times ($4) later than [01/Apr/2013:14:10 and earlier than 01/Apr/2013:15:10,
print [number of hits per IP, IP] in descending order
[master@local logs]$ awk '$4>"[01/Apr/2013:14:10" && $4<"[01/Apr/2013:15:10"' access.20130401 | awk '{ print $1 }' | uniq | sort | uniq -c | sort -r | more
21 66.249.74.207
11 66.249.74.62
9 93.182.134.162
8 93.182.137.9
7 93.182.133.29
7 93.182.130.59
7 173.199.120.19
6 93.182.130.8
6 93.182.130.42
5 93.182.130.23
5 211.57.153.106
5 1.212.28.228
4 93.182.130.62
4 216.152.252.99
4 211.254.253.60
3 96.47.225.66
3 66.249.80.146
3) For log times ($4) later than [01/Apr/2013:14:10 and earlier than 01/Apr/2013:15:10,
print the number of POST access attempts from a specific IP
[master@local logs]$ awk '$4>"[01/Apr/2013:00:00" && $4<"[01/Apr/2013:15:10"' access.20130401 | awk '{if($1 == "216.152.252.99" && $6 == "\"POST"){ print "POST_"$1}}' | uniq -c
COUNT | IP
-------------------------------------------------
18 POST_216.152.252.99
4) For log times ($4) later than [01/Apr/2013:14:10 and earlier than 01/Apr/2013:15:10,
print the number of DoS access attempts from a specific IP
[master@local logs]$ awk '$4>"[01/Apr/2013:00:00" && $4<"[01/Apr/2013:15:10"' access.20130401 | awk '{if($1 == "93.182.130.59"){ print "DOS_"$4, $10}}' | egrep '[0-9]$' | uniq -c | sort -r | sed 's/\[//'
COUNT | datetime | page size
-------------------------------------------------
2 DOS_01/Apr/2013:04:24:30 31616
1 DOS_01/Apr/2013:14:28:32 31616
1 DOS_01/Apr/2013:14:27:11 31616
1 DOS_01/Apr/2013:14:27:05 31616
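The three pipelines of steps 2 to 4 combined into a single awk pass, as an added example that is not part of the original post: the time-window filter, per-IP totals, POST counts and the same-second repeat count from the DoS check, sorted numerically. The sample log lines, the IPs in them and the per_ip_summary function name are constructed for this example.

```shell
#!/bin/sh
# Constructed sample lines in the same combined log format as the post
# (made-up IPs and paths, not real traffic).
SAMPLE_LOG='216.152.252.91 - - [01/Apr/2013:14:12:01 +0900] "GET /863 HTTP/1.1" 200 35747 "-" "ua"
216.152.252.91 - - [01/Apr/2013:14:12:02 +0900] "POST /comment/add/860 HTTP/1.1" 200 149 "-" "ua"
216.152.252.91 - - [01/Apr/2013:14:12:02 +0900] "POST /comment/add/860 HTTP/1.1" 200 149 "-" "ua"
96.47.224.50 - - [01/Apr/2013:14:30:00 +0900] "GET /tag/661 HTTP/1.1" 200 39781 "-" "ua"
96.47.224.50 - - [01/Apr/2013:16:00:00 +0900] "POST /comment/add/1 HTTP/1.1" 200 149 "-" "ua"
173.199.120.19 - - [01/Apr/2013:09:00:00 +0900] "GET /593 HTTP/1.1" 200 31533 "-" "ua"'

# per_ip_summary FROM TO < access_log
# Prints "ip total posts peak_per_second" for every client seen in the
# window FROM <= $4 < TO, most active client first. FROM/TO use the same
# prefix form as the post, e.g. "[01/Apr/2013:14:10". Plain string
# comparison on $4 is only meaningful within one calendar day: the field
# is day/month with an alphabetic month, so "01/May" sorts before "02/Apr".
per_ip_summary() {
    awk -v from="$1" -v to="$2" '
        $4 >= from && $4 < to {
            total[$1]++
            # $6 keeps the opening quote of the request field: "POST
            if ($6 == "\"POST") posts[$1]++
            # requests from the same IP in the same second (the DoS check
            # of step 4), kept as a per-IP peak
            n = ++persec[$1, $4]
            if (n > peak[$1]) peak[$1] = n
        }
        END {
            for (ip in total)
                printf "%s %d %d %d\n", ip, total[ip], posts[ip] + 0, peak[ip]
        }' | sort -k2,2nr      # numeric sort; plain "sort -r" is lexical
}

# Usage: the 16:00 and 09:00 lines fall outside the window and are dropped.
printf '%s\n' "$SAMPLE_LOG" | per_ip_summary "[01/Apr/2013:14:10" "[01/Apr/2013:15:10"
```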
# Apache error log analysis: whitespace as the column (field) delimiter
> Only works within the same date and weekday (a time range inside a single day)
awk '$from>"[Sat Aug 17 11:34:22 2013" && $to<"[Sat Aug 24 14:06:05 2013"' from='$1 " " $2 " " $3 " " $4 " " $5' to='$1 " " $2 " " $3 " " $4 " " $5' error_log | more
Reference: http://impactcore.blogspot.kr/2012/08/parse-apache-logs-by-date-range.html
# Changing the field delimiter of a file with awk and saving the result
cat listTest.txt
Sun1[,]Sun2[,]Sun3[,]Sun4[,]Sun5
Sun1[,]Sun2[,]Sun3[,]Sun4[,]Sun5
Sun1[,]Sun2[,]Sun3[,]Sun4[,]Sun5
Sun1[,]Sun2[,]Sun3[,]Sun4[,]Sun5
> Split the file contents on the delimiter ( [,] ) and print them with the delimiter changed to ( :: )
awk -F "\\\[[,]]" '{print $1"::"$2"::"$3"::"$4"::"$5}' listTest.txt
Sun1::Sun2::Sun3::Sun4::Sun5
Sun1::Sun2::Sun3::Sun4::Sun5
Sun1::Sun2::Sun3::Sun4::Sun5
Sun1::Sun2::Sun3::Sun4::Sun5
> Extract the 3rd ($3) field value from the file
awk -F"\\\[[,]]" '{print $3}' listTest.txt
Sun3
Sun3
Sun3
Sun3
awk -F \\\\[[,]\\\\] '{print $3}' listTest.txt
Sun3
Sun3
Sun3
Sun3
[Source: http://develop.sunshiny.co.kr/949]