I need to be able to see all requests made by an IP in a given day.
I'm not familiar with grep and was wondering if anyone could give me a hand.
Assuming that your log is at /var/log/apache2/access.log
and assuming that your Apache logs are in common or combined format:
$ grep "^w\.x\.y\.z" /var/log/apache2/access.log
e.g. to search for 127.0.0.1
$ grep "^127\.0\.0\.1" /var/log/apache2/access.log
Is there any way I can limit the search results to a specific day?
I like awk for a question like this; you can match multiple fields in a single command. If we assume you're using a standard Apache log format, field 1 is the IP address and field 5 is the date of the access:
$ awk '$1 ~ /8\.8\.8\.8/ && $4 ~ /15\/Dec\/2009/ { print }' /var/log/apache2/access.log
awk processes each line in a file and splits it on whitespace into variables named $1, $2, and so on. You can match them with the $2 ~ /REGEX/ syntax, and you can match on multiple fields.
Apache stores the date in the ridiculous DD/Mon/YYYY format, so you need to escape the / character, which makes matching dates a little unwieldy.
A solitary { print } will print the whole line (awk also knows this as $0). If you only want to emit specific fields, you can add those to the print statement. If you only wanted to print the requested URI, you would do:
$ awk '$1 ~ /8\.8\.8\.8/ && $4 ~ /15\/Dec\/2009/ { print $7 }' /var/log/apache2/access.log
since the request URI is field 7 in the log.
As an alternative to the above answers, without the "complexity" (for some) of regex.
I first check (tail) the log file for the date format, like so:
tail filename
127.0.0.1 - - [31/Jan/2017:18:33:08 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:09 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:12 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:13 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:14 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:15 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:16 +0100] "OPTIONS * HTTP/1.0" 200 155
127.0.0.1 - - [31/Jan/2017:18:33:17 +0100] "OPTIONS * HTTP/1.0" 200 155
Then I simply copy/paste the date as a literal string, like so:
grep "31/Jan/2017" file | grep 127.0.0.1
or, sometimes I need to narrow it down to the hour, so I just copy the hour with it:
grep "31/Jan/2017:18" file | grep 127.0.0.1
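A shell example that combines the awk answer above with the day/hour narrowing in the last answer; it is added here and is not part of any of the posted answers. It assumes common or combined log format, compares the IP field with exact string equality (so 10.0.0.5 does not also match 110.0.0.5 the way an unanchored regex would), and the log lines, the function names and the temp file path are constructed for the example.

```shell
#!/bin/sh
# Constructed sample access log for this example (not from the original post).
LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
127.0.0.1 - - [31/Jan/2017:18:33:08 +0100] "OPTIONS * HTTP/1.0" 200 155
10.0.0.5 - - [31/Jan/2017:18:40:01 +0100] "GET /index.html HTTP/1.1" 200 2326
110.0.0.5 - - [31/Jan/2017:18:41:11 +0100] "GET /admin HTTP/1.1" 403 199
10.0.0.5 - - [31/Jan/2017:18:45:00 +0100] "GET /index.html HTTP/1.1" 200 2326
10.0.0.5 - - [31/Jan/2017:19:02:45 +0100] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [01/Feb/2017:00:01:02 +0100] "GET /index.html HTTP/1.1" 200 2326
EOF

# requests_by_ip_day LOGFILE IP DD/Mon/YYYY [HH]
# Prints every line from IP on that day (and, if HH is given, that hour).
# Field 1 is compared with ==, not a regex, so the IP must match exactly.
# Field 4 is "[DD/Mon/YYYY:HH:MM:SS"; the leading "[" is stripped and the
# day (plus optional two-digit hour) is compared as a plain prefix, so no
# "/" escaping is needed.
requests_by_ip_day() {
    awk -v ip="$2" -v day="$3" -v hour="$4" '
        {
            ts = substr($4, 2)
            want = day
            if (hour != "") want = want ":" hour
            if ($1 == ip && substr(ts, 1, length(want)) == want) print
        }' "$1"
}

# count_requests_by_ip_day LOGFILE IP DD/Mon/YYYY [HH]
# Same filter, but returns only the number of matching requests.
count_requests_by_ip_day() {
    requests_by_ip_day "$@" | wc -l | tr -d ' '
}

# uri_breakdown LOGFILE IP DD/Mon/YYYY [HH]
# Per-URI summary of the filtered set as "count URI", most frequent first.
uri_breakdown() {
    requests_by_ip_day "$@" | awk '{ print $7 }' | sort | uniq -c |
        sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone usage: all requests from 10.0.0.5 on 31/Jan/2017, then by URI.
requests_by_ip_day "$LOG" 10.0.0.5 31/Jan/2017
uri_breakdown "$LOG" 10.0.0.5 31/Jan/2017
```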