SBM Labs

Cyber Security Collaboration Project

Analysis of event logs using awk
17 Jan 2015

Introduction.

We need to analyze web-server logs and gather information about the IP addresses that were used to access the administration panel.

Event example.

77.247.181.162 - - [17/Feb/2015:15:06:40 +0300] "POST /administrator HTTP/1.0" 200 - "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"

How to.

$ ls -1 | grep "access-2015-01-1[0-1].log.gz" | while read line; do zcat $line; done | grep "POST /administrator" | awk '{split($4,a,"["); print substr(a[2],1,11) " " $1}' | sort | uniq -c | sort -k2r | sed '1i\ Security report:'
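As an added example that is not part of the original post: the same grep/awk/sort/uniq pipeline, run over a few constructed access-log lines embedded in the script so it can be tried without the site's own access-*.log.gz files. All IP addresses (RFC 5737 test ranges), timestamps and user agents are made up; the function names sample_log, admin_post_report and report are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the original SBM Labs post: the post's
# grep/awk/sort/uniq pipeline applied to constructed access-log lines
# embedded below, so it runs offline. All IPs, dates and agents are made up.

# Constructed sample of a combined-format access log.
sample_log() {
  cat <<'EOF'
198.51.100.10 - - [10/Jan/2015:09:12:01 +0300] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Jan/2015:09:12:07 +0300] "POST /administrator HTTP/1.0" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:23:58:40 +0300] "POST /administrator HTTP/1.0" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:23:59:02 +0300] "POST /administrator HTTP/1.0" 200 - "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2015:00:00:15 +0300] "POST /administrator HTTP/1.0" 200 - "-" "Mozilla/5.0"
198.51.100.10 - - [11/Jan/2015:08:30:00 +0300] "GET /administrator HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# admin_post_report: read access-log lines on stdin and print one line per
# day/IP pair as "<count> <dd/Mon/yyyy> <ip>", restricted to POST requests
# to /administrator.  $4 is "[10/Jan/2015:09:12:07"; split() drops the
# bracket and substr(...,1,11) keeps the 11-character date (awk strings are
# 1-indexed).  LC_ALL=C keeps sort's byte order independent of the locale.
admin_post_report() {
  grep 'POST /administrator' \
    | awk '{ split($4, a, "["); print substr(a[2], 1, 11) " " $1 }' \
    | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k2r
}

# report: the full pipeline with the heading line, as in the post (echo is
# used instead of "sed 1i" so it also works with BSD sed).
report() {
  echo 'Security report:'
  sample_log | admin_post_report
}

# Usage: run the constructed sample through the pipeline.
report
```

Two things worth knowing when adapting this: `sort -k2r` orders the date column as text, so "newest day first" only holds within a single month (a window spanning months would need the date reformatted to yyyy/mm/dd before sorting), and the match on `POST /administrator` is a plain substring, so a request for `/administrator/index.php` also counts, which is usually what you want for this report.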

Result.
