linux - Filter log file entries based on date range -

-

my server having unusually high cpu usage, , can see apache using way memory. have feeling, i'm being dos'd single ip - maybe can me find him?

i've used following line, find 10 "active" ips:

cat access.log | awk '{print $1}' |sort  |uniq -c |sort -n |tail

the top 5 ips have 200 times many requests server, "average" user. however, can't find out if these 5 frequent visitors, or attacking servers.

is there way, specify above search time interval, eg. last 2 hours or between 10-12 today?

cheers!

updated 23 oct 2011 - commands needed:

get entries within last x hours [here 2 hours]

awk -vdate=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` ' { if ($4 > date) print date fs $4}' access.log

get active ips within last x hours [here 2 hours]

awk -vdate=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` ' { if ($4 > date) print $1}' access.log | sort  |uniq -c |sort -n | tail

get entries within relative timespan

awk -vdate=`date -d'now-4 hours' +[%d/%b/%y:%h:%m:%s` -vdate2=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` ' { if ($4 > date && $4 < date2) print date fs date2 fs $4}' access.log

get entries within absolute timespan

awk -vdate=`date -d '13:20' +[%d/%b/%y:%h:%m:%s` -vdate2=`date -d'13:30' +[%d/%b/%y:%h:%m:%s` ' { if ($4 > date && $4 < date2) print $0}' access.log

get active ips within absolute timespan

awk -vdate=`date -d '13:20' +[%d/%b/%y:%h:%m:%s` -vdate2=`date -d'13:30' +[%d/%b/%y:%h:%m:%s` ' { if ($4 > date && $4 < date2) print $1}' access.log | sort  |uniq -c |sort -n | tail

yes, there multiple ways this. here how go this. starters, no need pipe output of cat, open log file awk. 

awk -vdate=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` '$4 > date {print date, $0}' access_log

assuming log looks mine (they're configurable) date stored in field 4. , bracketed. doing above finding within last 2 hours. note -d'now-2 hours' or translated literally minus 2 hours me looks this: [10/oct/2011:08:55:23

so doing storing formatted value of 2 hours ago , comparing against field four. conditional expression should straight forward.i printing date, followed output field separator (ofs -- or space in case) followed whole line $0. use previous expression , print $1 (the ip addresses) 

awk -vdate=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` '$4 > date {print $1}' | sort  |uniq -c |sort -n | tail

if wanted use range specify 2 date variables , construct expression appropriately.

so if wanted find between 2-4hrs ago expression might looks this

awk -vdate=`date -d'now-4 hours' +[%d/%b/%y:%h:%m:%s` -vdate2=`date -d'now-2 hours' +[%d/%b/%y:%h:%m:%s` '$4 > date && $4 < date2 {print date, date2, $4} access_log'

here question answered regarding dates in bash might find helpful. print date monday of current week (in bash)


Comments

Post a Comment

Popular posts from this blog

objective c - Change font of selected text in UITextView -

-
can suggest me how change font of selected text in uitextview.i cannot use uiwebview since have edit text. have seen pages app.how possible in app. see formatting text within uilabel differently . since need editing, should @ javascript-based editors such ckeditor or tinymce . highly recommend wwdc 2011 video session 511: "rich text editing in safari on ios."
Read more

php - Accessing POST data in Facebook cavas app -

-
so i've got simple form in canvas / iframe facebook app, , i'm trying pass along values post. reading on s.o. , fb's latest docs, understand it, data send via post form can accessed on receiving end $_request object. i read on thread on s.o. in order post forms work need pass along input named "signed_request" value current signed_request (i have signed request working ok otherwise...all login , authentication stuff working fine). isnt mentioned anywhere in official fb docs. so problem comes in $_request object signed request, , bunch of other session stuff. form inputs found. the way can read them set method of form "request" isn't real form method. takes of inputs , sends them args in url. horrible. here's sample page canvas app form i'm using try debug (leaving out authentication stuff): <form enctype="application/x-www-form-urlencoded" method="post" target="_top" id="my_form" action=...
Read more

c# - Getting control value when switching a view as part of a multiview -

-
i have following code in aspx page: <asp:button id="display_button" runat="server" text="display" onclick="button1_click" /> &nbsp; <asp:button id="edit_button" runat="server" text="edit" onclick="button2_click" /> &nbsp; <asp:button id="save_button" runat="server" text="save" onclick="button3_click" visible="false" /> &nbsp; <asp:multiview id="multiview1" runat="server" activeviewindex="0"> <asp:view id="view1" runat="server"> <asp:formview id="view_program" runat="server"> <itemtemplate> <%# eval("status").tostring().trim() %> </itemtemplate> </asp:formview> </asp:view> <asp:view id="view2" runat="server"> ...
Read more