Forum Discussion

CM
17 days ago

Web Log Analysis: Ep.5 – Searching Web Server Logs using Linux CLI

In the access logs, how many requests were successful and resulted in a 200 HTTP status code from the identified IP address?
I've tried the following solutions which are not correct. What obvious thing am I missing?
I assume GET, HEAD and OPTIONS are all valid requests in the context of the above question; there is at least one log line which relates to X11 and not the vuln scanner found in the previous question.

linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
235
linux@web-log-analysis:~/Log-Files$ grep -E '193.37.225.202' access.log* | grep -i GET | grep -E 'HTTP/1\.1\" 200' | sort | wc -l
221

  • Hi CM,

    It looks like you're close, but there are a couple of things to simplify and focus on.

    First, consider the most straightforward way to search for the IP and the HTTP status code. You don't need to filter by the request method (like GET or HEAD) unless specified, as the question only asks for the status code and IP address.

    Secondly, think about whether you need to escape characters like the HTTP/1.1. Sometimes, a simpler search pattern can achieve the same result without extra complexity.

    Take a step back and try to focus on filtering for just the IP address and the 200 status code directly in the log.

  • So, I just used a simple one-liner to count all different status codes. The following will give you a count of each status code across all the log files - obviously, you just need the figure for 200:

    grep 193.37.225.202 acc* | awk '{print $9}' | sort | uniq -c

    • CM

      Bonus points for invoking awk 👍 less is more

      • autom8on

        Yeah - spot the old person. 😜 I always prefer using it to cut (which seems to be the way most people I know do things when mangling data out of log files). 

        But, no - less is less (and the right one to use wherever possible) and more is more (but only to be used on boxes that don't have less installed on them)! 🤪
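The two answers above (filter on the IP and the status code only; count status codes with awk) can be made robust by matching whole log fields instead of substrings. The script below is an added example, not code from the thread or from the course; the log lines in it are constructed and only reuse the IP address from the question. It assumes plain Combined/Common Log Format with the client IP as the first field and the status code as the ninth, which is the layout the `awk '{print $9}'` answer already relies on; if the log has a vhost or X-Forwarded-For prefix the field numbers shift. The sample deliberately includes the cases a plain `grep IP | grep 200` or a pattern anchored on `HTTP/1.1" 200` gets wrong: a 200 served over HTTP/1.0, HEAD and OPTIONS requests, a 301 whose path contains "200", and another client's request whose query string contains the IP.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): count 200 responses for one client IP by
# matching whole log fields with awk instead of substring-grepping each line.
#
# Combined/Common Log Format fields as awk sees them (whitespace-split):
#   $1 client IP   $4 "[date"   $6 "\"METHOD"   $7 path   $8 "HTTP/x.y\""   $9 status   $10 bytes
# Assumption: no vhost or X-Forwarded-For prefix in front of the client IP.

# Constructed sample log: only the first IP is taken from the thread, every line is made up.
SAMPLE_LOG='193.37.225.202 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
193.37.225.202 - - [10/Oct/2023:13:55:37 +0000] "HEAD /robots.txt HTTP/1.0" 200 0 "-" "curl/7.88.1"
193.37.225.202 - - [10/Oct/2023:13:55:38 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
193.37.225.202 - - [10/Oct/2023:13:55:39 +0000] "GET /files/report-200.pdf HTTP/1.1" 301 0 "-" "Mozilla/5.0"
193.37.225.202 - - [10/Oct/2023:13:55:40 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:42 +0000] "GET /search?q=193.37.225.202 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /x HTTP/1.1" 200 100 "-" "Mozilla/5.0"'

# Exact-field count: requests from client $1 that got status $2. Reads log lines on stdin.
# The request method and protocol version are irrelevant, so they are not inspected at all.
count_status_for_ip() {
  awk -v ip="$1" -v st="$2" '$1 == ip && $9 == st { n++ } END { print n + 0 }'
}

# Per-status histogram for client $1: the awk | sort | uniq -c idea from the thread,
# with the IP matched as a whole field rather than as a substring. Reads stdin.
status_histogram_for_ip() {
  awk -v ip="$1" '$1 == ip { print $9 }' | sort | uniq -c | sort -rn
}

# The substring approach, kept for comparison: it also counts the 10.0.0.5 request
# because the IP appears in that request's query string. Reads stdin.
naive_count_200() {
  grep -F "$1" | grep -c '" 200 '
}

# Helper for rotated logs: streams access.log, access.log.1, access.log.2.gz, ... in order,
# so the functions above can be fed with `cat_logs access.log* | count_status_for_ip IP 200`.
cat_logs() {
  local f
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_status_for_ip 193.37.225.202 200   # 3
printf '%s\n' "$SAMPLE_LOG" | naive_count_200 193.37.225.202           # 4
printf '%s\n' "$SAMPLE_LOG" | status_histogram_for_ip 193.37.225.202
```

The exact-field count returns 3 (the HTTP/1.1 GET, the HTTP/1.0 HEAD and the OPTIONS request), while the substring version returns 4 because it picks up the other client's request that merely mentions the IP. When the real log files are rotated and compressed, feed them through `cat_logs` (or `zcat`/`zgrep`) rather than plain `grep access.log*`, which would silently skip the gzipped ones.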