When we are decommissioning a website (or web server), I always watch the log files to ensure there aren’t a lot of people still accessing it. Sometimes there are and it’s worth tracking them down individually to clue them into the site’s eminent demise. Usually there aren’t, and it’s just a confirmation that our decommissioning efforts won’t be impactful.
This python script looks for IP addresses in the log files and outputs each IP & it’s access count per log file. Not great if you’ll see a bunch of IP addresses in the recorded URI string, but it’s good enough for 99% of our log data.
import os
import re
from collections import Counter
def parseApacheHTTPDLog(strLogFile):
regexIPAddress = r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
with open(strLogFile) as f:
objLog = f.read()
listIPAddresses = re.findall(regexIPAddress,objLog)
counterAccessByIP = Counter(listIPAddresses)
for strIP, iAccessCount in counterAccessByIP.items():
print(f"{strLogFile}\t{str(strIP)}\t{str(iAccessCount)}")
if __name__ == '__main__':
strLogDirectory = '/var/log/httpd/'
for strFileName in os.listdir(strLogDirectory):
if strFileName.__contains__("access_log"):
#if strFileName.__contains__("hostname.example.com") and strFileName.__contains__("access_log"):
parseApacheHTTPDLog(f"{strLogDirectory}{strFileName}")