{"id":8781,"date":"2022-03-16T10:45:33","date_gmt":"2022-03-16T15:45:33","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=8781"},"modified":"2022-03-16T10:45:34","modified_gmt":"2022-03-16T15:45:34","slug":"apache-httpd-log-file-analysis-hits-by-ip-address","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=8781","title":{"rendered":"Apache HTTPD Log File Analysis — Hits by IP Address"},"content":{"rendered":"\n

When we are decommissioning a website (or web server), I always watch the log files to ensure there aren’t a lot of people still accessing it. Sometimes there are<\/em> and it’s worth tracking them down individually to clue them into the site’s eminent demise. Usually there aren’t, and it’s just a confirmation that our decommissioning efforts won’t be impactful. <\/p>\n\n\n\n

This python script looks for IP addresses in the log files and outputs each IP & it’s access count per log file. Not great if you’ll see a bunch of IP addresses in the recorded URI string, but it’s good enough for 99% of our log data. <\/p>\n\n\n

\nimport os\nimport re\nfrom collections import Counter\n\ndef parseApacheHTTPDLog(strLogFile):\n    regexIPAddress = r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}'\n\n    with open(strLogFile) as f:\n        objLog = f.read()\n        listIPAddresses = re.findall(regexIPAddress,objLog)\n        counterAccessByIP = Counter(listIPAddresses)\n        for strIP, iAccessCount in counterAccessByIP.items():\n            print(f"{strLogFile}\\t{str(strIP)}\\t{str(iAccessCount)}")\n\nif __name__ == '__main__':\n    strLogDirectory = '\/var\/log\/httpd\/'\n    for strFileName in os.listdir(strLogDirectory):\n        if strFileName.__contains__("access_log"):\n        #if strFileName.__contains__("hostname.example.com") and strFileName.__contains__("access_log"):\n            parseApacheHTTPDLog(f"{strLogDirectory}{strFileName}")\n\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
When we are decommissioning a website (or web server), I always watch the log files to ensure there aren’t a lot of people still accessing it. Sometimes there are and it’s worth tracking them down individually to clue them into the site’s eminent demise. Usually there aren’t, and it’s just a confirmation that our decommissioning …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[1122,352,664],"class_list":["post-8781","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-apache-httpd","tag-httpd","tag-python"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8781","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8781"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8781\/revisions"}],"predecessor-version":[{"id":8782,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/8781\/revisions\/8782"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}