nginx access 로 그 를 시간 에 따라 분할 합 니 다.

시간 별 필터 로그:
#!/bin/bash
#file log path
log_file='/var/log/nginx/access.log'

last_hour=1
# start time
start_time=`date -d "$last_hour hour ago" +"%H:%M:%S"`
# end time
end_time=`date +"%H:%M:%S"`
#Get the host ip address
host_ip=`ip addr |grep eth0|awk 'BEGIN{FS="([[:space:]]|/)+"}NR==2{print $3}'`
# output log file
filter_ip='/opt/scripts/log/hour_ip.txt'
# app name
app_name="#"

echo "$app_name: $host_ip $end_time" > $filter_ip

tac $log_file | awk -v st="$start_time" -v et="$end_time" '{t=substr($4,RSTART+14,15);
if(t>=st && t<=et) {print $0}}' \
|awk '{if($9~/404/)a[$1" "$7" "$9]++}END{for(i in a) print i,a[i]}' \
|awk '{print $4,$1,$2}'|sort -nr|head -n 10 >> $filter_ip

num=`cat $filter_ip|wc -l`

if [ $num -ge 2 ]; then
  cat $result | mail -s "$app_name: suspect_attack" [email protected]
fi

분당 필터 로그:
#/bin/bash
#    
logfile='/var/log/nginx/access.log'
log_file='/opt/scripts/log/half_ip.txt'

# app name
app_name="#"
#host ip addr
host_ip=`ip addr |grep eth0|awk 'NR==2{print $2}'|awk -F/ '{print $1}'`

#time interval
last_minutes=30

#    
start_time=`date -d "$last_minutes minutes ago" +"%H:%M:%S"`

#    
stop_time=`date +"%H:%M:%S"`

echo "$app_name: $host_ip $stop_time" > $log_file

#                ip 
tac $logfile | awk -v st="$start_time" -v et="$stop_time" '{t=substr($4,RSTART+14,21);if(t>=st && t<=et) {print $0}}' \
| awk '{print $1}' | sort | uniq -c | sort -nr |egrep -v '106.14.240.239'|awk '{if($1 > 1000){print $0}}' >> $log_file

num=`cat $log_file|wc -l`

if [ $num -ge 2 ]; then
  cat $log_file | mail -s "$app_name: suspect_attack" [email protected]
fi

좋은 웹페이지 즐겨찾기