Suppose the Apache log format is:
118.78.199.98 - - [09/Jan/2010:00:59:59 +0800] "GET /public/css/index.css HTTP/1.1" 304 - "http://www.a.cn/common/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.3)"
Question 1: Find the 10 IPs with the most visits in the Apache log.
awk '{print $1}' apache_log | sort | uniq -c | sort -nr | head -n 10
awk first extracts the IP from each log line; if the log format is customized, use -F to define the separator and print the appropriate column;
sort orders the records so that identical ones are adjacent;
uniq -c merges duplicate lines and records the number of repetitions;
head keeps the first 10;
sort -nr sorts in descending order by count.
The command I took this from:
Show the 10 most-used commands
sed -e "s/| /\n/g" ~/.bash_history | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | head
Question 2: Find the minutes with the most visits in the Apache log.
awk '{print $4}' access_log | cut -c 14-18 | sort | uniq -c | sort -nr | head
The fourth space-separated column that awk sees is [09/Jan/2010:00:59:59;
cut -c 14-18 extracts characters 14 to 18, which hold the hour and minute (00:59);
the rest is similar to question 1.
Question 3: Find the most visited pages in the Apache log:
awk '{print $11}' apache_log | sed 's/^.*cn\(.*\)\"/\1/g' | sort | uniq -c | sort -rn | head
Similar to questions 1 and 2; the only special step is the sed substitution, which replaces "http://www.a.cn/common/index.php" with the part captured in parentheses: "http://www.a.cn(/common/index.php)"
Question 4: In the Apache log, find the time periods (in minutes) with the most visits (the heaviest load), and then see which IPs access the most during those periods.
1. View the number of Apache processes:
ps aux | grep httpd | grep -v grep | wc -l
2. View the number of TCP connections on port 80:
netstat -tan | grep "ESTABLISHED" | grep ":80" | wc -l
3. Use the log to view the number of connections per IP for a day, with duplicates merged:
cat access_log | grep "19/May/2011" | awk '{print $1}' | sort | uniq -c | sort -nr
4. See what the IP with the most connections that day is doing (it turned out to be a spider):
cat access_log | grep "19/May/2011:00" | grep "61.135.166.230" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
5. The top 10 URLs by page accesses that day:
cat access_log | grep "19/May/2010:00" | awk '{print $7}' | sort | uniq -c | sort -nr | head -n 10
6. Sniff port 80 traffic with tcpdump to see which source has the most accesses:
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr
Then check the log to see what that IP is doing:
cat access_log | grep 220.181.38.183 | awk '{print $1"\t"$7}' | sort | uniq -c | sort -nr | less
7. View the number of distinct IPs connecting during a time period:
grep "2006:0[7-8]" www20110519.log | awk '{print $1}' | sort | uniq -c | sort -nr | wc -l
8. The 20 IP addresses with the most connections to the web server right now:
netstat -ntu | awk '{print $5}' | sort | uniq -c | sort -n -r | head -n 20
9. View the top 10 IPs by number of visits in the log:
cat access_log | cut -d ' ' -f 1 | sort | uniq -c | sort -nr | awk '{print $0}' | head -n 10 | less
10. View the IPs that appear more than 100 times in the log:
cat access_log | cut -d ' ' -f 1 | sort | uniq -c | awk '{if ($1 > 100) print $0}' | sort -nr | less
11. View the most frequently accessed files among recent requests:
cat access_log | tail -10000 | awk '{print $7}' | sort | uniq -c | sort -nr | less
12. View the pages that are accessed more than 100 times in the log:
cat access_log | cut -d ' ' -f 7 | sort | uniq -c | awk '{if ($1 > 100) print $0}' | less
13. List files with a transfer time of more than 30 seconds ($NF is the last field, so the log format must record the transfer time at the end of each line):
cat access_log | awk '($NF > 30) {print $7}' | sort -n | uniq -c | sort -nr | head -20
14. List the most time-consuming pages (more than 60 seconds) and the number of times each one occurs:
cat access_log | awk '($NF > 60 && $7 ~ /\.php/) {print $7}' | sort -n | uniq -c | sort -nr | head -100