stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Fri Nov 14, 2003 12:19 am Post subject: access log trash

Hello fellow Abyss users!
My log files are so jammed up with trash from worms and viruses hoping to find my system useful that I can't see the information I'm really interested in... is there a way to get the access log to ignore requests, say, for .exe files?
I'm pretty new at all this so please speak s-l-o-w-l-y!
Thanks for your help, yeh sweet geeks :wink: !
Anonymoose
Joined: 09 Sep 2003 Posts: 2192

stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Fri Nov 14, 2003 3:57 am Post subject: web log trash

Thanks for the links! I've learned so much from lurking around on these forums!
I've been using Weblog Expert Lite and I recognize the worm junk from other posts here...
It takes up a lot of the top listings for files visited/downloaded and I can't get a good idea of what the real visitors are looking for at my site, and it also really *irritates* me and I would just rather not see it at all...
So yes, please, tell me more...
Thanks again and again!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri Nov 14, 2003 1:08 pm Post subject:

OK!
1) Open a command prompt and navigate to the Abyss Webserver log directory.
This step is a lot easier if you grab the "Command Prompt Here" powertoy from Microsoft's website, as you can just right-click the log directory in Explorer and choose (duh :P) "Command Prompt Here".
Otherwise,
Start -> Run -> CMD in Windows NT/2K/XP;
Start -> Run -> Command in Windows 95/98/Me.
Then type
CD "C:\Program Files\Abyss Web Server\log"
Use the full path to your logs directory in quotes.
Type
find /v "string to remove from your logfile" logfilename.log > cleanlog.txt
Replace logfilename.log with the name of your log if it's not the default. find /v tells the find command to only find lines NOT containing the string; > cleanlog.txt tells it to save the results to a new file, cleanlog.txt. You can now run the log analyser on the cleanlog.txt file and you should find the string is no longer crapping up your query.
You can use | to join multiple finds. This can be used to remove multiple worm entries at once, handy since there's not just one type of worm GET request. Taking the log sample below as an example:
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
find /v "/cmd.exe" access.log | find /v "/root.exe" > cleanlog.txt
will strip all lines with /cmd.exe or /root.exe in the request from the log and save the result to cleanlog.txt.
Note you only need the access.log filename after the *first* find in the query: | actually tells the next find command to search the output of the previous one.
Once you've done this manually and are satisfied with the result, you could save a batch file to do this and just add a shortcut to it from your desktop rather than typing all this each time.
Hope this makes some sense; I guess it depends how comfortable you are with DOS as to whether it will help :oops: If you need me to explain it better / differently, feel free to ask. Alternatively, if you paste the bits of your log you want removing, or a link to a sample copy of your log, the path to your log file etc., I'll happily put the batch file together for you.
stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Sat Nov 15, 2003 3:35 am Post subject:

OKAY,
Thanks again for taking the time to spell it all out for me... I'll mess around with it after I put the kids to bed!
One more question... I see requests for .png files... what is that?
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Sat Nov 15, 2003 10:30 am Post subject:

A graphics format, supposed to be the free/open alternative to GIFs.
Are they 404s? Can you paste an example line?
stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Sat Nov 15, 2003 4:11 pm Post subject:

mmm... I think I figured it out.... It's me... viewing the console!
hehehe :oops:
...oh, and the "powered by abyss" logo on my index page that everyone else sees! THANKS APRELIUM!
Last edited by stitch on Mon Nov 17, 2003 8:05 pm; edited 1 time in total
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Sat Nov 15, 2003 4:19 pm Post subject:

:lol:
stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Sat Nov 15, 2003 4:48 pm Post subject:

Oh, and here's another silly thing I did... I had my index.html file set as my default error page... so those worms ended up going around... and around... and around... Just changing that so they get an ERROR and give up is making a big difference in the amount of space they take up in the logs...
Thanks again, Anonymoose, for the info on cleaning up the access log file before analyzing... I want to try it with .txt files, too, so I don't have to see the robots either...
Feeling a *little* smarter today than yesterday! :D
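An added example, not code from this thread and not Aprelium's: it does in Python what Anonymoose's chain of find /v commands does, and also covers the point stitch raises about the error page. Instead of dropping any line that contains one substring, it parses each line in the Common Log Format that Abyss writes, matches the request path against a list of worm probe patterns (/cmd.exe and /root.exe from the post above, plus /default.ida, the Code Red probe, which is an assumption about what else turns up), keeps the probe lines in a second file rather than discarding them, counts them per source address, and flags any probe that was answered with a 2xx status, which is exactly what the log shows while index.html is serving as the error document. The four probe lines in the sample are the ones quoted in the thread; the other lines and their IP addresses are constructed.

```python
import re
from collections import Counter

# Common Log Format as written by Abyss and most other web servers:
#   host ident authuser [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Request-path patterns to strip. The first two are the substrings the thread
# removes with `find /v`; /default.ida is the Code Red probe, added here as an
# assumption about what else the reader will see. Extend the tuple as needed.
WORM_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"/cmd\.exe", r"/root\.exe", r"/default\.ida")
]

# Constructed sample log: the four probe lines quoted in the thread, two
# ordinary hits from a visitor (documentation-range IP), one probe answered
# with 200 because index.html was set as the error page, and a Code Red probe.
SAMPLE_LOG = [
    '68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427',
    '68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427',
    '192.0.2.10 - - [15/Nov/2003:09:12:02 -0800] "GET / HTTP/1.1" 200 1423',
    '192.0.2.10 - - [15/Nov/2003:09:12:03 -0800] "GET /logo.png HTTP/1.1" 200 2512',
    '198.51.100.7 - - [15/Nov/2003:09:40:11 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1423',
    '203.0.113.5 - - [15/Nov/2003:10:02:44 -0800] "GET /default.ida?XXXXXXXXXXXX HTTP/1.0" 404 427',
]


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_worm_probe(path):
    """True if the request path matches any known worm probe pattern."""
    return any(p.search(path) for p in WORM_PATTERNS)


def split_log(lines):
    """Split log lines into (clean, probes, summary).

    Lines that do not parse are kept in `clean` and counted, so a format
    surprise never silently drops real traffic. Probes answered with a 2xx
    status are listed separately: a probe for cmd.exe should get a 404, and
    a 200 means the server handed the worm a real page (e.g. index.html as
    the error document), which keeps the worm coming back.
    """
    clean, probes = [], []
    summary = {"probes_by_host": Counter(), "probes_answered_2xx": [], "unparsed": 0}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        rec = parse_clf(line)
        if rec is None:
            summary["unparsed"] += 1
            clean.append(line)
            continue
        if is_worm_probe(rec["path"]):
            probes.append(line)
            summary["probes_by_host"][rec["host"]] += 1
            if rec["status"].startswith("2"):
                summary["probes_answered_2xx"].append(line)
        else:
            clean.append(line)
    return clean, probes, summary


def filter_log_file(src_path, clean_path, probe_path):
    """Read an access log and write the clean lines and the probe lines to two files."""
    with open(src_path, encoding="utf-8", errors="replace") as src:
        clean, probes, summary = split_log(src)
    with open(clean_path, "w", encoding="utf-8") as out:
        out.write("\n".join(clean) + ("\n" if clean else ""))
    with open(probe_path, "w", encoding="utf-8") as out:
        out.write("\n".join(probes) + ("\n" if probes else ""))
    return summary


if __name__ == "__main__":
    clean, probes, summary = split_log(SAMPLE_LOG)
    print(f"{len(clean)} clean lines, {len(probes)} worm probes removed")
    for host, n in summary["probes_by_host"].most_common():
        print(f"  {host}: {n} probes")
    for line in summary["probes_answered_2xx"]:
        print("WARNING: probe answered with a 2xx status (error page misconfigured?):")
        print("  " + line)
```

To use it on a real log, call filter_log_file("access.log", "cleanlog.txt", "worms.txt") and point the log analyser at cleanlog.txt, the same way the post above does with the output of find /v; worms.txt keeps the removed lines in case you later want to count or report the scanners instead of just hiding them.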