access log trash
stitch
Joined: 09 Nov 2003
Posts: 49
Location: washington state

Posted: Fri Nov 14, 2003 12:19 am    Post subject: access log trash

Hello fellow Abyss users !
My log files are so jammed up with trash from worms and viruses hoping to find my system useful that I can't see the information I'm really interested in... is there a way to get the access log to ignore requests, say, for .exe files?
I'm pretty new at all this so please speak s-l-o-w-l-y !
thanks for your help yeh sweet geeks :wink: !
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Fri Nov 14, 2003 1:51 am

The Abyss log file in extended mode is in Common Logfile Format:

http://www.bacuslabs.com/WsvlCLF.html

You should be able to use any freeware log analyser to make some sense of it :D

http://www.webattack.com/freeware/webpublish/fwlogalyzer.shtml

Alternatively, you can use grep/find in the console to trim out the .exe entries and copy the rest into a new file to examine. Give me a shout if you'd prefer this.
stitch
Joined: 09 Nov 2003
Posts: 49
Location: washington state

Posted: Fri Nov 14, 2003 3:57 am    Post subject: web log trash

Thanks for the links! - I've learned so much from lurking around on these forums!
I've been using Weblog Expert Lite and I recognize the worm junk from other posts here...
It takes up a lot of the top listings for files visited/downloaded and I can't get a good idea of what the real visitors are looking for at my site ~and it also really *irritates* me and I would just rather not see it at all...
So yes, please, tell me more...
Thanks again and again!
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Fri Nov 14, 2003 1:08 pm

OK!

1) Open a command prompt and navigate to the Abyss Webserver log directory.

This step is a lot easier if you grab the "Command Prompt Here" powertoy from Microsoft's website, as you can just right click the log directory in Explorer and choose (duh :P) "Command Prompt Here".

Otherwise,

Start -> Run -> CMD in Windows NT/2K/XP;
Start -> Run -> Command in Windows 95/98/Me.

Then type

CD "C:\Program Files\Abyss Web Server\log"

Use the full path to your logs directory in quotes.

Type

find /v "string to remove from your logfile" logfilename.log > cleanlog.txt

Replace logfilename.log with the name of your log if it's not the default. Find /v tells the find command to only find lines not containing the string; > cleanlog.txt tells it to save the results to a new file, cleanlog.txt. You can now run the log analyser on the cleanlog.txt file and you should find the string is no longer crapping up your query.

You can use | to join multiple finds; this can be used to remove multiple worm entries at once, handy since there's not just one type of worm GET request. Taking the log sample below as an example:

68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427

find /v "/cmd.exe" access.log | find /v "/root.exe" > cleanlog.txt will strip all lines with /cmd.exe and /root.exe in the request from the log and save the result to cleanlog.txt.

Note you only need the access.log filename after the *first* find in the query - | actually tells the next find command to search the output of the previous one.

Once you've done this manually and are satisfied with the result, you could save a batch file to do this and just add a shortcut to it from your desktop rather than typing all this each time.

Hope this makes some sense, I guess it depends how comfortable you are with DOS as to whether it will help :oops: If you need me to explain it better / differently, feel free to ask. Alternatively if you paste the bits of your log you want removing or a link to a sample copy of your log, the path to your log file etc, I'll happily put the batch file together for you.
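For readers who would rather do the same clean-up with a script than with a chain of `find /v` commands, here is an added example that is not from the thread and not part of Abyss Web Server. It parses each Common Log Format line, drops requests whose path matches a list of noise patterns (the two strings from the post above plus any request for a `.exe`, which is what the original question asked for), and writes a cleaned copy for the log analyser while leaving the original log untouched. The four worm lines are the ones quoted in the post; the two legitimate-looking lines, the host 192.0.2.10 and the function names are constructed for this example.

```python
"""Strip worm/scanner noise out of a Common Log Format (CLF) access log
before handing it to a log analyser.

Added example, not code from the forum thread or from Abyss Web Server.
It is the cross-platform equivalent of the
  find /v "/cmd.exe" access.log | find /v "/root.exe" > cleanlog.txt
pipeline: the original log is never modified, a cleaned copy is produced.
"""
import re
from typing import Iterable, List, Optional, Tuple

# One CLF line: host ident authuser [date] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Request-path patterns to drop. They are matched against the request
# target only, never the whole line, so a host or timestamp that happens
# to contain the text cannot cause a false drop.
NOISE_PATTERNS = [
    re.compile(r'/cmd\.exe', re.IGNORECASE),    # from the post above
    re.compile(r'/root\.exe', re.IGNORECASE),   # from the post above
    re.compile(r'\.exe(\?|$)', re.IGNORECASE),  # any request for an .exe
]


def parse_clf(line: str) -> Optional[dict]:
    """Parse one CLF line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['size'] = 0 if entry['size'] == '-' else int(entry['size'])
    return entry


def is_noise(entry: dict, patterns=NOISE_PATTERNS) -> bool:
    """True if the request target matches any noise pattern."""
    return any(p.search(entry['path']) for p in patterns)


def filter_log(lines: Iterable[str],
               patterns=NOISE_PATTERNS) -> Tuple[List[str], List[str]]:
    """Split log lines into (kept, dropped).

    Lines that do not parse as CLF are kept: a malformed line may itself
    be worth a look, so it is never silently discarded.
    """
    kept, dropped = [], []
    for line in lines:
        entry = parse_clf(line)
        if entry is not None and is_noise(entry, patterns):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def clean_log_file(src_path: str, dst_path: str) -> int:
    """Write a cleaned copy of src_path to dst_path; return lines dropped."""
    with open(src_path, encoding='utf-8', errors='replace') as src:
        kept, dropped = filter_log(src)
    with open(dst_path, 'w', encoding='utf-8') as dst:
        dst.writelines(kept)
    return len(dropped)


# Sample input: the four worm lines quoted in the thread, plus two
# constructed legitimate requests (host 192.0.2.10 and paths are invented).
SAMPLE_LOG = """\
68.63.65.63 - - [11/Nov/2003:21:32:39 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:46 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 427
192.0.2.10 - - [11/Nov/2003:21:33:01 +1133] "GET /index.html HTTP/1.1" 200 5120
68.63.65.63 - - [11/Nov/2003:21:32:51 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
68.63.65.63 - - [11/Nov/2003:21:32:52 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 427
192.0.2.10 - - [11/Nov/2003:21:33:05 +1133] "GET /images/logo.png HTTP/1.1" 200 2048
""".splitlines()

if __name__ == '__main__':
    kept, dropped = filter_log(SAMPLE_LOG)
    print(f"kept {len(kept)} lines, dropped {len(dropped)} noise lines")
    for line in kept:
        print(line)
```

Run it as `python clean_log.py` to see the two legitimate lines survive; call `clean_log_file("access.log", "cleanlog.txt")` to produce the analyser copy. Matching on the parsed request path rather than the raw line is the one behaviour that differs from `find /v`, and it is deliberate: the worm strings are all in the request, and keeping the original `access.log` intact means the dropped lines are still there if you later want to see who was scanning you.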
stitch
Joined: 09 Nov 2003
Posts: 49
Location: washington state

Posted: Sat Nov 15, 2003 3:35 am

OKAY,

Thanks again for taking the time to spell it all out for me... I'll mess around with it after I put the kids to bed!
One more question... I see requests for .png files... what is that?
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Nov 15, 2003 10:30 am

A graphics format, supposed to be the free/open alternative to gifs.

Are they 404's ? Can you paste an example line ?
stitch
Joined: 09 Nov 2003
Posts: 49
Location: washington state

Posted: Sat Nov 15, 2003 4:11 pm

mmm... I think I figured it out.... It's me... viewing the console!
hehehe :oops:


...oh and the "powered by abyss" logo on my index page that everyone else sees! THANKS APRELIUM!


Last edited by stitch on Mon Nov 17, 2003 8:05 pm; edited 1 time in total
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Sat Nov 15, 2003 4:19 pm

:lol:
stitch
Joined: 09 Nov 2003
Posts: 49
Location: washington state

Posted: Sat Nov 15, 2003 4:48 pm

Oh and here's another silly thing I did... I had my index.html file set as my default error page... so those worms ended up going around... and around... and around... just changing that so they get an ERROR and give up is making a big difference in the amount of space they take up in the logs...

Thanks again, Anonymoose, for the info on cleaning up the access log file before analyzing... I want to try it with .txt files, too, so I don't have to see the robots either...

feeling a *little* smarter today than yesterday! :D