按小時過濾日誌（bash 腳本，處理 nginx access.log）
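#!/bin/bash
# Hourly nginx 404 report.
#
# Scans the last $last_hour hour(s) of the nginx access log, counts 404
# responses per (client IP, request URI) pair, writes the top $top_n pairs to
# $filter_ip and mails that file when at least one pair was found.
#
# Log format assumption (nginx "combined"): $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS",
# $7 request URI, $9 status. The request line is client-controlled: a request
# without "HTTP/1.x", or with extra spaces, shifts the fields, so $9 is compared
# exactly against "404" (not with a regex) to keep such lines out of the report.
# The URIs that end up in the report and the mail body are attacker-supplied
# strings; treat them as untrusted data on the receiving side.
#
# Requires GNU date (-d) and GNU coreutils (tac).
set -euo pipefail

# nginx access log to scan
log_file='/var/log/nginx/access.log'
# window size, in hours
last_hour=1
# how many (ip, uri) pairs to report
top_n=10
# report file, also used as the mail body
filter_ip='/opt/scripts/log/hour_ip.txt'
# label for the report header and mail subject
app_name="#"
# alert recipient
mail_to='test@163.com'
# interface whose first IPv4 address identifies this host in the report header
iface='eth0'

# Window bounds in "yyyy-mm-dd HH:MM:SS" form. Comparing date and time (rather
# than the time of day only) keeps hits from previous days in the same hour out
# of the count and makes a window that crosses midnight work.
start_time=$(date -d "$last_hour hour ago" +"%Y-%m-%d %H:%M:%S")
end_time=$(date +"%Y-%m-%d %H:%M:%S")
# time of day only, for the report header
end_clock=${end_time#* }

# Host address for the header; empty if the interface has no IPv4 address,
# never fatal.
host_ip=$(ip -4 -o addr show dev "$iface" 2>/dev/null \
  | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }') || host_ip=''

[[ -r "$log_file" ]] || { printf '%s: cannot read %s\n' "${0##*/}" "$log_file" >&2; exit 1; }

printf '%s: %s %s\n' "$app_name" "$host_ip" "$end_clock" > "$filter_ip"

# Newest lines first; keep those inside the window, then aggregate 404s per
# (ip, uri). The top-N cut uses sed instead of head: sed reads to EOF, so sort
# never receives SIGPIPE, which pipefail would otherwise turn into an abort
# before the mail step.
tac -- "$log_file" \
  | awk -v st="$start_time" -v et="$end_time" '
      BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i in names) mon[names[i]] = sprintf("%02d", i)
      }
      {
        # "[dd/Mon/yyyy:HH:MM:SS" -> "yyyy-mm-dd HH:MM:SS": string order == time order
        ts = substr($4, 9, 4) "-" mon[substr($4, 5, 3)] "-" substr($4, 2, 2) " " substr($4, 14, 8)
      }
      ts >= st && ts <= et' \
  | awk '$9 == "404" { hits[$1 " " $7]++ }
         END { for (k in hits) print hits[k], k }' \
  | sort -nr | sed -n "1,${top_n}p" >> "$filter_ip"

# The header line is always written, so a second line means at least one hit.
# (The original mailed "$result", an unset variable, so the mail body was empty.)
if (( $(wc -l < "$filter_ip") >= 2 )); then
  mail -s "$app_name: suspect_attack" "$mail_to" < "$filter_ip"
fi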
按分鐘過濾日誌（bash 腳本，處理 nginx access.log）
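#!/bin/bash
# Per-minute nginx flood check.
#
# Counts requests per client IP in the last $last_minutes minutes of the nginx
# access log, appends every IP with more than $threshold requests to $log_file
# (one allow-listed address excepted) and mails that file when any IP was listed.
#
# Log format assumption (nginx "combined"): $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS".
# $1 is whatever nginx logged as the remote address; behind a proxy or load
# balancer that would be the proxy, and every request would be attributed to
# one address -- confirm the log format before trusting the counts.
#
# The original first line was "#/bin/bash" (no "!"), i.e. not a shebang, so
# the script ran under whatever /bin/sh the caller had.
# Requires GNU date (-d) and GNU coreutils (tac).
set -euo pipefail

# nginx access log to scan
logfile='/var/log/nginx/access.log'
# report file, also used as the mail body
log_file='/opt/scripts/log/half_ip.txt'
# label for the report header and mail subject
app_name="#"
# alert recipient
mail_to='test@163.com'
# window size, in minutes
last_minutes=30
# requests per window above which a client is reported
threshold=1000
# single client address that is never reported. Compared as an exact field
# value: the old `egrep -v '106.14.240.239'` was an unanchored regex with
# unescaped dots, so a line such as "   1106 14.240.239.7" (1106 hits from
# 14.240.239.7) also matched and was silently dropped from the alert.
allow_ip='106.14.240.239'
# interface whose first IPv4 address identifies this host in the report header
iface='eth0'

# Window bounds in "yyyy-mm-dd HH:MM:SS" form. Comparing date and time (rather
# than the time of day only) keeps requests from previous days in the same
# half hour out of the count and makes a window that crosses midnight work.
start_time=$(date -d "$last_minutes minutes ago" +"%Y-%m-%d %H:%M:%S")
stop_time=$(date +"%Y-%m-%d %H:%M:%S")
# time of day only, for the report header
stop_clock=${stop_time#* }

# Host address for the header; empty if the interface has no IPv4 address,
# never fatal.
host_ip=$(ip -4 -o addr show dev "$iface" 2>/dev/null \
  | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }') || host_ip=''

[[ -r "$logfile" ]] || { printf '%s: cannot read %s\n' "${0##*/}" "$logfile" >&2; exit 1; }

printf '%s: %s %s\n' "$app_name" "$host_ip" "$stop_clock" > "$log_file"

# Newest lines first; keep those inside the window, count requests per client
# IP ("count ip" lines, highest first), then keep the ones over the threshold
# that are not the allow-listed address. The threshold and the allow-list
# value are passed with -v, never interpolated into the awk program.
tac -- "$logfile" \
  | awk -v st="$start_time" -v et="$stop_time" '
      BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i in names) mon[names[i]] = sprintf("%02d", i)
      }
      {
        # "[dd/Mon/yyyy:HH:MM:SS" -> "yyyy-mm-dd HH:MM:SS": string order == time order
        ts = substr($4, 9, 4) "-" mon[substr($4, 5, 3)] "-" substr($4, 2, 2) " " substr($4, 14, 8)
      }
      ts >= st && ts <= et' \
  | awk '{ print $1 }' | sort | uniq -c | sort -nr \
  | awk -v limit="$threshold" -v skip="$allow_ip" '$1 > limit && $2 != skip' >> "$log_file"

# The header line is always written, so a second line means at least one IP
# exceeded the threshold.
if (( $(wc -l < "$log_file") >= 2 )); then
  mail -s "$app_name: suspect_attack" "$mail_to" < "$log_file"
fi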