简单的日志分析shell脚本

mac下awk不能用{IGNORECASE=1}，所以大小写要一个个写出来
shell正则匹配空格用[[:space:]]
日志格式的不对齐，会导致做更详细的筛选统计的时候很蛋疼
最关键的还是写正则和根据实际情况调整正则，降低误报

#!/bin/bash

if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` logfilename"
    exit
fi
log_path=$1
normal_re="/(\.[pP][hH][pP].*[[:space:]]404[[:space:]])|(\.[jJ][sS][pP].*[[:space:]]404[[:space:]])|(\.[aA][sS][pP].*[[:space:]]404[[:space:]])|(\.[aA][sS][pP][xX].*[[:space:]]404[[:space:]])|(\.[eE][xX][eE].*[[:space:]]404[[:space:]])|(\.[rR][aA][rR].*[[:space:]]404[[:space:]])|(\.[zZ][iI][pP].*[[:space:]]404[[:space:]])|(\.[bB][aA][kK].*[[:space:]]404[[:space:]])|(\"[hH][eE][aA][dD].*[[:space:]]404[[:space:]])|(\"[pP][uU][tT].*[[:space:]]404[[:space:]])|([eE][dD][iI][tT][oO][rR]\/.*[[:space:]]404[[:space:]])/"
sql_re="/(^\?[uU][nN][iI][oO][nN].*[sS][eE][lL][eE][cC][tT])|(^\?(([aA][nN][dD])|([^.&\w][oO][rR])|([xX][oO][rR])).{1,7}=)|(^\?[sS][eE][lL][eE][cC][tT].*[fF][rR][oO][mM])/"
xss_re="/(((<)|(%3[cC]))script.{0,10}((%3[eE])|(>)))|([aA][lL][eE][rR][tT]\()/"
cmd_re="/([eE][vV][aA][lL].{0,10}\()|([sS][yY][sS][tT][eE][mM].{0,10}\()/"
echo -e "-----------$1日志分析结果------------------"
awk ${normal_re} ${log_path}
awk ${sql_re} ${log_path}
awk ${xss_re} ${log_path}
awk ${cmd_re} ${log_path}
echo -e "$1日志请求次数前10名IP"
awk '{print $1"\n"}' ${log_path}| sort | uniq -c | sort -nr -k1 | head -n 10

简单的日志分析shell脚本

FEATURED TAGS