This is an old revision of the document!

---

Investigating a 'site down' issue.

grep 24/Apr/2015:02:[3-6][0-9]:* /var/log/httpd/access_log | awk '{print "IPaddress", $1,"Time",$4, $9}'

This will grep for: date 24/April/2015 02:30 - 02:60
E.g:

IPaddress x.x.x.x Time 24/Apr/2015:02:36:01 200
IPaddress x.x.x.x Time 24/Apr/2015:02:36:11 200
IPaddress x.x.x.x Time 24/Apr/2015:02:36:11 200
IPaddress x.x.x.x Time 24/Apr/2015:02:36:12 200

The following can summaries all of the IP addresses hitting the access logs during a certain date/time

grep "12/Jun/2015:12" access_log | awk {'print $1'} | sort | uniq -c | sort -n | tail -n 20

E.g:

    492 x.x.x.1
    497 x.x.x.15
    501 x.x.x.158
    504 x.x.x.19
    517 x.x.x.201
    518 x.x.x.122

See what a specific IP address is doing (access logs) during a specific date/time

grep "12/Jun/2015:12" access_log | grep x.x.x.11 | tail -n 20

x.x.x.11 - - [12/Jun/2015:12:43:05 +0500] "POST /newsite/stats/recording.php HTTP/1.1" 200 407 "-" "-"
x.x.x.11 - - [12/Jun/2015:12:42:50 +0500] "POST /newsite/api2/index.php HTTP/1.1" 200 1238 "-" "Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0 REQUESTED FROM: http://www.example.com/profolio/index.php?tabs=2&section=add_property REF: http://www.example.com/profolio/index.php?tabs=2&section=add_property API KEY:
x.x.x.11 - - [12/Jun/2015:12:43:05 +0500] "POST /newsite/api/index.php HTTP/1.1" 200 3697 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB5"
x.x.x.11 - - [12/Jun/2015:12:43:06 +0500] "POST /newsite/api2/index.php HTTP/1.1" 200 766 "-" "Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0 REQUESTED FROM: http://www.example.com/profolio/includes/add_property_single.php? REF: http://www.example.com/profolio

Following shows what IPs connected to the server during a time period, this can be used to see if the server was down at the time listed.

grep "16/Jun/2015:08:[0-2][0-9]:*" /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr