
Apache log analysis

4 Posts
3 Users
0 Reactions
1,389 Views
(@jonoha)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

Just doing a network forensics assignment which involves analysing the access.log of an Apache server. I was just having a look at different options for the program which I might use, and I found 3 which seem alright.

SawMill
WebLog Expert
Nihuo Web Log Analyser

Opening up all the log files in all 3 of these analysers, I found that they all produce different results, some similar, some very different. From this, then, how could I make a decision on which one to use to analyse the logs for any compromises? Looking at it, also, there are quite a few hits for the address "/" (the server is also running WordPress and a PHP customised application). With the users accessing the "/", ha, which I now find to be http//student/, so that to me would be nothing to worry about, as I believe it is on a uni server, so you would expect that.
Another one with most hits is http//student/educom/themes/Reairie/images/.tmp/index.php –> this page had at least double any other hits. If it was an image I could understand it having a lot of hits, but with it being an index.php page in a temp directory it causes alarms. Also it peaks massively at the start of the log file for about a week, then no hits at all. So I would say something to look at, and would this be by just displaying the data with those hits and then investigating the who, when, blah blah?

Thanks guys


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I'm a little lost as to what the actual question is here, however, moving forward, Apache logs aren't really very complex - if I were you, I'd start by reading the Apache manual section on logging, and then just looking at the logs to see if you can figure out what information is being recorded - if you had the machine image, you'd be able to find the configuration file and get an idea from this, but you just say "access.log" so I guess that's what you've been given. Whilst it's not a "forensic" program, you could do a lot worse than Webalizer. Which (a) is pretty damn accurate from experience and (b) is very configurable. Progressing from there, you could go any number of ways to get information out - either by writing some simple parsing yourself ( Perl ? ), using someone else's prewritten library ( CPAN ? ) or, and I hate to say it, even importing it into Excel using whitespace as the field delimiter - and then you can mangle it there … Even the command line would do you some favours ( a UNIX one, the windows one is useless ! ) with grep, awk and wc being able to search, parse and count respectively !

Whatever is in the log file, assuming no alteration, is a reflection of the behaviour of Apache - if the statistics seem odd then you need to (a) reassure yourself that the file hasn't been tampered with [ unlikely given the exercise & difficult to tell in any case ! ] (b) accept that it is representative of the behaviour of the server and work from there.

You might like to try setting up your own Apache server and experimenting with PHP to see what the normal behaviour of it is, then you might be able to draw further inferences from the logs. You might get some bonus credits too !


(@jonoha)
Active Member
Joined: 15 years ago
Posts: 7
Topic starter  

Yeah, sorry, I started having a direct question but started thinking while typing and then ended up rambling. LOL. Basically those three programs were what I used at first to open up the log, but then I noticed that the reports were considerably different to each other, so then I started thinking, well, which one is correct?
Using these I ended up narrowing it down to one IP address that had 8500 hits, but all returned a server error code 400; then it seemed that the IP address was performing a dictionary attack trying to find a user account.
I will have a look at Webalizer, but yeah, most of the analysis I did in WebLog Expert.

Cheers again for your help. Much appreciated


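The two things the thread keeps coming back to, counting hits per path (the .tmp/index.php question in the first post) and spotting one client whose requests are almost all 400s (the dictionary attack in the reply above), are easy to do with a few lines of your own parsing, which is also the only way to know exactly what each GUI analyser is counting. The script below is an added example written for this thread, not code from any of the tools mentioned or from the poster. It assumes the log is in Apache's standard "combined" format; the IP addresses, paths and timestamps in SAMPLE_LOG are constructed placeholders, not lines from the assignment's access.log, and the thresholds in suspicious_ips are arbitrary starting points.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The referer/agent group is optional so "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>-|\d+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample data (not from the thread's log). 198.51.100.23 plays the
# noisy client; the last line is deliberately malformed to show it is counted
# rather than silently dropped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:08:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:08:01:05 +0000] "GET /themes/example/images/.tmp/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2010:08:01:09 +0000] "GET /themes/example/images/.tmp/index.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2010:08:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.19"
198.51.100.23 - - [10/Mar/2010:08:03:00 +0000] "POST /login HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Mar/2010:08:03:01 +0000] "POST /login HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Mar/2010:08:03:02 +0000] "POST /login HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Mar/2010:08:03:03 +0000] "POST /login HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Mar/2010:08:03:04 +0000] "POST /login HTTP/1.1" 200 1020 "-" "-"
this line is not an access.log record at all
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def summarize(text):
    """Count hits per path and per (ip, status code); also count lines that did not parse."""
    path_hits = Counter()
    ip_status = defaultdict(Counter)
    bad_lines = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad_lines += 1  # differing tool reports often start with lines one tool skips
            continue
        path_hits[rec["path"]] += 1
        ip_status[rec["ip"]][rec["status"]] += 1
    return path_hits, ip_status, bad_lines


def suspicious_ips(ip_status, min_hits=5, min_error_ratio=0.8):
    """Clients with at least min_hits requests of which >= min_error_ratio got a 4xx.

    Returns (ip, total_requests, client_error_requests), busiest first.
    """
    flagged = []
    for ip, statuses in ip_status.items():
        total = sum(statuses.values())
        errors = sum(n for code, n in statuses.items() if 400 <= code < 500)
        if total >= min_hits and errors / total >= min_error_ratio:
            flagged.append((ip, total, errors))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    paths, per_ip, bad = summarize(SAMPLE_LOG)
    print("unparsed lines:", bad)
    for path, n in paths.most_common(3):
        print(f"{n:5d}  {path}")
    for ip, total, errors in suspicious_ips(per_ip):
        print(f"{ip}: {total} requests, {errors} client errors")
```

To run it against a real file, replace SAMPLE_LOG with the contents of access.log. The unparsed-line count is worth printing first: if it is not zero, either the server used a different LogFormat (check httpd.conf if you have it) or the file contains something that is not Apache output, and either one will make different analysers disagree.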
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Have you tried Log Parser yet? It's on my short list that I always go to for parsing many log files.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com

