Just doing a network forensics assignment which involves analysing the access.log of an Apache server. I was just having a look at different options for the program which I might use and I found 3 which seem alright:
SawMill
WebLog Expert
Nihuo Web Log Analyser
Opening up all the log files in all 3 of these analysers I found that they all produce different results, some similar, some very different. From this, then, how could I make a decision on which one to use to analyse the logs for any compromises? Looking at it, there are also quite a few hits for the address "/" (the server is also running WordPress and a customised PHP application), with the users accessing the "/", which I now find to be http//student/, so that to me would be nothing to worry about, as I believe it is on a uni server so you would expect that.
Another one with most hits is http//student/educom/themes/Reairie/images/.tmp/index.php –> this page had at least double any other hits. If it was an image I could understand it having a lot of hits, but with it being an index.php page in a temp directory it causes alarms. Also, it peaks massively at the start of the log file for about a week, then no hits at all. So I would say something to look at, and would this be by just displaying the data with those hits and then investigating the who, when, blah blah?
Thanks guys
I'm a little lost as to what the actual question is here, however, moving forward, Apache logs aren't really very complex - if I were you, I'd start by reading the Apache manual section on logging, and then just looking at the logs to see if you can figure out what information is being recorded - if you had the machine image, you'd be able to find the configuration file and get an idea from this, but you just say "access.log" so I guess that's what you've been given. Whilst it's not a "forensic" program, you could do a lot worse than
Whatever is in the log file, assuming no alteration, is a reflection of the behaviour of Apache - if the statistics seem odd then you need to (a) reassure yourself that the file hasn't been tampered with [ unlikely given the exercise & difficult to tell in any case! ] (b) accept that it is representative of the behaviour of the server and work from there.
You might like to try setting up your own Apache server and experimenting with PHP to see what the normal behaviour of it is, then you might be able to draw further inferences from the logs. You might get some bonus credits too!
Yeah, sorry, I started with a direct question but started thinking while typing and then ended up rambling. LOL. Basically those three programs were what I used at first to open up the log, but then I noticed that the reports were considerably different to each other, so then I started thinking, well, which one is correct?
Using these I ended up narrowing it down to one IP address that had 8500 hits, but all returned a server error code 400; then it seemed that the IP address was performing a dictionary attack trying to find a user account.
I will have a look at webalyser, but yeah, most of the analysis I did in WebLog Expert.
Cheers again for your help. Much appreciated
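The two findings above (a PHP script under a hidden `.tmp` directory getting double the hits of anything else, then going quiet after a week; and one IP sending thousands of requests that all come back 400) are exactly the sort of thing you can check yourself instead of trusting whichever analyser happens to count differently. The script below is an added example, not code from this thread or from any of the analysers named in it. It parses Apache Combined Log Format (plain Common Log Format also parses), counts hits per path and per client, flags PHP scripts under dot-directories, flags clients whose requests are almost all errors, and shows hits per day for a given path. The sample log embedded at the bottom is constructed for the example (documentation-range IPs, a made-up `/~userN` dictionary run); the thresholds in `noisy_error_clients` are assumptions to tune against your own log.

```python
import re
from collections import Counter, defaultdict

# Matches Apache Combined Log Format; the trailing referer/user-agent group is
# optional so plain Common Log Format records parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# A PHP script living under a hidden (dot) directory, e.g. /images/.tmp/index.php
SUSPICIOUS_PATH_RE = re.compile(r'/\.[^/]+/.*\.php$')


def parse_line(line):
    """Return a dict for one access.log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec['request'].split()
    rec['method'] = parts[0] if parts else ''
    target = parts[1] if len(parts) > 1 else ''
    rec['path'], _, rec['query'] = target.partition('?')   # aggregate per script, not per query
    rec['status'] = int(rec['status'])
    rec['day'] = rec['time'][:11]                           # e.g. "10/Oct/2010"
    return rec


def summarise(lines):
    """Count hits per path and per client IP, plus per-IP status codes."""
    hits_by_path = Counter()
    hits_by_ip = Counter()
    status_by_ip = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1   # count, don't silently drop: format drift or damage shows up here
            continue
        hits_by_path[rec['path']] += 1
        hits_by_ip[rec['ip']] += 1
        status_by_ip[rec['ip']][rec['status']] += 1
    return hits_by_path, hits_by_ip, status_by_ip, unparsed


def suspicious_paths(hits_by_path):
    """Paths that look like a dropped script: PHP under a dot-directory."""
    return {p: n for p, n in hits_by_path.items() if SUSPICIOUS_PATH_RE.search(p)}


def noisy_error_clients(status_by_ip, min_hits=10, min_error_ratio=0.9):
    """IPs whose requests are almost all 4xx/5xx: brute-force or scanner candidates.
    Thresholds are assumptions; tune them to the size of the log."""
    flagged = {}
    for ip, counts in status_by_ip.items():
        total = sum(counts.values())
        errors = sum(n for status, n in counts.items() if status >= 400)
        if total >= min_hits and errors / total >= min_error_ratio:
            flagged[ip] = (total, errors)
    return flagged


def daily_hits_for_path(lines, path):
    """Hits per day for one path, to see whether activity is a burst or steady."""
    days = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['path'] == path:
            days[rec['day']] += 1
    return days


# Constructed sample log, not real data: documentation-range IPs, a few ordinary
# hits, three hits on the suspicious script, one junk line, and one client that
# only ever gets HTTP 400 back.
SAMPLE_LOG = (
    '192.0.2.10 - - [10/Oct/2010:13:55:36 +0100] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"\n'
    '192.0.2.11 - - [10/Oct/2010:13:55:40 +0100] "GET /wp-login.php HTTP/1.1" 200 1530 "-" "Mozilla/5.0"\n'
    '192.0.2.10 - - [11/Oct/2010:09:12:01 +0100] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"\n'
    '203.0.113.5 - - [10/Oct/2010:14:01:00 +0100] "GET /educom/themes/Reairie/images/.tmp/index.php HTTP/1.1" 200 512 "-" "-"\n'
    '203.0.113.5 - - [10/Oct/2010:14:01:05 +0100] "POST /educom/themes/Reairie/images/.tmp/index.php HTTP/1.1" 200 88 "-" "-"\n'
    '203.0.113.5 - - [11/Oct/2010:02:30:09 +0100] "GET /educom/themes/Reairie/images/.tmp/index.php?cmd=id HTTP/1.1" 200 97 "-" "-"\n'
    'this line is not a valid access.log record\n'
    + ''.join(
        f'198.51.100.7 - - [12/Oct/2010:15:00:{i:02d} +0100] "GET /~user{i} HTTP/1.0" 400 226\n'
        for i in range(12)
    )
)
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == '__main__':
    by_path, by_ip, status_by_ip, bad = summarise(SAMPLE_LINES)
    print('unparsed lines:', bad)
    print('top paths:', by_path.most_common(3))
    print('suspicious paths:', suspicious_paths(by_path))
    print('noisy error clients:', noisy_error_clients(status_by_ip))
    for p in suspicious_paths(by_path):
        print(p, dict(daily_hits_for_path(SAMPLE_LINES, p)))
```

Run it against a real file with `summarise(open('access.log', encoding='utf-8', errors='replace'))`. Two things worth keeping an eye on: the `unparsed` count tells you whether the file is in the format you think it is (a high number usually means a different LogFormat, not tampering), and the per-path counts here split on the query string, which is one reason different GUI analysers disagree with each other: some count `index.php` and `index.php?cmd=id` as one page, some as two, and some fold 4xx responses into "hits" while others only count successes.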
Have you tried Log Parser yet? It's on my short list that I always go to for parsing many log files.
Cheers!
farmerdude