Prompt

Analyze an nginx access log and answer questions about what happened.

access.log13.1KB

Tutorial Video

Walk-Through

This challenge involves analyzing an nginx access log. The questions can be solved through manual inspection of the file and by using basic Linux commands to parse the log.

Looking through the first few lines of the log, it is apparent that the IP addresses are the first field in each line:

To answer the first question, the IPs need to be extracted, sorted to filter for only unique ones, and counted. This can be done with cut, sort, uniq and wc :

For a more thorough explanation of these commands, refer to the Walkthrough for Log Analysis Challenge Login.

Extracting data from a column in a log file:

Looking at the first screenshot, the HTTP return codes are in the fourth field from the last:

The field right before it is enclosed in double quotes, so " can be used as a delimiter with cut. The first field before the " will contain data from the IP address to the timestamp. The second field, starting with GET, is the actual HTTP request. Therefore, the return codes will be the third field when a double quote is used as the delimiter.

💡

*Note: you only need to use one "between two single quotes in the cut command.

A portion of the output of cat access.log | cut -d '"' -f3 is shown here :

To eliminate the second column from this output, the output can be piped through another cut command using a space as the delimiter. It looks like there is a space before the HTTP return codes as well, so the codes will be the second field after the first “space”:

Now that we are working with the HTTP return codes, we can sort and count the code occurrences:

Matching patterns with grep:

The remaining parts of this challenge require using grep , a tool that can be used to search entries for a keyword. Refer to the Linux: Basic Commands Walkthrough for more information on using grep.Using grep with the -o flag tells grep to print only the part of the line that matches the pattern, instead of the entire line.

To answer the questions about the HTTP methods used (here is a resource to learn more about HTTP Request methods: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods), we can approach it two ways: first, using cut to extract the field containing the HTTP request methods (enclosed in double quotes), and then filtering out the first field within it which contains the actual HTTP request method, sorting it and counting the unique values. This method should be familiar from the process we worked through before. sort -rn will list the output in reverse numeric order, so the term with the highest number of occurrences is listed at the top.

Extracting columnar data with awk

We can also use awk to get the desired output. It is a powerful text processing tool that treats any amount of whitespace as a single field separator by default, as compared to cut, which treats only a tab space as a default field separator. Therefore, for awk, the HTTP Request Method would be the 6th field from the left.

Backslash - Escape character:

The last question prompts us to look for a raw byte sequence in the log file. If grep '\41' access.log was used, the Linux shell is going to convert the byte to ASCII, and look for ‘A’ instead. To prevent the shell from interpreting the backslash as an escape character, it needs to be escaped with another backslash as follows: grep ‘\\41’ access.log. This ensures grep receives the full byte sequence and not the translated character.

The output of grep ‘\\x04’ access.log

Questions

Q1. How many different IP addresses reached the server?

cat access.log | cut -d " " -f 1 | sort | uniq | wc -l

Extract the first field (with the IP addresses), sort the IP addresses, get the unique IP addresses, and then get a line count

Q2. How many requests yielded a 200 code?

cat access.log | cut -d '"' -f 3 | cut -d ' ' -f 2 | sort | uniq -c | sort -rn

Extract the third field (with the IP addresses), sort the IP addresses, get the unique values with a count of the occurrences of each IP address, and then sort in descending numeric order

Q3. How many requests yielded a 400 code?

Same as the question above

Q4. What IP address rang at the doorbell?

cat access.log | grep "bell"

Search the log for any lines that contain “bell”

Q5. What version of the Googlebot visited the website?

cat access.log | grep "Googlebot"

Search the log for any lines that contain “Googlebot”

Q6. Which IP address attempted to exploit the Shellshock vulnerability?

Search online for details about the Shellshock vulnerability. You should be able to find that the presence of this sequence of characters () { :; }; is an indication of an attempted exploitation of this vulnerability.

cat access.log | grep '() { :; };'

Search the log for any lines that contain () { :; };

Q7. What was the most popular version of Firefox used for browsing the website?

cat access.log | egrep -o "Firefox/.*" | sort | uniq -c

Search the log for all lines that contain “Firefox” and the following characters which make up the version number, sort those values, and then get a unique count.

Q8. What is the most common HTTP method used?

cat access.log | awk -F " " '{print $6}' | sort | uniq -c | sort -rn

Extract the 6th field (with the HTTP method), sort, get the unique values with a count of the occurrences of each value, and then sort in descending numeric order.

Q9. What is the second most common HTTP method used?