Handy Apache log file analyser - Scalp

Written by Peter Davies on .

Needed to examine a series of Apache log files for suspicious activity from a group of IP addresses and came across this:

wget http://apache-scalp.googlecode.com/files/scalp-0.4.py
wget --no-check-certificate https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml

Set the permissions:

chmod 755 scalp-0.4.py

Run the command:

./scalp-0.4.py -l /var/log/access_log -f ./default_filter.xml -o ./scalp-output --text

On my first run I needed to comment out rules 45 and 73 in default_filter.xml because of regex compile issues. You can then filter the data:

cat scalp-output/access_log.2_scalp_Mon-10-Jun-2013.txt | grep -v "com_search" | less
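A small reimplementation of what scalp does with that filter file, added here as an example (not scalp's own code): it loads PHPIDS-style rules from a constructed default_filter.xml fragment, skips any rule whose regex will not compile instead of aborting the run (the situation with rules 45 and 73 above), and matches the remaining rules against the URL-decoded request path of each Apache log line, optionally limited to a set of source IPs. The XML fragment, the rule regexes and the log lines are all constructed for the example.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed, cut-down filter file in the PHPIDS default_filter.xml layout (hand-written
# rules, not the real set); rule 3 is deliberately invalid to mirror the compile problems above.
FILTER_XML = r"""<filters>
  <filter><id>1</id><rule><![CDATA[(?:<script[^>]*>)]]></rule><description>script tag
    </description><tags><tag>xss</tag></tags><impact>4</impact></filter>
  <filter><id>2</id><rule><![CDATA[(?:\.\./){2,}]]></rule><description>directory traversal
    </description><tags><tag>lfi</tag></tags><impact>5</impact></filter>
  <filter><id>3</id><rule><![CDATA[(?<=unclosed]]></rule><description>broken rule
    </description><tags><tag>xss</tag></tags><impact>1</impact></filter>
</filters>"""

# Constructed Apache combined-format lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.7 - - [10/Jun/2013:12:01:02 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2013:12:01:05 +0000] "GET /index.php?option=com_search&searchword=../../../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2013:12:02:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def load_filters(xml_text):  # -> (usable rules, ids of rules whose regex failed to compile)
    rules, broken = [], []
    for f in ET.fromstring(xml_text).iter("filter"):
        rid = int(f.findtext("id"))
        try:
            rx = re.compile(f.findtext("rule"), re.IGNORECASE)
        except re.error:
            broken.append(rid)  # report and skip the rule instead of aborting the whole run
            continue
        rules.append((rid, rx, [t.text for t in f.iter("tag")], int(f.findtext("impact"))))
    return rules, broken

def scan(lines, rules, ips=None):  # one hit per (request, rule) match; ips narrows to those sources
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or (ips and m["ip"] not in ips):
            continue
        target = urllib.parse.unquote(m["path"])  # decode %xx escapes before matching the rules
        for rid, rx, tags, impact in rules:
            if rx.search(target):
                hits.append({"ip": m["ip"], "id": rid, "tags": tags, "impact": impact, "path": target})
    return hits

if __name__ == "__main__":  # demo run over the constructed lines
    rules, broken = load_filters(FILTER_XML)
    print("skipped rules:", broken, "hits:", scan(LOG_LINES, rules))
```

Point the two constants at a real filter file and a real access_log and the same functions give you the per-IP, per-rule view the post is after.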