I would like to find IP addresses and user agents that have made more than 10 server requests per second. Help me, please. How can I do this? Maybe with awk, grep?
Here are some typical lines from my access log:
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-v-korpuse-pechki-honda-cr-v-200-pr-1019 HTTP/1.0" 200 387654 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-v-salone-honda-cr-v-2002-2006-pr-1018 HTTP/1.0" 200 387484 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-naruzhnogo-vozduha-defekt-honda-pr-12550 HTTP/1.0" 200 387484 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/klapan-otopitelya-benzin-honda-cr-v-2002-2006-797-pr-1006 HTTP/1.0" 200 387449 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/kronshtejn-radiatora-kondicionera-pravyj-honda-cr-pr-1008 HTTP/1.0" 200 387996 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/provodka-pechki-honda-cr-v-2-2002-2006-pr-12228 HTTP/1.0" 200 386676 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-v-korpuse-pechki-honda-cr-v-200-pr-1019 HTTP/1.0" 200 387654 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-v-salone-honda-cr-v-2002-2006-pr-1018 HTTP/1.0" 200 387484 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/datchik-temperatury-naruzhnogo-vozduha-defekt-honda-pr-12550 HTTP/1.0" 200 387484 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/klapan-otopitelya-benzin-honda-cr-v-2002-2006-797-pr-1006 HTTP/1.0" 200 387449 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/kronshtejn-radiatora-kondicionera-pravyj-honda-cr-pr-1008 HTTP/1.0" 200 387996 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/provodka-pechki-honda-cr-v-2-2002-2006-pr-12228 HTTP/1.0" 200 386676 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:51 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/rozshiryuvalnij-klapan-kondicionera-honda-cr-v-2-2-pr-11867 HTTP/1.0" 200 387227 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:26:55 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-obogreva-i-klimata-54/servoprivod-zaslonki-pechki-pravyj1-honda-cr-v-200-pr-1001 HTTP/1.0" 200 387750 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:24:41 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-77970s9ab812m1-honda-cr-v-2-2002-2006-pr-12578 HTTP/1.0" 200 386162 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:24:45 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-77970s9ac812m1-honda-cr-v-2-2002-200-pr-12577 HTTP/1.0" 200 386159 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:24:53 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-77970scag911m1-honda-cr-v-2-2002-2006-pr-12575 HTTP/1.0" 200 386141 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:25:00 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-perednij-levyj-77940s9an810-honda-cr-pr-12557 HTTP/1.0" 200 386548 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
95.216.137.119 - - [28/Jan/2023:03:25:06 +0200] "POST /index.php?route=api/login HTTP/1.0" 200 190 "-" "-"
95.216.137.119 - - [28/Jan/2023:03:25:07 +0200] "GET /index.php?route=api/oneboxsync/getOrderValue/&token=95ghttSKDUuykyhc4fY4tcDCuAmpZxrQ&api_token= HTTP/1.0" 200 216719 "-" "-"
176.9.50.244 - - [28/Jan/2023:03:25:09 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-perednij-levyj-honda-cr-v-2002-2006-pr-992 HTTP/1.0" 200 386813 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
176.9.50.244 - - [28/Jan/2023:03:25:14 +0200] "GET /honda-1/honda-cr-v-2-2002-2006-12/sistema-bezopasnosti-52/datchik-udara-perednij-pravyj-77930s9an810-honda-cr-pr-12574 HTTP/1.0" 200 386777 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"
To find info about UAs I'm running this (it gives me the number of hits each unique UA has):
awk -F'"' '{print $6}' /www/logs/www.example.com-access.log | sort | uniq -c | sort -rn
What can I do differently to make these commands show me only the IPs from which more than 10 requests per second were made?
If there is an IP from which 10 or more requests per second were made to the server, I want to find it in my log.
https://prnt.sc/1zKKp6tXx0UZ – this shows 10 requests per second from the same IP (176.9.50.244), so it must be caught by the command and printed to the screen.
In this case (corresponding to the new set of input data) the output must look like this – just one IP must be printed:
176.9.50.244
When counting the number of reqs/sec, it must count all lines with the same timestamp and the same IP. Let's forget about the UA and focus on the IP.
I use the UA for additional information only.
2 Answers
There are many ways to do this. One is below. Please mark as correct or add a comment and I will address this further.

One awk idea:

Adding some variation to the input file:

For limit=10 this generates:

For limit=4 this generates:

For limit=2 this generates:

NOTES:
176.9.50.244 shows up twice; it's not clear from OP's description if we should only show an IP once in the final output, or once for each unique set of timestamps that match the criteria.
Pipe the output through sort, or add code to have awk sort the data before printing to stdout.
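The awk code in the answer above did not survive on this page, so here is an added, self-contained example of the approach (my code, not the answerer's or OP's). It keys on the client IP (field 1) plus the timestamp to the second (field 4 of the Combined Log Format, with the leading "[" stripped), counts requests per key, and reports keys at or above a threshold; the sample log is constructed to mirror the question (12 hits from 176.9.50.244 in one second, plus some quieter IPs) and is not real traffic. The threshold uses "at least LIMIT", matching OP's "10 or more"; change `>=` to `>` for a strict "more than". The function names `busy_seconds`, `busy_ips`, `emit` and `sample_log` are mine.

```shell
#!/bin/sh
# Added example: find client IPs that made >= LIMIT requests within one
# clock second, from an access log in Combined Log Format.
# Assumed field layout (whitespace split): $1 = client IP,
# $4 = "[dd/Mon/yyyy:HH:MM:SS", $5 = "+0200]".

# emit COUNT IP TIMESTAMP : print COUNT constructed log lines (synthetic data).
emit() {
    n=0
    while [ "$n" -lt "$1" ]; do
        printf '%s - - [%s +0200] "GET /honda-1/page-%d HTTP/1.0" 200 387654 "-" "Mozilla/5.0 (compatible; MegaIndex.ru/2.0; +http://megaindex.com/crawler)"\n' "$2" "$3" "$n"
        n=$((n + 1))
    done
}

# sample_log : constructed access log modelled on the question's lines.
# 176.9.50.244: 12 requests in 03:26:14, 4 in 03:26:51; 95.216.137.119: 3 in one
# second; 203.0.113.9: 1 request. 20 lines in total.
sample_log() {
    emit 12 176.9.50.244 28/Jan/2023:03:26:14
    emit 4  176.9.50.244 28/Jan/2023:03:26:51
    emit 3  95.216.137.119 28/Jan/2023:03:25:06
    emit 1  203.0.113.9 28/Jan/2023:03:25:07
}

# busy_seconds LIMIT : read a log on stdin and print "COUNT IP SECOND" for every
# (IP, second) pair with at least LIMIT requests, busiest first.
busy_seconds() {
    awk -v limit="$1" '
        # substr($4, 2) drops the leading "[" so the key reads dd/Mon/yyyy:HH:MM:SS
        { hits[$1 " " substr($4, 2)]++ }
        END {
            for (k in hits)
                if (hits[k] >= limit) print hits[k], k
        }' | sort -rn
}

# busy_ips LIMIT : the same, collapsed to one line per offending IP (the output
# the question asks for), sorted with duplicates removed.
busy_ips() {
    busy_seconds "$1" | awk '{ print $2 }' | sort -u
}

# Usage on the constructed data: prints 176.9.50.244
sample_log | busy_ips 10
# Usage on a real log: busy_ips 10 < /www/logs/www.example.com-access.log
```

Two caveats before acting on the output. The timestamp bucket is a fixed clock second, not a sliding window, so a burst of 8 requests at 03:26:14.9 and 8 at 03:26:15.1 never crosses a limit of 10; lower the limit or aggregate adjacent seconds if that matters. And if the server sits behind a reverse proxy or load balancer, field 1 is the proxy's address and every client collapses into one "busy" IP; log the forwarded client address (for example from X-Forwarded-For) and key on that field instead.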