[文本处理] 求助一个从apache的error_log里取数据的问题 [复制链接]

论坛徽章:: 0

发表于 2017-09-01 11:41 |显示全部楼层

最近给apache装了个modsecurity防火墙，然后看到apache的error_log日志里面有防火墙的数据

原始数据格式是下面这样的，好长，请问如何根据其中的标签，比如“client”是IP “tag”是标签，但是tag可能有多有少，取出来IP信息和这种tag信息存出来
这样可以导出成数据再显示出来
这里面看起来好复杂，而且最关键这个是防火墙的日志，里面本来就有一大堆乱七八糟的奇怪信息，这种问题有什么办法才能解决呢

请教一下
谢谢

[Mon Aug 28 16:31:50.891707 2017] [:error] [pid 3990:tid 140632806864640] [client 192.168.0.133:47088] [client 192.168.0.133] ModSecurity: Warning. Pattern match "(?i)([<\\xef\\xbc\\x9c]script[^>\\xef\\xbc\\x9e]*[>\\xef\\xbc\\x9e][\\\\s\\\\S]*?)" at ARGS:id. [file "/data/modsecurity.d/owasp-modsecurity-crs-3.0.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "91"] [id "941110"] [rev "2"] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:id: <script>alert(1)</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "4"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "1.abc.com"] [uri "/"] [unique_id "WaPU9n8AAAEAAA@Wcq4AAACO"]

[Mon Aug 28 16:32:11.077198 2017] [:error] [pid 3988:tid 140632848824064] [client 192.168.0.133:47094] [client 192.168.0.133] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/data/modsecurity.d/owasp-modsecurity-crs-3.0.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "test.abc.com"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "2.abc.com"] [uri "/<script>alert(1)</script>.html"] [unique_id "WaPVC38AAAEAAA@UZuwAAAAK"]

文库|博客

关阴月飞

大富大贵

论坛徽章:: 39

发表于 2017-09-01 12:39 |显示全部楼层

是这意思吗？

[root@DC ~]# grep -Po '\[tag[^\]]+|\[client[^\]]+' urfile
[client 192.168.0.133:47088
[client 192.168.0.133
[tag "application-multi"
[tag "language-multi"
[tag "platform-multi"
[tag "attack-xss"
[tag "OWASP_CRS/WEB_ATTACK/XSS"
[tag "WASCTC/WASC-8"
[tag "WASCTC/WASC-22"
[tag "OWASP_TOP_10/A3"
[tag "OWASP_AppSensor/IE1"
[tag "CAPEC-242"
[client 192.168.0.133:47094
[client 192.168.0.133
[tag "application-multi"
[tag "language-multi"
[tag "platform-multi"
[tag "attack-protocol"
[tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"
[tag "WASCTC/WASC-21"
[tag "OWASP_TOP_10/A7"
[tag "PCI/6.5.10"

复制代码

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

本友会机友会摄友会本友会机友会摄友会当前离线禁止发言好友博客消息论坛徽章: 0	发表于 2017-09-01 12:56 \|显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
	实战分享：从技术角度谈机器学习入门\| 【大话IT】RadonDB低门槛向MySQL集群下战书 \| ChinaUnix打赏功能已上线！ \| 新一代分布式关系型数据库RadonDB知多少？

wh7211

版主

论坛徽章:: 25

发表于 2017-09-05 17:00 |显示全部楼层

回复 1# 大队人马

grep -Po '\[\Kclient[^]]+|\[\Ktag[^]]+' file

复制代码

输出如下内容：
client 192.168.0.133:47088
client 192.168.0.133
tag "application-multi"
tag "language-multi"
tag "platform-multi"
tag "attack-xss"
tag "OWASP_CRS/WEB_ATTACK/XSS"
tag "WASCTC/WASC-8"
tag "WASCTC/WASC-22"
tag "OWASP_TOP_10/A3"
tag "OWASP_AppSensor/IE1"
tag "CAPEC-242"
client 192.168.0.133:47094
client 192.168.0.133
tag "application-multi"
tag "language-multi"
tag "platform-multi"
tag "attack-protocol"
tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"
tag "WASCTC/WASC-21"
tag "OWASP_TOP_10/A7"
tag "PCI/6.5.10"

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

返回列表

Chinaunix › 论坛 › 程序设计 › Shell › 求助一个从apache的error_log里取数据的问题