table of Contents
Apache, Nginx, IIS log analysis
、 、 Apache
1.1. Windows Server 2008 R2 platform
1.1.1. Log location and configuration
(1) After starting Apache, Apache will automatically generate two log files, these two log files are access log access.log and error log error.log.
(2) We can configure the Apache access log format in the Apache configuration file httpd.conf.
#下面两句定义不同模式下的日志记录格式
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
#下面一句定义日志文件存储位置以及采用的记录格式
CustomLog "logs/access.log" common
Explanation:
There are two main logging formats in Apache, common and combined. The common type is used to log access information by default during installation.
1.1.2. Analysis
(1) The following is a standard log record in the common record format
192.168.2.184 - - [20/Apr/2020:17:17:18 +0800] "GET /pikachu-master HTTP/1.1" 301 247
analyse as below:
| Field value | Field Name | meaning |
|---|---|---|
| 192.168.2.184 | Client IP | Access server IP |
| - | ||
| - | log-in name | The name provided when the client accesses the service verification (-in the case of anonymous) |
| [20/Apr/2020:17:17:18 +0800] | time | The time requested by the client segment ("+0800" indicates that the server's time zone is 8 hours after UTC) |
| "GET /pikachu-master HTTP/1.1" | Method + Resources + Agreement | Client request method, requested resource file, protocol adopted by client |
| 301 | Status code | 301 means the requested page has been transferred to a new URL |
| 247 | Bytes | The length of bytes sent by the server to the client |
(2) The following is a standard log record in the combined record format
192.168.2.184 - - [20/Apr/2020:17:36:18 +0800] "GET /pikachu-master/ HTTP/1.1" 200 35392 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
analyse as below:
| Field value | Field Name | meaning |
|---|---|---|
| ... | ... | ... |
| "-" | Reference site | The previous site visited by the user. This site provides a link to the current site. |
| "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" |
Browser identification information provided by the client browser | Browser kernel version, operating system version, browser version |
1.2. CentOS 7 platform
1.2.1. Log location
cat /var/log/httpd/access_log 查看Apache日志
1.2.2. Analysis
The following is a record
192.168.2.184 - - [11/Apr/2020:21:51:47 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
The observation is exactly the same as under Windows, so the analysis can refer to 1.1.2
Two, Nginx
2.1. Windows Server 2008 R2 platform
2.1.1. Log location
We can view or change the storage location of the log in the configuration file
2.1.2. Analysis
The following is a log.
192.168.33.254 - - [20/Feb/2020:22:57:27 +0800] "POST /pikachu-master/vul/burteforce/bf_form.php HTTP/1.1" 200 4899 "http://192.168.33.254/pikachu-master/vul/burteforce/bf_form.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
See 2.2 for details (same as under Linux)
2.2. CentOS 7 platform
2.2.1. Log location and configuration
#日志位置
/var/log/nginx/access.log
#nginx配置文件位置
vim /etc/nginx/nginx.conf(可能有所不一样)
#配置文件中关于日志的字段(日志格式+日志存放位置)
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
2.2.2. Analysis
The following is a Nginx log:
192.168.2.184 - - [20/Apr/2020:17:59:09 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" "-"
analysis:
| Field value | Field Name | meaning |
|---|---|---|
| 192.168.2.184 | $remote_addr | Client (user) IP address |
| - - | - $remote_user | The user name of the client, anonymous access is- |
| [20/Apr/2020:17:59:09 +0800] | [$time_local] | interview time |
| "GET /index.html HTTP/1.1" | "$request" | Request method and requested resource URI address |
| 200 | $status | Status code (200 OK) |
| 612 | $body_bytes_sent | Requested page size |
| "-" | "$http_referer" | Source page, that is, from which page to go to this page |
| "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" |
"$http_user_agent" | Browser information, operating system information |
| "-" | "$http_x_forwarded_for" | Obtain the real IP, if not, it will be displayed as- |
3.2.3. Custom logging fields
If the information we want to obtain is not recorded, for example: the processing time of the server, etc. Then we can add the following content in the configuration file to obtain the information we want.
$request_time
#记录请求处理时间(以秒为单位,携带毫秒的解决方案),从读取客户端第一个字节开始算起,到发送最后一个字节给客户端的时间间隔
$upstream_response_time
#记录nginx从后端服务器(upstream server)获取响应的时间(以秒为单位,携带毫秒的解决方案),多个请求的时间以逗号分隔
$request_length
#记录请求长度(包括请求行,请求头,请求体)
$bytes_sent
#发送给客户端的字节数,不同于$body_bytes_sent(发送给客户端的响应体字节数)
Three, IIS
3.1. Location of IIS 7 log records (Windows Server 2008 R2)
In addition, we can set the fields to be recorded in the log through the Internet Information Service (IIS) manager:
3.2. Analysis
A complete log record is as follows:
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2020-04-20 07:28:44
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2020-04-20 07:28:44 W3SVC4 FENGWENBO 192.168.2.254 GET /picnews.asp - 8004 - 192.168.2.184 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:75.0)+Gecko/20100101+Firefox/75.0 zh_choose=n;+ASPSESSIONIDAQSBBTTA=FHLLDFKCKALEMJAPACIFLDLL http://192.168.2.254:8004/ 192.168.2.254:8004 200 0 0 731 500 327
The meaning of each field is as follows:
| Field value | Field Name | meaning |
|---|---|---|
| 2020-04-20 | Date | Date of the event |
| 07:28:44(+8) | Time | When the activity took place |
| W3SVC4 | Service name (s-sitename) | The number of Internet services and instances of the site accessed by the client |
| FENGWENBO | Server name (s-computername) | The name of the server that generated the log entry. |
| 192.168.2.254 | Server IP (s-ip) | The IP address of the server that generated the log entry |
| GET | Method (cs-method) | Operations performed by the client |
| /picnews.asp | Requested access page (cs-uri-stem) | Client access files |
| Access query string (cs-uri-query) | The query the client is trying to execute (nothing at this time, shown as-) | |
| 8004 | Server port (s-port) | The port where the client connects to the server |
| - | Client username (cs-username) | Anonymous user login, shown as- |
| 192.168.2.184 | Client IP (c-ip) | Real client IP address to access the server |
| HTTP/1.1 | Protocol version (cs-version) | The protocol used by the client |
| Mozilla/5.0 +(Windows+NT+10.0; +Win64;+x64;+rv:75.0) +Gecko/20100101 +Firefox/75.0 |
User agent (cs (User-Agent)) | Browser used on the client |
| zh_choose=n; +ASPSESSION IDAQSBBTTA =FHLLDFKCK ALEMJAPACIFLDLL |
cookie(cs(Cookie)) | 发送或接收的 Cookie 的内容 |
| http://192.168.2.254:8004/ | 引用站点(cs(Referer)) | 用户访问的前一个站点。此站点提供到当前站点的链接。 |
| 192.168.2.254:8004 | 主机(cs-host) | 显示主机头的内容 |
| 200 | 协议返回状态(sc-status) | 以HTTP或FTP表示的操作的状态(200 OK) |
| 0 | HTTP子协议的状态(sc-substatus) | |
| 0 | Win32® 状态(sc-win32-status) | 用 Windows® 使用的术语表示的操作的状态 |
| 731 | 服务器发送的字节数(sc-bytes) | 服务器发送的字节数。 |
| 500 | 服务器接受的字节数(cs-bytes) | 服务器接收的字节数。 |
| 327 | 所用时间(time-taken) | 操作花费的时间长短(亳秒) |