Blog May 30, 2010

egrepping mod_security logs

A handy set of egrep one-liners for pulling the most useful information out of mod_security logs, including top user agents, HTTP status codes, referrers, and the scripts most frequently targeted by attackers.


Today I'd like to share a couple of commands to extract interesting information from your mod_security logs.

Lists user agents ordered by the number of occurrences.

egrep 'User-Agent' modsec_audit.log | sort | uniq -c | sort -rn

Lists the distinct HTTP status codes recorded for the logged requests.

egrep "^HTTP/" modsec_audit.log | sed  "s/HTTP\/[01].[019] //g" | sort | uniq

Lists referrers and counts occurrences.

egrep 'Referer' modsec_audit.log | sort | uniq -c | sort -rn

And two simple variations of the same pipeline to see the most frequently requested, i.e. most attacked, scripts.

egrep 'GET' modsec_audit.log | sort | uniq -c | sort -rn
egrep 'POST' modsec_audit.log | sort | uniq -c | sort -rn
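The same four reports, as an added example that is not part of the original post, gathered into one script that anchors each pattern to the line format of the serial audit log (`User-Agent:` and `Referer:` headers in the request section, the `HTTP/x.y nnn` status line in the response section, and the request line itself), so that rule messages or body text quoting those strings are not counted. It strips query strings before counting, so `/index.php?id=1` and `/index.php?id=1%27` fall under one target. The audit log it runs against is constructed inline for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the ModSecurity serial
# audit log layout: sections delimited by --id-X-- markers, request headers in B,
# the response status line in F.

# Constructed sample log (four transactions, documentation addresses only).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
--0a1b2c3d-A--
[30/May/2010:10:00:01 +0000] 0a1b2c3d 198.51.100.7 54321 203.0.113.10 80
--0a1b2c3d-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; scanner-example/1.0)
Referer: http://www.example.com/
--0a1b2c3d-F--
HTTP/1.1 200 OK
--0a1b2c3d-Z--
--0a1b2c3e-A--
[30/May/2010:10:00:02 +0000] 0a1b2c3e 198.51.100.7 54322 203.0.113.10 80
--0a1b2c3e-B--
GET /index.php?id=1%27 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; scanner-example/1.0)
--0a1b2c3e-F--
HTTP/1.1 403 Forbidden
--0a1b2c3e-Z--
--0a1b2c3f-A--
[30/May/2010:10:00:03 +0000] 0a1b2c3f 198.51.100.9 40001 203.0.113.10 80
--0a1b2c3f-B--
POST /login.php HTTP/1.1
Host: www.example.com
User-Agent: curl/7.19.7
Referer: http://www.example.com/login.php
--0a1b2c3f-F--
HTTP/1.1 403 Forbidden
--0a1b2c3f-Z--
--0a1b2c40-A--
[30/May/2010:10:00:04 +0000] 0a1b2c40 198.51.100.7 54323 203.0.113.10 80
--0a1b2c40-B--
GET /admin.php HTTP/1.0
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible; scanner-example/1.0)
--0a1b2c40-F--
HTTP/1.0 404 Not Found
--0a1b2c40-Z--
EOF

# User agents, header value only, most frequent first. The ^ anchor keeps
# lines that merely mention "User-Agent" (e.g. rule messages) out of the count.
top_user_agents() {
    grep -E '^User-Agent: ' "$1" | sed 's/^User-Agent: //' | sort | uniq -c | sort -rn
}

# Response status codes: the second field of the status line in section F.
status_codes() {
    grep -E '^HTTP/[0-9]\.[0-9] [0-9]{3}' "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Referrers, header value only, counted.
top_referrers() {
    grep -E '^Referer: ' "$1" | sed 's/^Referer: //' | sort | uniq -c | sort -rn
}

# Targeted scripts: method and path from the request line, query string removed
# so that variants of the same injection attempt collapse into one target.
top_scripts() {
    grep -E '^(GET|POST|HEAD|PUT|DELETE) ' "$1" | awk '{ print $1, $2 }' | sed 's/?.*$//' | sort | uniq -c | sort -rn
}

for report in top_user_agents status_codes top_referrers top_scripts; do
    echo "== $report =="
    "$report" "$SAMPLE_LOG"
done
```

Point the functions at a real `modsec_audit.log` instead of `$SAMPLE_LOG` to use them on your own data. Note that `uniq -c` only merges identical adjacent lines, which is why every pipeline sorts first; and because `sort -rn` breaks ties by whole-line comparison, entries with equal counts may come out in different orders across `sort` implementations.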
