
Web Server Log Analysis: Identifying Attacks and Breaches
Table of Contents
- Introduction
- Understanding Web Server Logs
- Apache Logs
- Nginx Logs
- Cloudflare Logs
- Common Attack Patterns in Logs
- Brute Force Attacks
- SQL Injection Attempts
- Cross-Site Scripting (XSS)
- Directory Traversal & LFI/RFI
- DDoS & Rate Limiting
- Tools for Log Analysis
- GoAccess (Real-time log analyzer)
- ELK Stack (Elasticsearch, Logstash, Kibana)
- Graylog (Centralized log management)
- AWStats (Web analytics)
- Fail2Ban (Automated intrusion prevention)
- Automated Detection with Scripts
- Python Script for Suspicious IP Detection
- Bash Script for High-Frequency Requests
- Case Study: Analyzing a Real-World Breach
- Best Practices for Log Monitoring
- Resources & References
- Disclaimer
1. Introduction
Web server logs are a goldmine for cybersecurity professionals. They record every request made to a server, including malicious attempts. By analyzing logs from Apache, Nginx, and Cloudflare, security teams can detect attacks early, investigate breaches, and harden defenses.
This guide covers:
- How to read and interpret logs
- Common attack signatures
- Tools for automated analysis
- Scripts to detect intrusions
2. Understanding Web Server Logs
Apache Logs
Apache logs are typically found in:
- /var/log/apache2/access.log (standard requests)
- /var/log/apache2/error.log (errors, including attack attempts)
Example access.log entry:
192.168.1.100 - - [28/Apr/2025:14:30:22 +0000] "GET /admin.php HTTP/1.1" 200 4325 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
- 192.168.1.100 → Attacker’s IP
- GET /admin.php → Suspicious access to admin panel
- 200 → HTTP success (may indicate unauthorized access)
Nginx Logs
Nginx logs are usually in:
- /var/log/nginx/access.log
- /var/log/nginx/error.log
Example access.log entry:
203.0.113.45 - - [28/Apr/2025:14:35:12 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.25.1"
- POST /wp-login.php → Possible brute force attempt
- 404 → Failed request (may indicate probing)
Cloudflare Logs
Cloudflare provides enhanced logs (Enterprise plan) with:
- HTTP request details
- Security flags (e.g., WAF blocks, bot detection)
JSON:
{
"ClientIP": "198.51.100.3",
"RequestMethod": "GET",
"RequestURI": "/?id=1' OR 1=1--",
"UserAgent": "sqlmap/1.6#stable",
"EdgeResponseStatus": 403,
"WAFAction": "block"
}
- SQL injection attempt (1' OR 1=1--)
- Blocked by the WAF (403)
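The three formats above differ in shape, so analysis is easier once every entry is normalized to one record. This is an added example, not code from the original guide: a parser for the Apache/Nginx combined format plus the Cloudflare JSON record (field names follow the sample above), run over the three entries shown in this section. The helper blocked_or_failed and its selection rule are this example's own choice.

```python
import json
import re
from datetime import datetime

# Apache/Nginx "combined" format: ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_entry(line):
    """Normalize one Apache/Nginx combined line or one Cloudflare JSON record into
    a common dict (ip, method, uri, status, ua, waf, time); returns None if unparseable."""
    line = line.strip()
    if line.startswith("{"):                      # Cloudflare JSON record (keys as in the sample above)
        try:
            rec = json.loads(line)
        except ValueError:
            return None
        return {"ip": rec.get("ClientIP"), "method": rec.get("RequestMethod"),
                "uri": rec.get("RequestURI"), "status": int(rec.get("EdgeResponseStatus", 0)),
                "ua": rec.get("UserAgent", ""), "waf": rec.get("WAFAction"), "time": None}
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "uri": m["uri"],
            "status": int(m["status"]), "ua": m["ua"], "waf": None,
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")}

# The three entries shown above (the JSON one collapsed to a single line)
APACHE_LINE = '192.168.1.100 - - [28/Apr/2025:14:30:22 +0000] "GET /admin.php HTTP/1.1" 200 4325 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"'
NGINX_LINE = '203.0.113.45 - - [28/Apr/2025:14:35:12 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.25.1"'
CLOUDFLARE_LINE = '{"ClientIP": "198.51.100.3", "RequestMethod": "GET", "RequestURI": "/?id=1\' OR 1=1--", "UserAgent": "sqlmap/1.6#stable", "EdgeResponseStatus": 403, "WAFAction": "block"}'

def blocked_or_failed(entries):
    """IPs worth a second look: WAF blocks, 4xx/5xx responses, or non-browser user agents."""
    out = []
    for e in entries:
        if e and (e["waf"] == "block" or e["status"] >= 400 or not e["ua"].startswith("Mozilla/")):
            out.append(e["ip"])
    return out

if __name__ == "__main__":
    for raw in (APACHE_LINE, NGINX_LINE, CLOUDFLARE_LINE):
        print(parse_entry(raw))
```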
3. Common Attack Patterns in Logs
Brute Force Attacks
- Pattern: Repeated POST /wp-login.php or /admin requests
- Detection:
Bash:
grep "POST /wp-login.php" /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -nr
SQL Injection Attempts
- Pattern: Queries containing ' OR 1=1, UNION SELECT, or --
- Detection:
Bash:
grep -E "'.*OR.*1=1|UNION SELECT|\-\-" /var/log/apache2/access.log
Cross-Site Scripting (XSS)
- Pattern: <script>, alert(, or javascript: in URLs
- Detection:
Bash:
grep -iE "<script>|alert\(|javascript:" /var/log/nginx/access.log
Directory Traversal & LFI/RFI
- Pattern: ../, /etc/passwd, or ?file=http://evil.com/shell.php
- Detection:
Bash:
grep -E "\.\./|/etc/passwd|\?file=http" /var/log/apache2/access.log
DDoS & Rate Limiting
- Pattern: Too many requests from a single IP
- Detection with netstat (counts current connections per remote IP rather than log entries):
Bash:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
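The grep one-liners above match the raw log text, so a payload sent percent-encoded (for example %2e%2e/ instead of ../) slips past them. As an added example that is not part of the original guide, this Python script applies the same signature set to the URL-decoded request URI, tallies hits per client IP, and only reports brute force once login POSTs from one IP reach a threshold; the sample lines and the threshold of 5 are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Signatures from the patterns above, matched against the URL-decoded URI ("--" alone also matches benign paths)
SIGNATURES = {
    "sqli": re.compile(r"'.*\bor\b.*1\s*=\s*1|union\s+select|--", re.I),
    "xss": re.compile(r"<script|alert\(|javascript:", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd|[?&]file=https?://", re.I),
}
LOGIN_PATHS = ("/wp-login.php", "/admin")
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/')

def classify(line):
    m = REQUEST_RE.match(line)
    if not m:
        return None, set()
    # decode twice so single- and double-encoded payloads (%2e%2e/ and %252e%252e/) are both caught
    uri = unquote_plus(unquote_plus(m["uri"]))
    hits = {name for name, rx in SIGNATURES.items() if rx.search(uri)}
    if m["method"] == "POST" and uri.split("?")[0] in LOGIN_PATHS:
        hits.add("login-post")
    return m["ip"], hits

def analyze(lines, brute_threshold=5):
    """Aggregate hits per IP; report brute force once login POSTs reach the threshold."""
    per_ip = defaultdict(Counter)
    for line in lines:
        ip, hits = classify(line)
        for h in hits:
            per_ip[ip][h] += 1
    findings = {}
    for ip, c in per_ip.items():
        cats = {k for k in c if k != "login-post"}
        if c["login-post"] >= brute_threshold:
            cats.add("brute-force")
        if cats:
            findings[ip] = sorted(cats)
    return findings

def _entry(ip, method, uri, status):  # constructed sample line in the combined format
    return f'{ip} - - [28/Apr/2025:14:35:12 +0000] "{method} {uri} HTTP/1.1" {status} 153 "-" "python-requests/2.25.1"'

SAMPLE_LINES = [_entry("203.0.113.45", "POST", "/wp-login.php", 404)] * 6 + [
    _entry("198.51.100.3", "GET", "/?id=1%27%20OR%201%3D1--", 403),
    _entry("198.51.100.7", "GET", "/download?file=..%2F..%2Fetc%2Fpasswd", 200),
    _entry("198.51.100.9", "GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", 200),
    _entry("192.0.2.10", "GET", "/index.html", 200),
    _entry("192.0.2.11", "POST", "/wp-login.php", 200),  # a single login POST is not brute force
]
```

Run analyze(SAMPLE_LINES) to get a dict of IP to category list; feed it real lines with open("/var/log/nginx/access.log") in place of the constructed list.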
4. Tools for Log Analysis
Tool | Purpose
GoAccess | Real-time log visualization
ELK Stack | Log aggregation & dashboards
Graylog | Centralized log management
AWStats | Web traffic analytics
Fail2Ban | Ban malicious IPs automatically
5. Automated Detection with Scripts
Python Script to Detect Suspicious IPs
Python:
import re
from collections import Counter

log_file = "/var/log/nginx/access.log"
suspicious_ips = []
with open(log_file, "r") as f:
    for line in f:
        # signatures: UNION SELECT, directory traversal, tautology, closing script tag (case-insensitive)
        if re.search(r"(union select|\.\./|1=1|script>)", line, re.I):
            ip = line.split()[0]  # first field of the combined format is the client IP
            suspicious_ips.append(ip)
print("Suspicious IPs:", Counter(suspicious_ips).most_common(10))
Bash Script for High-Frequency Requests
Bash:
#!/bin/bash
LOG="/var/log/apache2/access.log"
THRESHOLD=100   # requests per IP over the whole file
echo "IPs with too many requests:"
# count requests per client IP (first field), highest first
awk '{print $1}' "$LOG" | sort | uniq -c | sort -nr | while read -r count ip; do
    if [ "$count" -gt "$THRESHOLD" ]; then
        echo "$ip: $count requests"
    fi
done
6. Case Study: Analyzing a Real-World Breach
Scenario: A WordPress site was compromised via a plugin vulnerability.
Log Findings:
- Multiple POST /wp-admin/admin-ajax.php requests with long parameters.
- SQL errors in error.log indicating database manipulation.
- A sudden spike in traffic from a single IP.
Response:
- Blocked the attacker’s IP via .htaccess.
- Updated plugins and enabled WAF rules.
7. Best Practices for Log Monitoring

(Apache: LogLevel debug, Nginx: error_log /var/log/nginx/error.log warn;)
9. Disclaimer
This article is for educational purposes only. Always ensure you have proper authorization before analyzing logs on systems you do not own. The author is not responsible for any misuse of the techniques discussed.
By mastering log analysis, cybersecurity professionals can detect attacks early, respond faster, and secure web applications more effectively.
