IIS의 로그를 분석하는 LogParser가 있다.(MS제품군)
Log Parser 2.2 (command line으로 로그분석)
https://www.microsoft.com/en-us/download/details.aspx?id=24659
Log Parser Studio (Log Parser 2.2를 비주얼하게 보여줌)
https://gallery.technet.microsoft.com/Log-Parser-Studio-cd458765
참고:
Log Parser를 이용한 윈도우 이벤트 로그 검사하기
출처: http://iprize.tistory.com/665
Log Parser Rocks! More than 50 Examples!
https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/
IIS로그분서 LogParser:
윈도우서버 Awstats 사용한 IIS 로그분석:
http://itscom.org/archives/4187
REM -- Resource AVG time (order by Error?) "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem as URL ,AVG(time-taken) as Time FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* to c:\unix\Time.csv GROUP BY URL ORDER BY Time DESC" -i:IISW3C -o:CSV REM -- Web Hit count "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem As URL, Count(*) As Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* to c:\unix\Hit.csv WHERE sc-status=200 GROUP BY URL ORDER BY URL" -i:IISW3C -o:CSV REM -- Client Agent "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs(User-Agent) As Agent, Count(*) As Count FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* to c:\unix\Agent.csv GROUP BY Agent ORDER BY Agent DESC" -i:IISW3C -o:CSV REM 1) 가장 최근에 생성된 시간을 기준으로 ASP 스크립트를 변조한 Trojan Files 여부를 진단 "C:\Program Files (x86)\Log Parser 2.2\Logparser" -i:FS "SELECT TOP 20 Path, CreationTime FROM C:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -rtp:-1 REM 3). 해커가 Trojan Files을 삭제한 경우에 HTTP 200 서버코드 흔적 로그를 찾는다. (Error: SELECT clause: Syntax Error: unknown field 'cs-uri-stem') "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status=200 GROUP BY URL ORDER BY URL" -rtp:-1 REM 5) HTTP 서버 500 에러코드 검사 "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT [cs-uri-stem], [cs-uri-query], Count(*) AS [Hits] FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status = 500 GROUP BY [cs-uri-stem], [cs-uri-query] ORDER BY [hits], [cs-uri-stem] DESC" -rtp:-1 -i:iisw3c REM 6) 가장 많은 Request Hit 수를 높음 ASP, DLL 파일 확인 (Error: SELECT clause: Syntax Error: unknown field 'date') "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -rtp:-1 REM 7) 시간당 에러수가 가장 많이 발생한 날짜 확인 (Error: SELECT clause: Syntax Error: unknown field 'date' / 'time') "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Error DESC" -rtp:-1 REM 10) 모든 ASP 에러 기록 확인 (Error: SELECT clause: Syntax Error: unknown field 'cs-uri-query') REM * 특히, ODBC와 ADO 에러는 SQL Injection 가능성이 있으므로 주의깊게 살펴봐야 함 "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-query, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -rtp:-1 REM 11) 스크립트 및 Executable 파일의 HTTP 서버 코드 기록 확인 (Error: SELECT clause: Syntax Error: unknown field 'cs-uri-stem') "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -rtp:-1 REM 12) Win32 Status Code 분석을 통한 Attack 확인 (Error: SELECT clause: Syntax Error: unknown field 'cs-uri-stem') "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) AS Error, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-win32-status>0 AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -rtp:-1
REM 13) HTTP Method 통계 분석 (Error: SELECT clause: Syntax Error: unknown field 'cs-uri-stem) "C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -rtp:-1 "C:\Program Files (x86)\Log Parser 2.2\Logparser" "Select top 50 to_int(mul(100.0,PropCount(*))) as Percent, count(*) as TotalHits, cs(User-Agent) as Browser from C:\inetpub\logs\LogFiles\W3SVC1\*.* group by Browser order by Totalhits desc" |
'Server관련 > Sever(OS)' 카테고리의 다른 글
| TiWorker.exe 디스크 사용량 높을때, 수정하기 (0) | 2017.12.22 |
|---|---|
| MsMpEng.exe 의 시스템 점유율 낮추기 (CPU, Memory) Windows Defender 끄기 (2) | 2017.12.20 |
| Window 10 Start menu 에 프로그램 링크 넣기 (0) | 2017.12.09 |
| Window 10 (multi-edition) 과 Windows 10 (multi-edition) VL 차이점 (0) | 2017.12.01 |
| Windows 10 배달최적화 파일 삭제 (패치 업데이트 공유) (0) | 2017.11.09 |
| live.com 로그인 화면이 한글로 나올때, 기본 영어로 변경법 (0) | 2017.11.04 |
| Windows Server 2012 R2 IIS에 PHP 설치 및 MSSQL연결 +(WebKnight/AWStats링크만) (0) | 2017.10.14 |
| IIS Log 파일 삭제하기 (Managing IIS Log File Storage) (0) | 2017.10.04 |
(로그인하지 않으셔도 가능)