
IIS log analysis with LogParser

saltdoll 2017. 11. 29. 03:40

Microsoft ships a tool called Log Parser for analysing IIS logs.


Log Parser 2.2 (command-line log analysis)

https://www.microsoft.com/en-us/download/details.aspx?id=24659 


Log Parser Studio (a graphical front end for Log Parser 2.2)

https://gallery.technet.microsoft.com/Log-Parser-Studio-cd458765






References:

Checking Windows event logs with Log Parser
Source: http://iprize.tistory.com/665


Log Parser Rocks! More than 50 Examples!

https://mlichtenberg.wordpress.com/2011/02/03/log-parser-rocks-more-than-50-examples/


IIS log analysis with LogParser:

http://www.jkun.net/262


IIS log analysis on Windows Server using Awstats:

http://itscom.org/archives/4187 



REM -- Average time-taken per resource (order by Error?)

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem AS URL, AVG(time-taken) AS Time INTO c:\unix\Time.csv FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* GROUP BY URL ORDER BY Time DESC" -i:IISW3C -o:CSV


REM -- Web hit count

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem AS URL, Count(*) AS Hits INTO c:\unix\Hit.csv FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status=200 GROUP BY URL ORDER BY URL" -i:IISW3C -o:CSV


REM -- Client user agents

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs(User-Agent) AS Agent, Count(*) AS Count INTO c:\unix\Agent.csv FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* GROUP BY Agent ORDER BY Agent DESC" -i:IISW3C -o:CSV



REM 1) Check for Trojan files (tampered ASP scripts) by listing the most recently created files under the web root

"C:\Program Files (x86)\Log Parser 2.2\Logparser" -i:FS "SELECT TOP 20 Path, CreationTime FROM C:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -rtp:-1  
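As an added example, not from the original post, the same "newest files under the web root" check as the -i:FS query above, written in Python so it can also run on a Linux analysis host against a copied web root. The temporary tree and its timestamps are constructed for the demo; on a live Windows host you would call newest_files(r"C:\inetpub\wwwroot") instead.

```python
import os
import tempfile


def newest_files(root, top=20, stamp=None):
    """Return the `top` most recently created files under `root`, newest first,
    as (path, timestamp) pairs. Mirrors the Log Parser -i:FS query above.

    `stamp` maps a path to the creation time to sort by. The default uses
    st_ctime, which on Windows is the file creation time; on Linux/macOS
    st_ctime is the inode change time, so a tree copied to an analysis box
    will show the copy time rather than the original creation time. Pass your
    own `stamp` when better metadata is available.
    """
    if stamp is None:
        stamp = lambda p: os.stat(p).st_ctime
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found.append((path, stamp(path)))
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
    found.sort(key=lambda item: item[1], reverse=True)
    return found[:top]


def demo():
    """Build a throw-away tree with constructed timestamps and rank it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        for rel in ("default.asp", "inc/db.asp", "inc/new.asp"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<% %>")
        # Constructed creation times (hypothetical): new.asp is the newest file.
        fake = {"default.asp": 1000.0, "db.asp": 2000.0, "new.asp": 3000.0}
        ranked = newest_files(root, top=2, stamp=lambda p: fake[os.path.basename(p)])
        return [os.path.basename(p) for p, _ in ranked]


if __name__ == "__main__":
    # On a real host: for path, ts in newest_files(r"C:\inetpub\wwwroot"): print(ts, path)
    print(demo())
```

A file that is new but was never deployed by you is the lead the query is after; the creation-time caveat matters because a forensic copy made with a tool that does not preserve timestamps will make every file look equally new.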




REM 3) If the attacker deleted the Trojan files, look for traces of HTTP 200 responses to them in the log. (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'cs-uri-stem')

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status=200 GROUP BY URL ORDER BY URL" -i:IISW3C -rtp:-1




REM 5) Check for HTTP 500 server error codes

"C:\Program Files (x86)\Log Parser 2.2\Logparser"  "SELECT [cs-uri-stem], [cs-uri-query], Count(*) AS [Hits] FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status = 500 GROUP BY [cs-uri-stem], [cs-uri-query] ORDER BY [hits], [cs-uri-stem] DESC" -rtp:-1 -i:iisw3c



REM 6) ASP and DLL files with the highest request hit counts (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'date')

"C:\Program Files (x86)\Log Parser 2.2\Logparser"  "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE (sc-status<400 OR sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -i:IISW3C -rtp:-1



REM 7) Find the dates with the most errors per hour (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'date' / 'time'; the ORDER BY must use the alias Errors, not Error)

"C:\Program Files (x86)\Log Parser 2.2\Logparser"  "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Errors DESC" -i:IISW3C -rtp:-1




REM 10) Review all ASP error records (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'cs-uri-query')

REM * In particular, ODBC and ADO errors may indicate SQL injection attempts and should be examined closely

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-query, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -i:IISW3C -rtp:-1



REM 11) HTTP status codes recorded for script and executable files (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'cs-uri-stem')

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -i:IISW3C -rtp:-1


REM 12) Spot attacks by analysing Win32 status codes (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'cs-uri-stem')

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) AS Error, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE sc-win32-status>0 AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -i:IISW3C -rtp:-1

  


REM 13) HTTP method statistics (Without -i:IISW3C this fails with: SELECT clause: Syntax Error: unknown field 'cs-uri-stem')

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* WHERE (sc-status<400 OR sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -i:IISW3C -rtp:-1



REM -- Browser share: top 50 user agents by hits, with percentage of all requests

"C:\Program Files (x86)\Log Parser 2.2\Logparser" "SELECT TOP 50 TO_INT(MUL(100.0, PROPCOUNT(*))) AS Percent, Count(*) AS TotalHits, cs(User-Agent) AS Browser FROM C:\inetpub\logs\LogFiles\W3SVC1\*.* GROUP BY Browser ORDER BY TotalHits DESC" -i:IISW3C
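As an added example that is not part of the original post, the following Python script re-implements several of the Log Parser queries above directly on the IIS W3C extended log format: the average time-taken per URL, the hit count per lower-cased URL from 3), the hourly error buckets with a threshold from 7), and the grouping of 500 responses by cs-uri-query from 10). It is useful where Log Parser is not installed, for example on a Linux analysis box holding copied log files. The sample log, its field list, the hypothetical client addresses and the thresholds are all constructed for the demo.

```python
from collections import Counter, defaultdict

# Constructed sample IIS W3C log (not from a real server). The #Fields line
# defines the column order, exactly as IIS writes it; '-' marks an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2017-11-28 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2017-11-28 10:00:01 10.0.0.5 GET /Default.asp - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 120
2017-11-28 10:00:05 10.0.0.5 GET /default.asp - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 80
2017-11-28 10:01:10 10.0.0.5 GET /login.asp id=1 80 - 203.0.113.11 curl/7.55 500 0 0 15
2017-11-28 10:02:11 10.0.0.5 GET /login.asp id=1%27 80 - 203.0.113.11 curl/7.55 500 0 0 12
2017-11-28 10:03:12 10.0.0.5 GET /login.asp id=1%27 80 - 203.0.113.11 curl/7.55 500 0 0 13
2017-11-28 11:00:00 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.12 Mozilla/5.0 404 0 2 3
2017-11-28 11:30:00 10.0.0.5 POST /upload.asp - 80 - 203.0.113.13 Mozilla/5.0 200 0 0 300
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields line.

    IIS re-emits #Fields on log rollover or configuration change, so the field
    list is reset each time one is seen; '-' values become None.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def avg_time_per_url(records):
    """REM -- Average time-taken: AVG(time-taken) per cs-uri-stem, slowest first."""
    total, count = defaultdict(int), Counter()
    for r in records:
        total[r["cs-uri-stem"]] += int(r["time-taken"])
        count[r["cs-uri-stem"]] += 1
    return sorted(((u, total[u] / count[u]) for u in total), key=lambda x: x[1], reverse=True)


def hits_by_url(records, status=200):
    """Query 3): hits per TO_LOWERCASE(cs-uri-stem) with the given sc-status."""
    return Counter(r["cs-uri-stem"].lower() for r in records if int(r["sc-status"]) == status)


def hourly_errors(records, threshold=25):
    """Query 7): sc-status>=400 counted per (date, hour, status), keeping buckets
    above `threshold`, largest first. QUANTIZE(time, 3600) becomes hour truncation."""
    buckets = Counter()
    for r in records:
        status = int(r["sc-status"])
        if status >= 400:
            hour = r["time"][:2] + ":00:00"
            buckets[(r["date"], hour, status)] += 1
    return sorted(((k, n) for k, n in buckets.items() if n > threshold),
                  key=lambda x: x[1], reverse=True)


def server_errors_by_query(records):
    """Query 10): sc-status>=500 grouped by cs-uri-query, most frequent first.
    A query string that keeps producing 500s is what the ODBC/ADO note is about."""
    return Counter(r["cs-uri-query"] or "" for r in records
                   if int(r["sc-status"]) >= 500).most_common()


RECORDS = list(parse_w3c(SAMPLE_LOG))

if __name__ == "__main__":
    # For real files: RECORDS = list(parse_w3c(open(path, encoding="utf-8").read()))
    print(avg_time_per_url(RECORDS))
    print(hits_by_url(RECORDS))
    print(hourly_errors(RECORDS, threshold=2))
    print(server_errors_by_query(RECORDS))
```

Two details carry over from Log Parser behaviour: grouping by the raw cs-uri-stem (as the average-time query does) keeps /Default.asp and /default.asp apart, whereas query 3) folds them with TO_LOWERCASE, which is why hits_by_url lower-cases; and IIS writes spaces in the User-Agent as '+', so splitting on single spaces is safe for real log lines as well as the constructed ones.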




