2009
12.05

using grep to filter ip logs

Category: musings / Tag:  / Add Comment
using-grep-to-filter-ip-logs

I like to view my server log for my website three or
four times a day just to see what’s going on. Only thing
is, at the moment, I visit my website more than any other
visitors so my own ip address in the log overwhelms the
others in there, making it hard to see who is visiting.
Besides myself, of course. I thought a while about how
to strip the log of my own ip address so it would just leave
the others to view. I investigated the “sed” command as
I thought it might be useful but after some more thought
and investigation I realized the “grep” command would suit
my needs.

I discovered that grep has a negative filter for stripping
out lines from a file. I didn’t know this until I read the
manual. I guess that’s why they always say RTFM. Anyway,
here is an example what I came up with:

  1. I download my website log from my webpage provider.
    It’s in a gz form.
  2. Open up your favorite terminal program and change directory
    to where the file has been downloaded and “gunzip access_log_20091204.gz”
    or whatever the log file is named.
  3. The former gz log should now be in standard text form
    with the “gz” suffix removed. Now do a:
    “grep -v xx.xx.xxx.xxx access_log_20091204 > stripped_20091204.log”
    Replace the x’s with your own ip address.
  4. Read the resulting “stripped_20091204.log” with your favorite
    text editor. Your own ip address visitations will be out of the way.

The output of the grep command, represented in the above example
by “stripped_20091204.log”, can be any name you want it to be. Also my
example of “access_log_20091204″ is just that, an example, and your
filename will be different.

The -v option of the grep command tells grep to select non-matching
lines, in effect stripping out lines with your ip address in them.

After some more thinking and Google search on this subject, I came up
with an almost one-liner. Assuming you’ve already downloaded your ip log
file and it is called, for example, “access_log_20091207.gz” and you have
gedit on your system and know your own ip address, you could try this
one-liner:

“zgrep -v xx.xxx.xxx.xx access_log_20091207.gz > log | gedit log”

Replace the x’s with your own ip address. zgrep gunzips and greps
at the same time, saving a step.

teryc

No Comment.

Add Your Comment

Your Comment