Log monitor/notifier
January 5, 2006 10:05 PM   Subscribe

Does anybody know a script that will monitor your server logs and notify you when a specific IP (or user agent) hits your site?
posted by jedro to Computers & Internet (8 answers total)
You could hack one up in Perl in a few minutes.
posted by polyglot at 11:00 PM on January 5, 2006

Response by poster: Yes, if I knew Perl.
posted by jedro at 11:16 PM on January 5, 2006

ah. This google search seems like it could be useful, in particular this paper. Or maybe some variation on this.
posted by polyglot at 11:33 PM on January 5, 2006

Uh... OS? web platform? preferred scripting language?

Details, please.
posted by hincandenza at 9:40 AM on January 6, 2006

whlie ( true ) 
    if ( grep whatever access_log )
        echo "Hit!  HIT!" | mail notify@example.com
    sleep 10

posted by sfenders at 9:57 AM on January 6, 2006

Re-grepping a huge access log every 10 seconds might not be terribly CPU-friendly.

If you know they'll hit before the log is rotated and you don't mind looking at the terminal window every once in a while, this works:

tail -f /var/log/apache/access.log | grep ^

Alternatively, something like this could work if you can leave it running on your server:
#!/usr/bin/perl -w

use strict;

my $recipient = shift || "root";
my $host = shift || "";
my $log = shift || "/var/log/apache/access.log";

open LOG, "<$log" or die "Couldn't open $log for reading: $!";
seek LOG, 0, 2; # seek to end
while (1) {
        sleep 1;
        seek LOG, 0, 1; # re-seek to current position

        my $pos = tell(LOG);
        my $size = -s $log;

        if ($size < $pos) {
                # ah ha! the log hath been rotated!
                close LOG;
                open LOG, "<$log" or die "Couldn't open $log for reading: $!";

        while (<LOG>) {
                next unless /^\Q$host\E/;
                my $msg = scalar localtime() . ": $host has accessed the server";
                `echo | mail -s '$msg' $recipient`;
Run it with perl access_log_monitor.pl user@example.com /var/log/apache/access.log &.

I am making big assumptions here that you've got Perl and Apache and shell access to the server and all. Hope this is at least somewhat helpful.
posted by xiojason at 11:29 AM on January 6, 2006

If he is using Apache, wouldn't it be easier and less overhead to mod_rewrite for the targeted IP/referrer to a custom page or action which triggers a notification? Seems you would avoid the constant checking of the user logs -- which might be good since a number of web hosts either don't give you real-time access to them or they badly lag, whereas a redirect is cleanly automatic without hammering the logs. Non-Apache IIS also supports automatic redirection.

My mod_rewrite/redirect experience has thus far remained in the realm of theory, so maybe I'm missing something.
posted by mdevore at 12:21 PM on January 6, 2006

Response by poster: I'm using Apache
posted by jedro at 2:42 PM on January 6, 2006

« Older Lack of rectal exams = malpractice?   |   pump up the volume Newer »
This thread is closed to new comments.