In the realm of web server management, security is a paramount concern. One effective strategy for identifying and mitigating potential threats is to monitor server logs continuously. In this blog post, we’ll explore a custom script that follows the Apache logs for all of your user accounts and highlights specific patterns associated with security risks.
Script Overview:
#!/bin/bash
# This file displays all of the logs for web accounts with highlighted words in a constant stream.
# By Tom McGuire - VisualMoxie.com
# Enable extended globbing so that the !(pattern) form can exclude files below.
shopt -s extglob
# Color for matched text: bold white on a red background. Newer GNU grep releases
# warn that GREP_COLOR is deprecated and prefer GREP_COLORS='mt=1;37;41'.
export GREP_COLOR='1;37;41'
# Follow every per-domain log except the *bytes* bandwidth logs, plus the cPanel access log,
# and highlight any line containing one of the listed terms (duplicate alternatives removed).
tail -f /var/log/apache2/domlogs/!(*bytes*) -f /usr/local/cpanel/logs/access_log | grep --color=auto -E '(^cpanel|stdin|eval|wp-config.php|SEO|seo|Seo|bot|Ubuntu|xmlrpc|spider|python|crawler|Crawler|wp-login|login|wp-admin|zoom|curl|exec|passthru|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)'
Breaking Down the Script:
- Extended Globbing Enabled:
shopt -s extglob
This line activates extended pattern-matching features in Bash, allowing more advanced patterns such as !(...) during file path expansion.
- Color-Coded Output:
export GREP_COLOR='1;37;41'
The script sets the GREP_COLOR environment variable to ‘1;37;41’, which configures the color grep uses for matched text. In this case it means bold white text on a red background.
- Continuous Log Monitoring:
tail -f /var/log/apache2/domlogs/!(*bytes*) -f /usr/local/cpanel/logs/access_log
The tail command continuously displays new lines appended to the log files. The first argument, /var/log/apache2/domlogs/!(*bytes*), uses extended globbing to select every per-domain log in that directory except the files whose names contain “bytes” (the bandwidth logs). The second file is /usr/local/cpanel/logs/access_log.
- Pattern-Based Filtering:
| grep --color=auto -E '...'
The output from tail is piped to grep, which prints only the lines matching the specified extended regular expression. The --color=auto option highlights the matched text when the output is a terminal. The pattern targets strings associated with potential security threats or suspicious activity in web server logs. Note that the alternatives are case-sensitive substring matches: “bot” also matches legitimate crawlers such as Googlebot and paths such as robots.txt, and “login” already matches “wp-login”, so a highlighted line is a cue to look closer rather than proof of an attack.
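To check what the filter actually flags before pointing it at live logs, here is an added example (not from the original post) that runs the post’s grep pattern, with its duplicate alternatives removed, over a few constructed Apache access-log lines; the function names and the sample lines are this example’s own.

```shell
# Added example: exercise the post's grep pattern offline against constructed log lines.
# The pattern is the post's own list with the repeated "spider" and "eval" entries removed.
PATTERN='(^cpanel|stdin|eval|wp-config.php|SEO|seo|Seo|bot|Ubuntu|xmlrpc|spider|python|crawler|Crawler|wp-login|login|wp-admin|zoom|curl|exec|passthru|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)'

# Constructed sample lines in Apache combined log format (documentation IP range).
SAMPLE_LOG='192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "python-requests/2.31"
192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Jan/2024:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1"'

# Print only the lines the pattern flags. --line-buffered makes each match appear
# immediately when grep sits behind "tail -f" instead of waiting for a full output buffer.
flag_lines() {
    grep --line-buffered -E "$PATTERN"
}

# Count the flagged lines read from stdin (0 when nothing matches).
count_flagged() {
    flag_lines | wc -l | tr -d ' '
}

# Three of the five sample lines are flagged: wp-login, xmlrpc/python, and the
# robots.txt request from Googlebot, which shows that "bot" also catches benign traffic.
printf '%s\n' "$SAMPLE_LOG" | count_flagged
```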
This script is a valuable tool for enhancing web server security by providing real-time monitoring of logs and highlighting entries that match predefined patterns associated with security risks. The color-coded output aids in quickly identifying and responding to potential threats, making it an essential addition to the toolkit of server administrators focused on maintaining a secure online environment.