[clue] identifying an IP address based on apache logs?

Jim Ockers ockers at ockers.net
Thu May 17 11:49:00 MDT 2012


Mr. Bean:

What do you mean what "account" the IP address is associated with?  What 
kind of account?  Account on what/where?  If you could be a lot more 
specific about your question we could be a lot more helpful.  If your 
apache web server is writing its logfiles in the unified log format, 
then you will see lines that look like this:

180.76.5.148 - - [17/May/2012:10:38:55 -0600] "GET / HTTP/1.1" 200 9451 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

The second - after the IP address is where the username (account) that 
apache authenticated would be.  If you're using some authentication 
scheme (like basic-http with .htpasswd files, for instance), then the 
logfile line might look like this:

69.1.1.1 - ockers [17/May/2012:11:38:47 -0600] "GET /index.php HTTP/1.1" 200 3862

In this way you could associate an IP address with a basic-http user.  
Note that there could be more than one user logging in from the same IP 
address.  You might have your web server configured to write log files 
in a short or abbreviated format instead of the longer format, but you 
can look in the httpd.conf to see what the logfile format is.  Since you 
didn't say what kind of account or what authentication scheme or system 
you're using I can't suggest anything further.

I hope this helps,
Jim

-- 
Jim Ockers, P.E., P.Eng. (ockers at ockers.net)
Contact info: http://www.ockers.net/


Mike Bean wrote:
> Attempting to try to solve a request of sorts, names changed to 
> protect the innocent.
>
> I know that Apache can be configured to deny requests from a specific 
> IP, and I have the account information of someone specific to deny, 
> but I can't quite seem to get over the last hurdle of associating an 
> IP address with an account.   Rooting around in the access logs has 
> yet to produce an instance of his username.
>
> In short, I thought I'd ask if the clue-denizens have advice for 
> identifying a given apache user's IP address?
>
> befuddled as usual,
>
> Bean
> ------------------------------------------------------------------------
>
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
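
The lookup described in the reply above, as an added example that is not part of the original thread: it reads the third field of each access-log line (the authenticated user) and builds both the user-to-IP and IP-to-user mappings. The names `users_by_ip` and `SAMPLE_LOG` are hypothetical; the first two sample lines are the ones quoted in the reply and the rest are constructed.

```python
import re
from collections import defaultdict

# Leading fields shared by Apache's common and combined log formats:
# host ident authuser [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def users_by_ip(lines):
    """Return (user -> set of IPs, IP -> set of users) for authenticated requests."""
    user_ips, ip_users = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("user") == "-":
            continue  # unparsable line, or no authenticated user on this request
        if m.group("status") == "401":
            continue  # on a 401 the logged name is only what the client claimed
        user_ips[m.group("user")].add(m.group("host"))
        ip_users[m.group("host")].add(m.group("user"))
    return dict(user_ips), dict(ip_users)

SAMPLE_LOG = [
    # The two lines quoted in the reply:
    '180.76.5.148 - - [17/May/2012:10:38:55 -0600] "GET / HTTP/1.1" 200 9451 '
    '"-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '69.1.1.1 - ockers [17/May/2012:11:38:47 -0600] "GET /index.php HTTP/1.1" 200 3862',
    # Constructed lines: a second user behind the same IP, a failed login, a second IP.
    '69.1.1.1 - alice [17/May/2012:11:40:02 -0600] "GET /index.php HTTP/1.1" 200 3862',
    '192.0.2.10 - ockers [17/May/2012:12:01:10 -0600] "GET /index.php HTTP/1.1" 401 381',
    '198.51.100.7 - ockers [17/May/2012:12:05:33 -0600] "GET /index.php HTTP/1.1" 200 3862',
]

if __name__ == "__main__":
    by_user, by_ip = users_by_ip(SAMPLE_LOG)
    for user, ips in sorted(by_user.items()):
        print(f"{user}: {', '.join(sorted(ips))}")
    for ip, users in sorted(by_ip.items()):
        if len(users) > 1:
            print(f"{ip} is shared by: {', '.join(sorted(users))}")
```

An IP that maps to several users, as 69.1.1.1 does here, is the case where denying by address would also lock out the other accounts.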

