Looking at the Status Code

It is important for you to periodically check the server's log file in order to determine if unauthorized people are trying to access secured documents. This is done by checking the status code in the log file entries.

Every status code is a three digit number. The first digit defines how your server responded to the request. The last two digits do not have any categorization role. There are five values for the first digit:

• 1xx: Informational-Not used, but reserved for future use
• 2xx: Success-The action was successfully received, understood, and accepted.
• 3xx: Redirection - Further action must be taken in order to complete the request.
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled.
• 5xx: Server Error - The server failed to fulfill an apparently valid request.

Below we list the most common status codes that can appear in your log file. You can find a complete list on the http://www.w3.org/pub/WWW/Protocols/HTTP/1.0/spec.html Web page.

200

-- OK

204

-- No content

301

-- Moved permanently

302

-- Moved temporarily

400

-- Bad Request

401

-- Unauthorized

403

-- Forbidden

404

-- Not found

500

-- Internal server error

501

-- Not implemented

503

-- Service unavailable

Status code 401 is logged when a user attempts to access a secured document and enters an incorrect password. By searching the log file for this code, you can create a report of the failed attempts to gain entry into your site.

The code listing serchlog.pl shows how the log file could be searched for a specific error code-in this case, 401.

serchlog.pl operates as follos:

• Turn on the warning option.
• Define a format for the report's detail line.
• Define a format for the report's header line.
• Define the parseLogEntry() function.
• Declare a local variable to hold the pattern that matches a single item.
• Use the matching operator to extract information into pattern memory.
• Return a list that contains the 11 items extracted from the log entry.
• Open the logfile.
• Iterate over each line of the logfile.
• Parse the entry to extract the 11 items but only keep the site information and the status code that was requested.
• If the status code is 401 then save the increment the counter for that site.
• Close the log file.
• Check the site name to see if it has any entries. If not, display a message that says no unauthorized accesses took place.
• Iterate over the hash that holds the site names.
• Write out each hash entry in a report.

The Perl for serchlog.pl is as follows:

#!/usr/bin/perl -w


format =
  @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>
  $site,                                  $count
.


format STDOUT_TOP =
  @||||||||||||||||||||||||||||||||||||  Pg @<
  "Unauthorized Access Report",             $%


  Remote Site Name                        Access Count
  --------------------------------------- ------------
.


sub parseLogEntry {
    my($w) = "(.+?)";
    m/^$w $w $w \[$w:$w $w\] "$w $w $w" $w $w/;
    return($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);
}




$LOGFILE = "access.log";
open(LOGFILE) or die("Could not open log file.");
foreach (<LOGFILE>) {
    ($site, $status) = (parseLogEntry())[0, 9];


    if ($status eq '401') {
        $siteList{$site}++;
    }
}
close(LOGFILE);


@sortedSites = sort(keys(%siteList));


if (scalar(@sortedSites) == 0) {
    print("There were no unauthorized access attempts.\n");
}
else {
    foreach $site (@sortedSites) {
        $count = $siteList{$site};
        write;
    }
}

This program displays:

Unauthorized Access Report        Pg 1
  Remote Site Name                        Access Count
  --------------------------------------- ------------
  ip48-max1-fitch.zipnet.net                     1
  kairos.algonet.se                              4

You can expand this program's usefulness by also displaying the logName and fullName items from the log file.