
Looking at the Status Code

It is important for you to periodically check the server's log file in order to determine if unauthorized people are trying to access secured documents. This is done by checking the status code in the log file entries.

Every status code is a three-digit number. The first digit defines how your server responded to the request. The last two digits do not have any categorization role. There are five values for the first digit:

Below we list the most common status codes that can appear in your log file. You can find a complete list on the http://www.w3.org/pub/WWW/Protocols/HTTP/1.0/spec.html Web page.

200 -- OK
204 -- No content
301 -- Moved permanently
302 -- Moved temporarily
400 -- Bad Request
401 -- Unauthorized
403 -- Forbidden
404 -- Not found
500 -- Internal server error
501 -- Not implemented
503 -- Service unavailable

Status code 401 is logged when a user attempts to access a secured document and enters an incorrect password. By searching the log file for this code, you can create a report of the failed attempts to gain entry into your site.

The code listing serchlog.pl shows how the log file could be searched for a specific error code (in this case, 401).

serchlog.pl operates as follows:

The Perl for serchlog.pl is as follows:

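#!/usr/bin/perl -w

# Detail line: remote site name and the number of 401 responses it received.
format =
  @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>
  $site,                                  $count
.

# Page header; $% holds the current page number.
format STDOUT_TOP =
  @||||||||||||||||||||||||||||||||||||  Pg @<
  "Unauthorized Access Report",             $%

  Remote Site Name                        Access Count
  --------------------------------------- ------------
.

# Split the log entry in $_ into its 11 fields. Return an empty list when
# the entry does not match, so that capture values left over from an
# earlier entry are never reported for this one.
sub parseLogEntry {
    my($w) = "(.+?)";
    return() unless m/^$w $w $w \[$w:$w $w\] "$w $w $w" $w $w/;
    return($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);
}

$LOGFILE = "access.log";
open(LOGFILE, '<', $LOGFILE) or die("Could not open log file $LOGFILE: $!\n");
while (<LOGFILE>) {
    # Field 0 is the remote site name, field 9 is the status code.
    ($site, $status) = (parseLogEntry())[0, 9];
    next unless defined($status);    # skip entries that did not parse

    if ($status eq '401') {
        $siteList{$site}++;
    }
}
close(LOGFILE);

@sortedSites = sort(keys(%siteList));

if (scalar(@sortedSites) == 0) {
    print("There were no unauthorized access attempts.\n");
}
else {
    foreach $site (@sortedSites) {
        $count = $siteList{$site};
        write;
    }
}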

This program displays:

Unauthorized Access Report        Pg 1
  Remote Site Name                        Access Count
  --------------------------------------- ------------
  ip48-max1-fitch.zipnet.net                     1
  kairos.algonet.se                              4

You can expand this program's usefulness by also displaying the logName and fullName items from the log file.
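
One way to make that expansion, as an added example that is not part of the original listing: it assumes logName and fullName are the second and third fields that parseLogEntry returns, uses a stricter pattern than serchlog.pl, and reads constructed sample entries instead of access.log.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample entries (not real traffic), in the layout that
# parseLogEntry expects:
# site logName fullName [date:time offset] "method file protocol" status length
my @sampleLog = (
    'host-a.example.net - - [10/Oct/1996:13:55:36 -0700] "GET /secure/ HTTP/1.0" 401 -',
    'host-a.example.net - admin [10/Oct/1996:13:55:41 -0700] "GET /secure/ HTTP/1.0" 401 -',
    'host-a.example.net - root [10/Oct/1996:13:55:47 -0700] "GET /secure/ HTTP/1.0" 401 -',
    'host-b.example.org - jsmith [10/Oct/1996:14:02:10 -0700] "GET /secure/ HTTP/1.0" 401 -',
    'host-b.example.org - jsmith [10/Oct/1996:14:02:31 -0700] "GET /secure/ HTTP/1.0" 200 2326',
    'this line is not a log entry',
);

# Split one entry into its 11 fields; return an empty list on no match.
sub parseLogEntry {
    my ($line) = @_;
    my $w = '(\S+)';
    return unless $line =~ m/^$w $w $w \[([^:]+):(\S+) (\S+)\] "$w $w $w" (\d{3}) (\S+)$/;
    return ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11);
}

# Count 401 entries per site and collect the names sent with them.
# On a 401 entry fullName is only what the client supplied, not an
# authenticated identity; "-" means no name was sent.
sub summarize401 {
    my (@lines) = @_;
    my %report;
    foreach my $line (@lines) {
        my @field = parseLogEntry($line) or next;
        next unless $field[9] eq '401';
        my ($site, $logName, $fullName) = @field[0, 1, 2];
        $report{$site}{count}++;
        $report{$site}{names}{"$logName/$fullName"}++;
    }
    return %report;
}

my %report = summarize401(@sampleLog);
printf("%-24s %5s  %s\n", 'Remote Site Name', 'Count', 'logName/fullName seen');
foreach my $site (sort keys %report) {
    my $names = join(', ', sort keys %{ $report{$site}{names} });
    printf("%-24s %5d  %s\n", $site, $report{$site}{count}, $names);
}
```

A site whose count comes with several different names deserves a closer look than a single user mistyping a password.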


dave@cs.cf.ac.uk