
Counting POST Attempts in Apache log


Running: CentOS 6

I'm trying to get a count, total, and sort of all the POST attempts made to a PHP login page on a per IP basis. Basically, the Apache log will look like this:

127.0.0.1 - - [10/Dec/2014:12:35:51 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
127.0.0.1 - - [10/Dec/2014:12:35:51 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
127.0.0.2 - - [10/Dec/2014:12:35:51 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"

I'd like to be able to issue a command that outputs the results with how many times each IP attempted to POST to the /wp-login.php page. So for the above 3 logs, I'd like to issue a command that returns something like:

2 127.0.0.1 /wp-login.php
1 127.0.0.2 /wp-login.php

What that tells me is how many times each unique IP made a POST to that particular page, and is sorted from highest to lowest (or vice versa).

What I've come up with so far basically prints my needed results, but doesn't "count" or "sort" them. This is what I have:

grep "POST" /var/log/httpd/domains/domain.com.log | grep wp-login.php | awk '{print $1,substr($7,1)}'

That command basically prints the first and seventh column (snipped). From what I've been reading and trying, I believe I need to utilize the unique -c and/or sort command, but I can't seem to get it working how I need because I assume the "date" is throwing off the uniqueness of each log so I'm getting a count per IP per date.

If anyone could help me with this, it would be greatly appreciated!


Solution

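  • Try doing this:

    $ awk '
        # $6 is the quoted method ("POST), $7 the request path
        $6 ~ /POST/ && $7 ~ /\/wp-login\.php/ {ips[$1]++}
        # print each client IP with its number of matching POSTs
        END{for (ip in ips) {print ip, ips[ip], "POSTs"}}
    ' /var/log/httpd/domains/domain.com.log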
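
The following is an added example, not part of the original answer: it produces the "count IP path" layout the question asks for, sorted from highest to lowest, and also counts requests that carry a query string. The function names `count_posts` and `sample_log` and the 192.0.2.x log lines are constructed for illustration.

```shell
#!/bin/sh
# count_posts FILE [PATH]
#   Count POST requests to PATH (default /wp-login.php) per client IP in an
#   Apache combined/common log. FILE may be "-" to read standard input.
#   Output: "<count> <ip> <path>", highest count first.
count_posts() {
    log=${1:--}
    target=${2:-/wp-login.php}
    awk -v target="$target" '
        # $6 is the method with its opening quote, e.g. "POST.
        # An exact comparison avoids matching other methods or stray text.
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)          # ignore any query string
            if (path == target) hits[$1]++ # exact path, not a substring
        }
        END { for (ip in hits) print hits[ip], ip, target }
    ' "$log" | sort -k1,1nr -k2,2          # by count descending, then IP
}

# Constructed sample log lines (documentation address range 192.0.2.0/24).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Dec/2014:12:35:51 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
192.0.2.20 - - [10/Dec/2014:12:35:52 -0500] "POST /wp-login.php?action=lostpassword HTTP/1.0" 200 6520 "-" "-"
192.0.2.10 - - [10/Dec/2014:12:35:53 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
192.0.2.10 - - [10/Dec/2014:12:35:54 -0500] "GET /wp-login.php HTTP/1.0" 200 6520 "-" "-"
192.0.2.30 - - [10/Dec/2014:12:35:55 -0500] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
192.0.2.20 - - [10/Dec/2014:12:35:56 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
192.0.2.10 - - [10/Dec/2014:12:35:57 -0500] "POST /wp-login.php HTTP/1.0" 200 6520 "-" "-"
EOF
}

# Demo on the constructed sample; for a real log pass its path instead of "-".
sample_log | count_posts -
```

Because the date field is never part of the key, each IP gets one total regardless of when the requests arrived.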