Extract data from log file in specified range of time [duplicate] - bash

This question already has answers here:
Filter log file entries based on date range
(5 answers)
Closed 6 years ago.
I want to extract information from a log file using a shell script (bash) based on time range. A line in the log file looks like this:
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET / HTTP/1.1" 200 123 "" "Mozilla/5.0 (compatible; Konqueror/2.2.2-2; Linux)"
I want to extract data for specific intervals. For example, I need to look only at the events which happened during the last X minutes or X days ago from the last recorded data. I'm new to shell scripting but I have tried to use the grep command.

You can use sed for this. For example:
$ sed -n '/Feb 23 13:55/,/Feb 23 14:00/p' /var/log/mail.log
Feb 23 13:55:01 messagerie postfix/smtpd[20964]: connect from localhost[127.0.0.1]
Feb 23 13:55:01 messagerie postfix/smtpd[20964]: lost connection after CONNECT from localhost[127.0.0.1]
Feb 23 13:55:01 messagerie postfix/smtpd[20964]: disconnect from localhost[127.0.0.1]
Feb 23 13:55:01 messagerie pop3d: Connection, ip=[::ffff:127.0.0.1]
...
How it works
The -n switch tells sed to not output each line of the file it reads (default behaviour).
The last p after the regular expressions tells it to print lines that match the preceding expression.
The expression '/pattern1/,/pattern2/' will print everything that is between first pattern and second pattern. In this case it will print every line it finds between the string Feb 23 13:55 and the string Feb 23 14:00.

Use grep and regular expressions. For example, if you want a 4-minute interval of logs:
grep "31/Mar/2002:19:3[1-5]" logfile
will return all log lines between 19:31 and 19:35 on 31/Mar/2002.
Supposing you need the last 5 days starting from today 27/Sep/2011 you may use the following:
grep "2[3-7]/Sep/2011" logfile

Well, I have spent some time on your date format.....
However, I finally worked it out.
Let's take an example file (named logFile); I made it a bit short.
Say you want to get the last 5 mins of log in this file:
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET
### lines below are what you want (5 mins till the last record)
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:27:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET
here is the solution:
# You can customize this variable; the important thing is to convert it to seconds.
# e.g 5days=$((5*24*3600))
x=$((5*60)) # here we take 5 mins as an example
# this line gets the timestamp in seconds of the last line of your logfile
last=$(tail -n1 logFile | awk -F'[][]' '{ gsub(/\//," ",$2); sub(/:/," ",$2); cmd="date +%s -d \"" $2 "\""; cmd | getline d; close(cmd); print d }')
# this awk will give you the lines you need (close(cmd) lets a repeated timestamp be converted again):
awk -F'[][]' -v last="$last" -v x="$x" '{ gsub(/\//," ",$2); sub(/:/," ",$2); cmd="date +%s -d \"" $2 "\""; cmd | getline d; close(cmd); if (last-d<=x) print $0 }' logFile
output:
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:27:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:30:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:30:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:30:41 +0200 "GET
172.16.0.3 - - 31 Mar 2002 19:30:41 +0200 "GET
EDIT
You may notice that in the output the [ and ] have disappeared. If you do want them back, you can change the last awk line print $0 -> print $1 "[" $2 "]" $3
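
As an added example (not part of the original answers), the same "last X seconds before the final record" selection can be done in one awk program that computes epoch seconds itself, so no log text is handed to a shell through date and lines without a well-formed timestamp are skipped. last_window and sample_log are hypothetical names, and the sample records are constructed.

```shell
# Added example: lines from the last N seconds before the final record.
# last_window and sample_log are hypothetical names; sample data is constructed.
last_window() {   # usage: last_window SECONDS LOGFILE
    awk -v span="$1" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", nm, " ")
        for (i = 1; i <= 12; i++) mon[nm[i]] = i
        d2 = "[0-9][0-9]"
        # Strict shape of [dd/Mon/yyyy:hh:mm:ss +zzzz]; anything else is skipped.
        re = "\\[" d2 "/[A-Z][a-z][a-z]/" d2 d2 ":" d2 ":" d2 ":" d2 " [+-]" d2 d2 "\\]"
    }
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    # Epoch seconds (UTC) of the first well-formed timestamp in the line, or -1.
    function epoch(line,    p, off, secs) {
        if (!match(line, re)) return -1
        split(substr(line, RSTART + 1, RLENGTH - 2), p, "[/: ]")
        if (!(p[2] in mon)) return -1
        off = substr(p[7], 2, 2) * 3600 + substr(p[7], 4, 2) * 60
        if (substr(p[7], 1, 1) == "-") off = -off
        secs = p[4] * 3600 + p[5] * 60 + p[6]
        return days(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 + secs - off
    }
    { t = epoch($0) }
    NR == FNR { if (t >= 0) last = t; next }   # pass 1: timestamp of final record
    t >= 0 && last - t <= span                 # pass 2: print lines in the window
    ' "$2" "$2"
}

sample_log() {   # constructed records, including a +0100 offset and a bad line
    cat <<'EOF'
172.16.0.3 - - [31/Mar/2002:19:20:41 +0200] "GET / HTTP/1.1" 200 123
172.16.0.3 - - [31/Mar/2002:19:25:40 +0200] "GET /a HTTP/1.1" 200 123
172.16.0.3 - - [31/Mar/2002:19:25:41 +0200] "GET /b HTTP/1.1" 200 123
172.16.0.3 - - [31/Mar/2002:18:27:41 +0100] "GET /c HTTP/1.1" 200 123
172.16.0.3 - - [not a timestamp] "GET /x HTTP/1.1" 200 123
172.16.0.3 - - [31/Mar/2002:19:30:41 +0200] "GET /d HTTP/1.1" 200 123
EOF
}

demo_log=$(mktemp)
sample_log > "$demo_log"
last_window 300 "$demo_log"    # prints the /b, /c and /d records
rm -f "$demo_log"
```

The file is read twice, so it has to be a regular file rather than a pipe; the brackets are left in place in the output.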

I used this command to find the last 5 minutes of logs for a particular event, "DHCPACK". Try the below:
$ grep "DHCPACK" /var/log/messages | grep "$(date +%h\ %d) [$(date --date='5 min ago' +%H)-$(date +%H)]:*:*"

You can use this for getting current and log times:
#!/bin/bash
log="log_file_name"
# read each log line unmodified (no backslash processing, no whitespace trimming)
while IFS= read -r line
do
    # current time, split out of the default `date` output
    current_hours=$(date | awk 'BEGIN{FS="[ :]+"}; {print $4}')
    current_minutes=$(date | awk 'BEGIN{FS="[ :]+"}; {print $5}')
    current_seconds=$(date | awk 'BEGIN{FS="[ :]+"}; {print $6}')
    # time of the log record, split on spaces, "[", "/" and ":"
    log_file_hours=$(echo "$line" | awk 'BEGIN{FS="[ [/:]+"}; {print $7}')
    log_file_minutes=$(echo "$line" | awk 'BEGIN{FS="[ [/:]+"}; {print $8}')
    log_file_seconds=$(echo "$line" | awk 'BEGIN{FS="[ [/:]+"}; {print $9}')
done < "$log"
And compare log_file_* and current_* variables.

Related

how to use cat | awk | xargs sed to replace a char

I wrote a little bash script to parse the Apache access log to count POST|GET requests.
My script works fine but I have a little graphical issue when I want to remove the "[" char from the date field returned by the awk command.
Here is my script:
clear
ls /var/log/httpd | egrep *access_log$ > temp.txt
while read line
do
linecount=$(cat /var/log/httpd/"$line" | wc -l)
#echo -e "$line"
#echo -e "$linecount"
if [ $linecount -gt 0 ]
then
echo -e "==========================================="
echo -e "$line"
echo -e "Date de debut du log :"
cat /var/log/httpd/"$line" | awk -v ligne=1 'NR == ligne, FS=":" {print $4}' | xargs -0 sed -i 's/\[//g'
echo -e "Date de fin du log :"
cat /var/log/httpd/"$line" | awk 'END {print $4}'
echo -e "Nombre de requêtes sur la période :"
egrep -i 'post|get' /var/log/httpd/"$line" | wc -l
fi
linecount=0
done < temp.txt
rm -f temp.txt
An example of standard output of this code looks like this :
===========================================
xxx.xxx.xxx-ssl_access_log
Date de debut du log :
sed: impossible de lire [01/Jan/2021:07:34:59
: Aucun fichier ou dossier de ce type
Date de fin du log :
[22/Jan/2021:07:44:44
Nombre de requêtes sur la période :
22
Why can't sed use the string piped by awk?
How can I correct it?
Below is an example of a log input file:
54.36.148.55 - - [29/Dec/2020:18:05:38 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.149.92 - - [29/Dec/2020:18:05:38 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.185 - - [30/Dec/2020:17:51:06 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.77 - - [31/Dec/2020:17:19:18 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.97 - - [31/Dec/2020:17:19:19 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.61 - - [01/Jan/2021:14:45:59 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.151 - - [02/Jan/2021:16:26:22 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.71 - - [02/Jan/2021:16:26:24 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.108 - - [03/Jan/2021:15:21:28 +0100] "GET / HTTP/1.1" 200 2394
208.100.26.249 - - [03/Jan/2021:23:15:13 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.95 - - [04/Jan/2021:15:28:31 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.202 - - [04/Jan/2021:15:28:32 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.24 - - [05/Jan/2021:14:44:52 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.184 - - [06/Jan/2021:15:00:55 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.149.54 - - [06/Jan/2021:15:00:55 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.185 - - [07/Jan/2021:14:03:13 +0100] "GET / HTTP/1.1" 200 2394
51.158.103.247 - - [08/Jan/2021:12:31:33 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.17 - - [08/Jan/2021:14:10:18 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.185 - - [08/Jan/2021:14:10:19 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.101 - - [09/Jan/2021:14:17:39 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.94 - - [09/Jan/2021:14:17:40 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.103 - - [10/Jan/2021:15:21:24 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.68 - - [10/Jan/2021:15:21:24 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.208 - - [11/Jan/2021:18:15:40 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.149.78 - - [11/Jan/2021:18:15:41 +0100] "GET / HTTP/1.1" 200 2394
54.36.148.64 - - [12/Jan/2021:20:37:08 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.149.38 - - [12/Jan/2021:20:37:09 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.66 - - [13/Jan/2021:20:40:09 +0100] "GET /robots.txt HTTP/1.1" 404 159
54.36.148.203 - - [13/Jan/2021:20:40:10 +0100] "GET / HTTP/1.1" 200 2394
51.158.127.119 - - [14/Jan/2021:11:41:05 +0100] "GET / HTTP/1.1" 200 2394
51.15.251.143 - - [14/Jan/2021:11:52:04 +0100] "GET / HTTP/1.1" 200 2394
54.36.149.76 - - [14/Jan/2021:20:05:36 +0100] "GET / HTTP/1.1" 200 2394
208.100.26.243 - - [18/Jan/2021:10:20:00 +0100] "GET / HTTP/1.1" 200 2394
208.100.26.248 - - [25/Jan/2021:04:10:37 +0100] "GET / HTTP/1.1" 200 2394
Using awk as a "complete" solution
awk 'FNR==1 {
gsub("[[]","",$4);
sdat=$4 # When the file record number (FNR) is 1, remove [ from the 4th space separated field with gsub and set sdat to this field
}
ENDFILE {
gsub("[[]","",$4);
fdat=$4; # When we reach the end of each file, remove [ again from the 4th field and set fdat to this field
print "==========================================="
print FILENAME # Print the filename using awk's FILENAME variable
print "Date de debut du log :" # Print the data required
print sdat
print "Date de fin du log :"
print fdat
print "Nombre de requêtes sur la période :"
print FNR # Print the total number of records in the file (file number record)
} ' /var/log/httpd/*access_log
# user15097052 : you'll absolutely love the insane power afforded by AWK. It's great because of its simplicity - it doesn't come with every bell and whistle, but for the building blocks it does, they do it REALLY well.
These days I pretty much avoid touching wc, sed, cut, and the majority of the time, I prefer not having to deal with perl or python3. The URL encode/decode module on python3 slows me down compared to awk.

Find cc attack IPs use shell scripts by log files

I have history web log files like this:
157.15.14.19 - - 06 Sep 2016 09:13:10 +0300 "GET /index.php?id=1 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:13:11 +0300 "GET /index.php?id=2 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:13:12 +0300 "GET /index.php?id=3 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:14:13 +0300 "GET /index.php?id=4 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:14:14 +0300 "GET /index.php?id=5 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:15:15 +0300 "GET /index.php?id=6 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:15:16 +0300 "GET /index.php?id=7 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:15:17 +0300 "GET /index.php?id=8 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:16:10 +0300 "GET /index.php?id=9 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:16:10 +0300 "GET /index.php?id=10 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
8.8.8.8 - - 06 Sep 2016 09:17:10 +0300 "GET /index.php?id=11 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
9.9.9.9 - - 06 Sep 2016 09:17:10 +0300 "GET /index.php?id=12 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:18:10 +0300 "GET /index.php?id=13 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:19:10 +0300 "GET /index.php?id=14 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:19:10 +0300 "GET /index.php?id=15 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:20:10 +0300 "GET /index.php?id=15 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
123.123.123.123 - - 06 Sep 2016 09:21:10 +0300 "GET /index.php?id=15 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.15.14.19 - - 06 Sep 2016 09:22:10 +0300 "GET /index.php?id=15 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
I want to find out the CC attack IPs, using only yesterday's web log files.
In this example, I define a CC attack as follows:
every 5 minutes, if the same remote IP's request count is more than 5, the IP is a CC attack and should be printed.
The log file covers the whole day, and I can only use bash scripts, with tools like awk, cat, gawk, sed and so on.
Please give me some suggestions. Thanks a lot.
Update:
I tried to write a test script (per 2 minutes, the same request count > 5)
yy#yy:/tmp/tb$ cat 5.txt |awk '{print $7,$1}' |awk -F: '{print $1*60+int($2/2),$0}' |sort |uniq -c -f2 |awk '{if($1>5){print $0}}'
10 546 09:13:10 157.15.14.19
But the code is so bad; it needs to be optimized.
awk -v Interval=5 -v Trig=5 -F '[[:blank:]]+|:' '
  {
  # using format log
  # 157.15.14.19 - - 06 Sep 2016 09:13:10 +0300 "GET /index.php?id=1 HTTP/1.1" 200 16977 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
  # $1 2 3 4 5 6 7 8 9 10 11 ...
  ThisTime = $7 * 60 + $8
  # if new cycle (so this line is not in the cycle)
  if ( ThisTime > ( LastTic + Interval ) ) {
    # check and print last cycle hit
    for( IP in IPCounts) if ( IPCounts[ IP] > Trig) print LastTime " " IP " : " IPCounts[ IP]
    # reset reference
    split( "", IPCounts)
    # %02d keeps the minute zero-padded (09:05:00, not 09: 5:00)
    LastTime = $4 " " $5 " " $6 " " $7 ":" sprintf( "%02d", ( $8 - ( $8 % Interval) )) ":00"
    LastTic = $7 * 60 + ( $8 - ( $8 % Interval) )
    }
  # add this line to new cycle
  IPCounts[ $1]++
  }
  END {
    # print last cycle
    for( IP in IPCounts) if ( IPCounts[ IP] > Trig) print LastTime " " IP " : " IPCounts[ IP]
    }
  ' YourFile
# for format of log
# op.g.cc 124.145.36.121 - - [21/Nov/2016:03:38:02 +0800] ==> 172.11.0.238:80 "POST ...
# $1 2 3 4 5 6 7 8 9 10 11 ...
# change:
# $7 by $6, $8 by $7
# LastTime = $5 ":" $6 ":" sprintf( "%02d", ( $7 - ( $7 % Interval) )) ":00 +800]"
# IPCounts[ $2]++
Note:
This is quick and dirty for the time selection (you mention 1 log per day). If more precision is needed, use mktime to work with a real epoch time reference.
Trig is the count trigger level (5 times) and Interval is the time of the cycle (5 minutes).
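
An added variant, not part of the original answer: the same per-IP threshold, but counted over a sliding window of seconds instead of fixed cycles, so a burst is counted the same wherever it starts. flag_bursts and sample_cc_log are hypothetical names, the sample records are constructed with documentation-range addresses, and times are taken as seconds since midnight on the assumption of one log per day, as the question states.

```shell
# Added example: sliding-window request counting per client IP.
# flag_bursts and sample_cc_log are hypothetical names; sample data is constructed.
flag_bursts() {   # usage: flag_bursts WINDOW_SECONDS THRESHOLD < logfile
    awk -v win="$1" -v trig="$2" '
    # Layout from the question: IP - - dd Mon yyyy hh:mm:ss +zzzz "request" ...
    $7 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
        split($7, hms, ":")
        now = hms[1] * 3600 + hms[2] * 60 + hms[3]   # seconds since midnight
        ip = $1
        if (!(ip in lo)) lo[ip] = 1
        seen[ip, ++hi[ip]] = now                     # append to this IP queue
        # Drop requests that have aged out of the window (now - win, now].
        while (lo[ip] < hi[ip] && now - seen[ip, lo[ip]] >= win)
            delete seen[ip, lo[ip]++]
        n = hi[ip] - lo[ip] + 1
        if (n > trig) {
            if (!(ip in first)) first[ip] = $7       # moment the limit was crossed
            if (n > peak[ip]) peak[ip] = n
        }
    }
    # One line per flagged IP: address, first time over the limit, peak count.
    END { for (ip in first) print ip, first[ip], peak[ip] }
    ' | sort
}

sample_cc_log() {   # constructed: one 20-second burst, one slow steady client
    cat <<'EOF'
192.0.2.10 - - 06 Sep 2016 09:04:50 +0300 "GET /index.php?id=1 HTTP/1.1" 200 16977
192.0.2.10 - - 06 Sep 2016 09:04:55 +0300 "GET /index.php?id=2 HTTP/1.1" 200 16977
192.0.2.10 - - 06 Sep 2016 09:04:59 +0300 "GET /index.php?id=3 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:05:00 +0300 "GET /index.php?id=1 HTTP/1.1" 200 16977
192.0.2.10 - - 06 Sep 2016 09:05:00 +0300 "GET /index.php?id=4 HTTP/1.1" 200 16977
192.0.2.10 - - 06 Sep 2016 09:05:05 +0300 "GET /index.php?id=5 HTTP/1.1" 200 16977
192.0.2.10 - - 06 Sep 2016 09:05:10 +0300 "GET /index.php?id=6 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:06:30 +0300 "GET /index.php?id=2 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:08:00 +0300 "GET /index.php?id=3 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:09:30 +0300 "GET /index.php?id=4 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:11:00 +0300 "GET /index.php?id=5 HTTP/1.1" 200 16977
198.51.100.7 - - 06 Sep 2016 09:12:30 +0300 "GET /index.php?id=6 HTTP/1.1" 200 16977
EOF
}

sample_cc_log | flag_bursts 300 5    # prints: 192.0.2.10 09:05:10 6
```

Both clients send six requests, but only the one that sends them inside a single 5-minute span is reported.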

Webapp on Tomcat not responding

I have installed Tomcat7 on my Windows Server. And I have a war-file to deploy a Java application with REST to my Tomcat. I have no problems going to the Application Manager and deploying my app. But I have a problem getting a response from that app. Previously it was installed on another Tomcat server and it worked fine. I looked inside the logs and found only this
10.10.1.32 - - [23/Feb/2016:12:40:42 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /tomcat.css HTTP/1.1" 200 5926
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /tomcat.png HTTP/1.1" 200 5103
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /bg-middle.png HTTP/1.1" 200 1918
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /bg-nav.png HTTP/1.1" 200 1401
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /bg-button.png HTTP/1.1" 200 713
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /asf-logo.png HTTP/1.1" 200 17811
10.10.1.32 - - [23/Feb/2016:12:40:45 +0200] "GET /bg-upper.png HTTP/1.1" 200 3103
10.10.1.32 - - [23/Feb/2016:12:40:46 +0200] "GET /favicon.ico HTTP/1.1" 200 21630
10.10.1.32 - - [23/Feb/2016:12:40:50 +0200] "GET /manager/html HTTP/1.1" 401 2538
10.10.1.32 - sa [23/Feb/2016:12:40:55 +0200] "GET /manager/html HTTP/1.1" 200 14084
10.10.1.32 - sa [23/Feb/2016:12:40:55 +0200] "GET /manager/images/tomcat.gif HTTP/1.1" 200 2066
10.10.1.32 - sa [23/Feb/2016:12:40:55 +0200] "GET /manager/images/asf-logo.gif HTTP/1.1" 200 7279
10.10.1.32 - - [23/Feb/2016:12:42:12 +0200] "GET /uniteh-bau/rest/settings/setServerName/tsrv HTTP/1.1" 404 -
10.10.1.32 - - [23/Feb/2016:13:01:20 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /tomcat.css HTTP/1.1" 200 5926
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /tomcat.png HTTP/1.1" 200 5103
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /bg-nav.png HTTP/1.1" 200 1401
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /bg-upper.png HTTP/1.1" 200 3103
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /bg-middle.png HTTP/1.1" 200 1918
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /asf-logo.png HTTP/1.1" 200 17811
10.10.1.32 - - [23/Feb/2016:13:01:25 +0200] "GET /bg-button.png HTTP/1.1" 200 713
10.10.1.32 - - [23/Feb/2016:13:01:48 +0200] "GET /uniteh-bau/rest/settings/info HTTP/1.1" 404 -
10.10.1.32 - - [23/Feb/2016:14:06:56 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:14:08:41 +0200] "GET /uniteh-bau/rest/settings/setServerName/tsrv HTTP/1.1" 404 -
10.10.1.32 - - [23/Feb/2016:14:55:20 +0200] "GET / HTTP/1.1" 200 11418
10.10.1.32 - - [23/Feb/2016:14:55:30 +0200] "GET /uniteh-bau/rest/settings/setServerName/tsrv HTTP/1.1" 404 -
I use an internet browser to test my app. But the only thing I can see is a blank page. In the logs all my requests are marked with 404 at the end of the log line. Did I miss something?
Those paths are all relative to the root (/) of your server. Tomcat doesn't work like that - you can see those three requests to /manager/ result in status 200.
Likewise, your .war is installed as a webapp under a certain name and all requests need to be relative to that webapp's name:
in that case, all requests must go to https://myserver.com:port/myWar/*
The issue could be caused if you used an apache httpd in front of the Tomcat which rewrote URLs and your links/bookmarks still point to the root-relative paths.
TL;DR: just go to the manager app and click on the link to your application.

Summing downloaded data by IP addresses

I have this file:
2001:778:0:1::21 - - [16/Sep/2011:12:30:46 +0300] "GET / HTTP/1.1" 200 44
2001:778:0:1::21 - - [16/Sep/2011:12:30:46 +0300] "GET /favicon.ico HTTP/1.1" 200 1406
2001:778:0:1::21 - - [16/Sep/2011:12:32:15 +0300] "GET / HTTP/1.1" 200 66643
88.222.10.7 - - [17/Sep/2011:23:39:25 +0300] "GET / HTTP/1.1" 200 66643
88.222.10.7 - - [17/Sep/2011:23:39:25 +0300] "GET /favicon.ico HTTP/1.1" 200 1406
88.222.10.7 - - [18/Sep/2011:13:45:39 +0300] "GET / HTTP/1.1" 304 -
88.222.10.7 - - [19/Sep/2011:05:47:35 +0300] "GET / HTTP/1.1" 200 66643
88.222.10.7 - - [19/Sep/2011:05:47:36 +0300] "GET /favicon.ico HTTP/1.1" 200 1406
121.141.172.40 - - [19/Sep/2011:20:32:07 +0300] "CONNECT 64.12.202.43:443 HTTP/1.0" 405 235
And I have IP addresses data (last number in each line), for example 44, 1406, 66643, 6664, .....
I want to sum all data that belongs to same IP address. So my results should be:
2001:778:0:1::21 68093 (44+1406+66643)
88.222.10.7 136098 (66643+1406+66643+1406)
121.141.172.40 235 (235)
Is it possible to do that in shell?
This should give you the desired output:
# awk 'BEGIN{FS=" "}{arr[$1]+=$10}END{for(i in arr) print i,arr[i]}' file
88.222.10.7 136098
2001:778:0:1::21 68093
121.141.172.40 235

"Caught SIGWINCH, shutting down gracefully" error in Openshift

I'm running Laravel on an OpenShift server (LAMP stack). My server was offline for the past two days. Then I looked into the error log; it says "caught SIGWINCH, shutting down gracefully", but it didn't give me more details. How can I find the reason for the shutdown? I have attached the error log to this question.
- - - [13/Dec/2014:12:06:34 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (Red Hat) (internal dummy connection)"
- - - [13/Dec/2014:12:06:34 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (Red Hat) (internal dummy connection)"
[Sat Dec 13 12:06:34 2014] [notice] caught SIGWINCH, shutting down gracefully
[Mon Dec 15 01:15:31 2014] [notice] SELinux policy enabled; httpd running as context
unconfined_u:system_r:openshift_t:s0:c6,c126
[Mon Dec 15 01:15:31 2014] [notice] Digest: generating secret for digest authentication ...
[Mon Dec 15 01:15:31 2014] [notice] Digest: done
[Mon Dec 15 01:15:31 2014] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
- - - [15/Dec/2014:01:15:32 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:38 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:41 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:44 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:47 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:49 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:52 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:55 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:15:58 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:16:04 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:16:07 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:16:10 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
- - - [15/Dec/2014:01:16:14 -0500] "GET / HTTP/1.0" 302 268 "-" "-"
(98)Address already in use: make_sock: could not bind to address 127.12.49.129:8080
no listening sockets available, shutting down
Unable to open logs
Can anyone please help in finding the reason for the error ?
Thanks in advance.
SIGWINCH is also used by some services that need to restart Apache when rotating logs, nightly jobs, etc.
That doesn't explain the problem you're currently having, but I think it might be something else running on your server that's restarting Apache – or it might not be related to your problem at all.
