Nginx
Vadim Timoshenko, 2019-01-09 19:05:15

How to read access.log log files?

The access.log log file in the /var/log/nginx/ folder fills up very quickly.
I don't quite understand how to read the log file. Here are some lines:

190.2.143.139 - - [09/Jan/2019:18:52:39 +0300] "GET http://paxtonguiw14703.blogstival.com/?s=ortuez HTTP/1.1" 200 8780 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1"
5.9.89.80 - - [09/Jan/2019:18:52:39 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?V39E5K3CKGRIN3PZX6 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"
5.9.89.80 - - [09/Jan/2019:18:52:39 +0300] "GET http://shaiyaresurgence.com/en/?2CWP4398K93SJ49YTH HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET https://shaiya-immortal.com/en/?AGNC9FVFEB0YW9JI5Y HTTP/1.1" 499 0 "-" "Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?OHPMS0189ALA38QU8F HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?VM2LLYOI7I6AVJUZU3 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET https://www.baidu.com/link?url=IoWGYpKKMxUWnB70_bAN-rbbEq3e1IqQ8D54czB-JFG HTTP/1.1" 499 0 "-" "Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://shaiyaresurgence.com/en/?2MA7M9GFSXJ8Q3M7IV HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET https://shaiya-immortal.com/en/?X52D93PP826SEW0LME HTTP/1.1" 499 0 "-" "Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?H23POYJDRJVUT18RFK HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?2GKY8JYDX9JJ08CVL7 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET https://www.baidu.com/link?url=IoWGYpKKMxUWnB70_bAN-rbbEq3e1IqQ8D54czB-JFG HTTP/1.1" 499 0 "-" "Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00"
5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET http://shaiyaresurgence.com/en/?DT9FBEYS4L71I1P8OS HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"

There are no URLs of my site or IP addresses in these lines. As I understand it, a GET request is being made to one of the addresses above. But what does my server have to do with it? How do I stop it? =)
Because the logs grow so quickly, disk space is being wasted.
I tried configuring logrotate for nginx like this. I set a limit of 5M, but it has no effect: after the log exceeds 5M, it continues to grow and is not archived.
/var/log/nginx/*.log {
  size=5M
  daily
  missingok
  rotate 14
  compress
  delaycompress
  notifempty
  create 0640 www-data adm
  sharedscripts
  prerotate
    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
      run-parts /etc/logrotate.d/httpd-prerotate; \
    fi \
  endscript
  postrotate
    invoke-rc.d nginx rotate >/dev/null 2>&1
  endscript
}

4 answers
xoo, 2019-01-09
@xoo

It looks like a proxy scanner, given the GET requests to other sites.
Here someone has the same problem.

Sergey Sokolov, 2019-01-09
@sergiks

Configure the log file format as you like

Dmitry, 2019-01-17
@dxp

The logs are easy to read:
5.9.89.80 - client IP
- - - HTTP authorization data
[09/Jan/2019:18:52:40 +0300] - request date and time
"GET http://shaiyaresurgence.com/en/?DT9FBEYS4L71I1P8OS HTTP/1.1" - the request itself
499 - the server response code
0 - the number of bytes transferred from the server
"-" - HTTP referer
"Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+" - user agent

In fact, 99% of this is requests from a bot:
* the IP address 5.9.89.80 is from the Hetzner hosting pool
* 499 - the bot did not wait for the server response and immediately closed the connection
* and the requests are malformed (if the standard log format was not changed): there should be no protocol and host, that is, instead of
"GET http://shaiyaresurgence.com/en/?DT9FBEYS4L71I1P8OS HTTP/1.1"
it should be "GET /en/?DT9FBEYS4L71I1P8OS HTTP/1.1"
The easiest thing is to ban the IP on the firewall.

About logrotate:
Usually it runs only once a day (the script is in /etc/cron.daily), so nothing will happen immediately after the log reaches 5M. Moreover, the delaycompress parameter means that the first copy (*.log.1) will not be archived; only the second one will be compressed.
If you want, you can move /etc/cron.daily/logrotate to /etc/cron.hourly and logrotate will run every hour.
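To make the field-by-field breakdown above concrete, here is an added example (written for this page, not code from Dmitry or the asker) that parses nginx "combined"-format lines and counts, per client address, the 499 responses and the absolute-URI requests that mark the proxy scanner. Four of the sample lines are copied from the question; the two lines for 203.0.113.7 and 198.51.100.9 and the `min_hits` threshold are constructed for the example.

```python
"""Parse nginx "combined" access-log lines and flag proxy-probe traffic.

Added example for this thread (not Dmitry's or the asker's code). Field
names follow the nginx log_format "combined" default:
  $remote_addr - $remote_user [$time_local] "$request" $status
  $body_bytes_sent "$http_referer" "$http_user_agent"
"""
import re
from collections import Counter
from datetime import datetime

COMBINED_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sample input: four lines copied from the question, plus two constructed
# lines (203.0.113.7 and 198.51.100.9 are documentation addresses) showing a
# normal request and the "-" nginx logs when no usable request line arrived.
SAMPLE_LINES = [
    '190.2.143.139 - - [09/Jan/2019:18:52:39 +0300] "GET http://paxtonguiw14703.blogstival.com/?s=ortuez HTTP/1.1" 200 8780 "-" "Mozilla/5.0 (iPhone9,4; U; CPU iPhone OS 10_0_1 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/14A403 Safari/602.1"',
    '5.9.89.80 - - [09/Jan/2019:18:52:39 +0300] "GET http://89.43.64.58:5878/safrantv/default.stream/playlist.m3u8?dv?V39E5K3CKGRIN3PZX6 HTTP/1.1" 499 0 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"',
    '5.9.89.80 - - [09/Jan/2019:18:52:39 +0300] "GET http://shaiyaresurgence.com/en/?2CWP4398K93SJ49YTH HTTP/1.1" 499 0 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9850; en) AppleWebKit/534.11+ (KHTML, like Gecko) Version/7.0.0.254 Mobile Safari/534.11+"',
    '5.9.89.80 - - [09/Jan/2019:18:52:40 +0300] "GET https://shaiya-immortal.com/en/?AGNC9FVFEB0YW9JI5Y HTTP/1.1" 499 0 "-" "Opera/12.0(Windows NT 5.2;U;en)Presto/22.9.168 Version/12.00"',
    '203.0.113.7 - - [09/Jan/2019:18:52:41 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.64.0"',
    '198.51.100.9 - - [09/Jan/2019:18:53:01 +0300] "-" 400 0 "-" "-"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if the
    line does not match (for example when log_format was customised)."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # $time_local looks like 09/Jan/2019:18:52:40 +0300
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # $request is "METHOD target HTTP/x.y"; nginx logs "-" when the client
    # sent nothing usable, so tolerate anything that is not three tokens.
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["target"], rec["proto"] = parts
    else:
        rec["method"], rec["target"], rec["proto"] = None, rec["request"], None
    return rec


def is_absolute_uri(target):
    """True when the request target carries scheme and host (absolute-form),
    which a client only sends to a forward proxy. Against an origin server
    this is the proxy-scanner signature the answer describes: a normal
    request would be 'GET /en/?... HTTP/1.1'."""
    return target.lower().startswith(("http://", "https://"))


def summarize(lines):
    """Per-client counters: total requests, 499s, absolute-URI requests."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip.setdefault(rec["addr"], Counter())
        stats["total"] += 1
        if rec["status"] == 499:
            stats["client_closed"] += 1
        if is_absolute_uri(rec["target"]):
            stats["absolute_uri"] += 1
    return per_ip


def block_candidates(summary, min_hits=2):
    """Clients with at least min_hits absolute-URI requests: the addresses
    worth banning on the firewall, as the answer suggests. The threshold is
    a constructed default, not a value from the thread."""
    return sorted(ip for ip, s in summary.items() if s["absolute_uri"] >= min_hits)


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for ip, s in sorted(report.items()):
        print(f"{ip:16} total={s['total']} 499={s['client_closed']} "
              f"absolute_uri={s['absolute_uri']}")
    print("ban candidates:", block_candidates(report))
```

Run it against a real file with `summarize(open("/var/log/nginx/access.log"))`; lines that do not match the combined format are skipped rather than raising, so a custom `log_format` shows up as an empty report instead of a crash.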

German Zvonchuk, 2019-01-18
@inside22

Vadim Timoshenko can easily connect Cloudflare.com and forget about this headache.
Pay attention to the requests: they all have status 499. You are simply being attacked to load your server.

499 CLIENT CLOSED REQUEST
A non-standard status code introduced by nginx for the case when a client closes the connection while nginx is processing the request.

Cloudflare will solve all your problems for free :=)
