HostOnNet Blog

How to analyze Apache access logs using Scalp

What is Scalp?


Scalp! is a log analyzer for the Apache web server that looks for security problems. The main idea is to read through huge log files and extract the possible attacks that were sent through HTTP GET requests (by default, Apache does not log HTTP POST variables).

Installing Scalp On Your PC

mkdir ~/programs
cd ~/programs

That will install Scalp on your PC in the ~/programs folder. You don’t need to do it again as long as you don’t delete these 2 files.

Let's analyze the Apache log for a web site. Let's say you downloaded it to your “Downloads” folder.

Let's uncompress the log file.

cd ~/Downloads

Run Scalp. It will go through the Apache access log and generate a report.

python ~/programs/  -f ~/programs/default_filter.xml -o ./scalp-output --html -l

This will create a report in HTML format inside the scalp-output folder. Open it in a browser and go through the results.


$ python ~/programs/  -f ~/programs/default_filter.xml -o ./scalp-output --html -l
The directory %s doesn't exist, scalp will try to create it
Loading XML file '/home/melbin/programs/default_filter.xml'...
Processing the file ''...
Scalp results:
   Processed 26134 lines over 26134
   Found 758 attack patterns in 11.480543 s
Generating output in ./scalp-output/*
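
To make the idea behind the report concrete, here is an added sketch (not Scalp's own code) of matching regex filters loaded from XML against the GET request targets in an access log. The three rules and the log lines are constructed for illustration, and the XML layout is assumed to follow the PHP-IDS filter format; the real default_filter.xml is much larger.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus

# Constructed rules in the assumed PHP-IDS filter layout; not the real default_filter.xml.
FILTER_XML = r"""<filters>
  <filter><id>1</id><rule><![CDATA[<script\b|javascript:]]></rule>
    <description>script injection</description><tags><tag>xss</tag></tags><impact>4</impact></filter>
  <filter><id>2</id><rule><![CDATA[\.\./|/etc/passwd]]></rule>
    <description>directory traversal</description><tags><tag>lfi</tag></tags><impact>5</impact></filter>
  <filter><id>3</id><rule><![CDATA[union\s+select|'\s*or\s*'?\d]]></rule>
    <description>SQL injection probe</description><tags><tag>sqli</tag></tags><impact>6</impact></filter>
</filters>"""

# Constructed access-log lines (combined format, documentation IP range).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /view.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:56:09 +0000] "GET /item.php?id=1+UNION+SELECT+1,2 HTTP/1.1" 200 981 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:13:57:12 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
192.0.2.90 - - [10/Oct/2023:13:58:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def load_filters(xml_text):
    """Return (id, tag, compiled regex) for each <filter> element."""
    return [(int(f.findtext("id")), f.findtext("tags/tag"),
             re.compile(f.findtext("rule"), re.IGNORECASE | re.DOTALL))
            for f in ET.fromstring(xml_text).iter("filter")]

def scan(log_text, rules):
    """Match each rule against the URL-decoded request target of every line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _when, method, target, status = m.groups()
        decoded = unquote_plus(target)  # the encoded form would hide '../' and '<script'
        for rule_id, tag, rx in rules:
            if rx.search(decoded):
                findings.append((lineno, ip, method, tag, rule_id, int(status)))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, load_filters(FILTER_XML)):
        print(hit)
```

The POST line produces no finding because only the request line is logged, which is the blind spot noted at the top of this post.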
