How to analyze Apache log for security with Scalp

Scalp! is a log analyzer for the Apache web server that looks for security problems. It reads the Apache log and perform log analysis for possible attacks against rulesets provided by PHP-IDS project. It is available for download from GitHub.

neuroo/apache-scalp

Scalp! is currently written in Python though the writer claims he’s now working on C++ version of it. Current Python can only analyze a maximum of 10000 lines of log, and seems to be a bit slow. The C++ version is aimed to overcome the problems.

When being run without any parameters, Scalp will look for access_log and default_filter.xml files in the current directory, and produce the report to the standard output. access_log is the Apache log file, and default_filter.xml is the filter rules available from the PHPIDS project. Running the program as the following will use the Apache log file at /var/log/apache2/access.log and the PHPIDS ruleset from ~/default_filter.xml;

$ python scalp.py --log /var/log/apache2/access.log --filters ~/default_filter.xml

To overcome the 10000 lines limitation of the program, a Linux program called split can be run as in the example below as a log splitter, and Scalp! is then run against all the splitted log;

$ split -l 10000  /var/log/apache2/access.log