Analyze Apache log for security with Scalp

Scalp! is a log analyzer for the Apache web server that looks for security problems. It reads the Apache log and perform log analysis for possible attacks against rulesets provided by PHP-IDS project. It is available for download from GitHub.

Scalp! is currently written in Python though the writer claims he’s now working on C++ version of it. Current Python can only analyze a maximum of 10000 lines of log, and seems to be a bit slow. The C++ version is aimed to overcome the problems.

When being run without any parameters, Scalp will look for access_log and default_filter.xml files in the current directory, and produce the report to the standard output. access_log is the Apache log file, and default_filter.xml is the filter rules available from the PHPIDS project. Running the program as the following will use the Apache log file at /var/log/apache2/access.log and the PHPIDS ruleset from ~/default_filter.xml;

$ python scalp.py --log /var/log/apache2/access.log --filters ~/default_filter.xml

To overcome the 10000 lines limitation of the program, a Linux program called split can be run as in the example below as a log splitter, and Scalp! is then run against all the splitted log;

$ split -l 10000  /var/log/apache2/access.log

Sign up for Complete Apache HTTP Server Course and many other great courses on Udemy to learn more.

Complete Apache HTTP Server Course

Master Apache 2.4 web server and start on-demand career!

Written by Mohd Shakir Zakaria.

Last updated on 2019-02-12.