apache_sitedown
This is an old revision of the document!
Step 1
did apache hit max clients? CentOS/RHL
1 |
grep -i maxc /var/log/httpd/error_log |
1 |
grep -i maxc /var/log/apache2/error_log |
Step 2
Did the server run out of memory and kill processes that killed a vital service? CentOS/RHL
1 |
egrep -i 'killed process|invoked oom' /var/log/messages |
1 |
egrep -i 'killed process|invoked oom' /var/log/syslog |
Summarise date and times the server ran out of memory (CentOS/RHEL):
1 |
zgrep -i 'killed process\|invoked oom' /var/log/messages* | awk '/Killed process/ {print $1, $2, $3}' | awk -F: '{print $2}' | uniq -c |
1 |
zgrep -i 'killed process\|invoked oom' /var/log/messages* | awk '/Killed process/ {print $1, $2, $11}' | awk -F: '{print $2}' | uniq -c | sort -k2,3 |
1 2 3 4 5 6 7 8 |
2 Apr 25 (driveclient)1 Apr 27 (driveclient)2 Apr 29 (driveclient)1 May 12 (driveclient)1 May 2 (driveclient)1 May 22 (driveclient)1 May 5 (driveclient)1 May 9 (driveclient) |
1 |
zgrep -i 'killed process\|invoked oom' /var/log/syslog* | awk '/Killed process/ {print $1, $2, $3}' | awk -F: '{print $2}' | uniq -c |
Step 3
Check to see if the website received traffic during the period of 'down time' Investigating a 'site down' issue. Best command to see check all log is:
1 |
cat /var/log/httpd/*access*log* | grep "27/Aug/2015:04:[3..5][0..9]" | awk {' print $1 '} | sort | uniq -c | sort -rn |
1 |
cat /var/log/httpd/*access*log* | grep "22/Aug/2015:04:[3-5]" | awk {' print $1 '} | sort | uniq -c | sort -n |
Checking old log files (compresses)
1 |
zcat /var/log/httpd/*access*log*.gz | grep "22/Aug/2015:04:[3..5][0..9]" | awk {' print $1 '} | sort | uniq -c | sort -n |
1 |
grep 24/Apr/2015:02:[3-6][0-9]:* /var/log/httpd/access_log | awk '{print "IPaddress", $1,"Time",$4, $9}' |
This will grep for:
date 24/April/2015 02:30 - 02:60
E.g:
1 2 3 4 |
IPaddress x.x.x.x Time 24/Apr/2015:02:36:01 200IPaddress x.x.x.x Time 24/Apr/2015:02:36:11 200IPaddress x.x.x.x Time 24/Apr/2015:02:36:11 200IPaddress x.x.x.x Time 24/Apr/2015:02:36:12 200 |
The following can summaries all of the IP addresses hitting the access logs during a certain date/time
1 |
grep "12/Jun/2015:12" access_log | awk {'print $1'} | sort | uniq -c | sort -n | tail -n 20 |
1 2 3 4 5 6 |
492 x.x.x.1497 x.x.x.15501 x.x.x.158504 x.x.x.19517 x.x.x.201518 x.x.x.122 |
See what a specific IP address is doing (access logs) during a specific date/time
1 |
grep "12/Jun/2015:12" access_log | grep x.x.x.11 | tail -n 20 |
1 2 3 4 |
x.x.x.11 - - [12/Jun/2015:12:43:05 +0500] "POST /newsite/stats/recording.php HTTP/1.1" 200 407 "-" "-"x.x.x.11 - - [12/Jun/2015:12:42:50 +0500] "POST /newsite/api2/index.php HTTP/1.1" 200 1238 "-" "Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0 REQUESTED FROM: http://www.example.com/profolio/index.php?tabs=2§ion=add_property REF: http://www.example.com/profolio/index.php?tabs=2§ion=add_property API KEY:x.x.x.11 - - [12/Jun/2015:12:43:05 +0500] "POST /newsite/api/index.php HTTP/1.1" 200 3697 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 GTB5"x.x.x.11 - - [12/Jun/2015:12:43:06 +0500] "POST /newsite/api2/index.php HTTP/1.1" 200 766 "-" "Mozilla/5.0 (Windows NT 5.1; rv:18.0) Gecko/20100101 Firefox/18.0 REQUESTED FROM: http://www.example.com/profolio/includes/add_property_single.php? REF: http://www.example.com/profolio |
Following shows what IPs connected to the server during a time period, this can be used to see if the server was down at the time listed.
1 |
grep "16/Jun/2015:08:[0-2][0-9]:*" /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr |
The following command shows all IP addresses accessing all domains on the server for a specific date/time:
1 |
cat /var/www/vhosts/*/logs/*log | grep "20/Jul/2015:19" | awk {' print $1 '} | sort | uniq -c | sort -n |
apache_sitedown.1463991872.txt.gz · Last modified: 2024/05/23 07:26 (external edit)