I am currently trying to put together a regular expression but don't really know what I am doing. I am hoping that someone can give me a little help. Multiple unrecognized clients are frequently hitting my server trying to do some sort of exploit. Most likely it's the simple "script named as image" stuff, and fortunately DH's Apache configuration is recognizing this and logging 503 errors in my error.log.
Here are examples of a couple entries in my error log...
What I want to do is grep through the error logs looking for "[client" and reading from there up until the first occurrence of "]", or perhaps "] mod_security: Access denied with code 503" in order to locate just this type of error. Some of the IP addresses appear quite frequently and I would like to get a list of the unique IPs. Then I can do a count or something on them to identify ones that show up most frequently and possibly block them in my .htaccess file.
Keep in mind that I am a regex novice and this will probably be exceedingly simple for some of you.
I started with this: "grep '[client ' error.log" which worked, but it returned the entire line. Next I went on to "grep '[client ]*' error.log" which returned the entire line, and "grep '[client*]' error.log" which failed to return anything at all.
Am I headed in a useful direction or am I just completely off base here? Any input would be greatly appreciated.
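An added example, not part of the original post: a shell function that does the extraction described above, pulling the address out of "[client ...] mod_security: Access denied with code 503" lines and counting each unique IP. The log lines are constructed (documentation IP ranges), their layout is an assumption based on the fragments quoted in the post, and the names `sample_log` and `count_denied_clients` are hypothetical.

```shell
#!/bin/sh
# Constructed sample entries; the real error.log layout may differ in the
# timestamp and trailing fields, but the "[client IP] mod_security: ..." part
# is the piece quoted in the post.
sample_log() {
    cat <<'EOF'
[Tue Mar 06 10:15:01 2007] [error] [client 192.0.2.10] mod_security: Access denied with code 503. (constructed detail)
[Tue Mar 06 10:15:09 2007] [error] [client 198.51.100.23] mod_security: Access denied with code 503. (constructed detail)
[Tue Mar 06 10:16:44 2007] [error] [client 192.0.2.10] mod_security: Access denied with code 503. (constructed detail)
[Tue Mar 06 10:17:02 2007] [error] [client 203.0.113.7] File does not exist: /constructed/path/favicon.ico
[Tue Mar 06 10:18:30 2007] [error] [client 203.0.113.7] mod_security: Access denied with code 503. (constructed detail)
[Tue Mar 06 10:19:12 2007] [error] [client 198.51.100.23] mod_security: Access denied with code 503. (constructed detail)
[Tue Mar 06 10:21:55 2007] [error] [client 192.0.2.10] mod_security: Access denied with code 503. (constructed detail)
EOF
}

# Print "count ip" for every client denied with a 503, most frequent first.
# Reads the files given as arguments, or standard input when none are given.
count_denied_clients() {
    # In a regex an unescaped [ opens a bracket expression (a set of single
    # characters), so the literal brackets are written \[ and \].
    # [^]]* means "any run of characters that are not ]", i.e. the address.
    # -n plus the trailing p prints only lines where the substitution matched,
    # and \1 keeps just the captured address instead of the whole line.
    sed -n 's/.*\[client \([^]]*\)\] mod_security: Access denied with code 503.*/\1/p' "$@" |
        sort |
        uniq -c |
        sort -k1,1nr -k2,2 |
        awk '{ print $1, $2 }'
}

# Demonstration on the constructed sample; on a real server this would be
#   count_denied_clients error.log
sample_log | count_denied_clients
```

The "File does not exist" line for 203.0.113.7 is deliberately left out of the count, since only the mod_security denials are being tallied.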