Disclaimer

This repository is intended for cybersecurity research and educational purposes only. All log data used in this project is for learning and analysis within authorized environments.


Apache Web Server Log Analysis Lab Project

This project demonstrates how to analyze Apache web server logs to detect suspicious activity using Linux command-line tools.

The lab simulates automated scanning and brute-force style web requests and investigates the resulting logs to identify abnormal behavior.

This project demonstrates practical Security Operations Center (SOC) analyst skills, including:

  • Web server log analysis
  • Detection of suspicious request patterns
  • Identifying reconnaissance activity
  • Writing investigation case notes

Project Objectives

This lab focuses on learning how to:

  • Understand how web server logs record user activity
  • Generate realistic web traffic and suspicious requests
  • Extract logs from a server
  • Analyze logs using Linux command-line tools
  • Document investigation findings

🧪 Lab Environment

Component            Purpose
Kali Linux VM        Web server generating logs
Kali Purple VM       Log analysis system
Apache Web Server    Generates web access logs
Linux CLI Tools      Log analysis

Both systems run as virtual machines on the same NAT network.


Step 1 — Verify Network Connectivity

Find the IP address of both systems:

ip a


Test communication between the two machines:

ping <LINUX_IP>

Successful replies confirm that the lab systems can communicate.


Step 2 — Install Apache Web Server

On the Kali Linux VM:

Update the package lists and upgrade installed packages:

sudo apt update && sudo apt upgrade

Install Apache:

sudo apt install apache2 -y

Start the Apache web server:

sudo systemctl start apache2
sudo systemctl enable apache2

Verify Apache is running:

sudo systemctl status apache2


You can also test via browser:

http://localhost

Step 3 — Locate Apache Log Files

Apache automatically records activity in log files.

Check the log directory:

ls /var/log/apache2/

Important logs include:

File          Purpose
access.log    Records all web requests
error.log     Records server errors

The access.log file is the primary source for analyzing web traffic.


Step 4 — Generate Suspicious Traffic

To simulate malicious behavior, repeated requests are generated from the Kali Purple VM.

Run the following command:

for i in {1..70}; do curl -s http://<KALI_LINUX_IP>/login > /dev/null; done
Redirecting curl's output to /dev/null discards the response body so the terminal stays uncluttered.

Explanation:

  • The /login page does not exist.
  • The server returns HTTP 404 (Not Found).
  • Repeated requests simulate automated scanning or brute-force attempts.

This creates realistic log entries in the Apache access logs.


Step 5 — Confirm Logs Were Generated

On the Kali Linux VM (where Apache is running), view the access log:

less /var/log/apache2/access.log

You should see entries with 404 status codes, confirming that requests were logged.


Step 6 — Transfer Logs for Analysis

From the Kali Purple VM, retrieve the logs:

scp kali@<KALI_LINUX_IP>:/var/log/apache2/access.log ~/apache_access.log

Verify the file was transferred:

ls ~

You should see:

apache_access.log

Step 7 — Begin Log Analysis

On the Kali Purple VM:

Count Total Requests

wc -l apache_access.log

This shows the total number of recorded web requests.


Identify Top Source IP Addresses

awk '{print $1}' apache_access.log | sort | uniq -c | sort -nr | head

This identifies the most frequent visitors.


Count HTTP 404 Errors

grep " 404 " apache_access.log | wc -l

Large numbers of 404 responses often indicate:

  • directory brute forcing
  • automated scanning
  • reconnaissance activity

Identify Login-Related Requests

grep -i "login" apache_access.log

This helps detect targeted attacks against login pages.


Check Request Timing Patterns

grep -i "login" apache_access.log | head

Requests occurring within seconds of each other may indicate automated scripts.


Step 8 — Investigation Case Notes

Example investigation notes:

Date: 25-Feb-2026
Analyst: <Name>

Server IP: 192.168.217.128
Log Source: Apache access.log

Observations

  • 71 log entries analyzed.
  • All requests returned HTTP 404 Not Found.
  • Repeated requests targeted the /login endpoint.
  • Requests originated primarily from IP address 192.168.217.129.
  • Requests occurred within seconds of each other.
  • User-agent string observed: curl/8.18.0.

Example Apache Log Entry Breakdown

Below is an example of a typical Apache access log entry:

192.168.217.129 - - [06/Mar/2026:16:41:57 +0530] "GET /login HTTP/1.1" 404 478 "-" "curl/8.18.0"

Each part of the log entry provides useful information for investigation.

Field                           Description
192.168.217.129                 Source IP address of the client
- -                             User identity fields (often unused, shown as -)
[06/Mar/2026:16:41:57 +0530]    Timestamp of the request
GET                             HTTP request method
/login                          Requested resource or endpoint
HTTP/1.1                        HTTP protocol version
404                             HTTP status code returned by the server
478                             Size of the response returned by the server
"-"                             Referrer (page that directed the request)
curl/8.18.0                     User-agent identifying the client software
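The Step 7 checks and the field breakdown above, combined into one parser-based analysis. This is an added example, not part of the project; the log lines are constructed (the last one deliberately has a 200 status with a 404-byte body, which a plain grep " 404 " would miscount), and the burst window and threshold are assumed values.

```python
import re
from collections import Counter
from datetime import datetime

# Combined Log Format, matching the lab's example entry (assumed format of access.log)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$')
# Constructed sample lines (not the lab's real log); last line: status 200 but a 404-byte body
SAMPLE_LOG = """\
192.168.217.129 - - [06/Mar/2026:16:41:57 +0530] "GET /login HTTP/1.1" 404 478 "-" "curl/8.18.0"
192.168.217.129 - - [06/Mar/2026:16:41:57 +0530] "GET /login HTTP/1.1" 404 478 "-" "curl/8.18.0"
192.168.217.129 - - [06/Mar/2026:16:41:58 +0530] "GET /login HTTP/1.1" 404 478 "-" "curl/8.18.0"
192.168.217.129 - - [06/Mar/2026:16:41:58 +0530] "GET /login HTTP/1.1" 404 478 "-" "curl/8.18.0"
192.168.217.1 - - [06/Mar/2026:16:40:02 +0530] "GET / HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
192.168.217.1 - - [06/Mar/2026:16:40:40 +0530] "GET /robots.txt HTTP/1.1" 200 404 "-" "Mozilla/5.0"
"""

def parse(log_text):  # one dict per well-formed line; malformed lines are skipped, not fatal
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def top_ips(entries, n=5):        # same as: awk '{print $1}' | sort | uniq -c | sort -nr | head
    return Counter(e["ip"] for e in entries).most_common(n)
def count_status(entries, code):  # tests the status field only, unlike grep " 404 " (also hits sizes)
    return sum(1 for e in entries if e["status"] == code)
def login_requests(entries):      # same as: grep -i "login"
    return [e for e in entries if "login" in e["path"].lower()]

def bursts(entries, window_s=1, threshold=3):
    # Per source IP, the first run of >= threshold requests inside window_s seconds (sliding window)
    by_ip = {}
    for e in sorted(entries, key=lambda e: e["time"]):
        by_ip.setdefault(e["ip"], []).append(e["time"])
    found = []
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                found.append((ip, times[start], end - start + 1))
                break
    return found
```

On the sample, count_status reports 4 real 404s while SAMPLE_LOG.count(" 404 ") reports 5, and bursts flags 192.168.217.129 for 3 requests inside one second.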

⚠️ Security Assessment

Indicator                     Finding
High request frequency        Detected
Repeated endpoint targeting   /login
HTTP response codes           404 errors
Source IP concentration       Single host
User agent                    curl automation

Severity assessment:

High

Key Skills Demonstrated

This project demonstrates:

  • Web server log investigation
  • Suspicious traffic pattern detection
  • Linux log analysis techniques
  • Incident documentation
  • Evidence-based investigation

About

Web servers record every client interaction inside log files. This project demonstrates how to deploy an Apache web server, generate realistic attack-like traffic, collect logs remotely, and analyze them using Linux command-line tools.
