python 进行nginx日志分析（分析出异常刷新某API接口的IP）

发现有IP对我们API进行大量的数量采集，所以写这个脚本来获取哪些IP只访问单一接口，却不访问其它接口，一般这样的行为，是异常的。
分析前端负载nginx的日志，日志格式如下：

114.249.4.96 - - [15/Jan/2016:23:59:47 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 48 "-" "-" "-"
222.128.172.215 - - [15/Jan/2016:23:59:47 +0800] "POST /api2/button_log/ HTTP/1.1" 200 48 "-" "-" "-"
110.72.182.177 - - [15/Jan/2016:23:59:47 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 48 "-" "-" "-"
58.63.7.92 - - [15/Jan/2016:23:59:48 +0800] "POST /api2/getgoodsdetail/ HTTP/1.1" 200 877 "-" "-" "-"
117.177.160.218 - - [15/Jan/2016:23:59:48 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 82 "-" "-" "-"
117.177.160.218 - - [15/Jan/2016:23:59:48 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 82 "-" "-" "-"
163.142.55.76 - - [15/Jan/2016:23:59:48 +0800] "POST /api2/getuserinfo/ HTTP/1.1" 200 546 "-" "-" "-"
114.112.89.34 - - [15/Jan/2016:23:59:48 +0800] "POST /api2/getgoodslist/ HTTP/1.1" 200 9532 "-" "-" "-"
58.61.225.110 - - [15/Jan/2016:23:59:49 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 82 "-" "-" "-"
114.244.195.163 - - [15/Jan/2016:23:59:49 +0800] "POST /api2/getgoodslist/ HTTP/1.1" 200 47834 "-" "-" "-"
114.244.195.163 - - [15/Jan/2016:23:59:49 +0800] "POST /api2/getgoodslist/ HTTP/1.1" 200 47834 "-" "-" "-"
114.112.89.34 - - [15/Jan/2016:23:59:49 +0800] "POST /api2/getgoodslist/ HTTP/1.1" 200 9532 "-" "-" "-"
125.39.170.239 - - [15/Jan/2016:23:59:49 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 30 "-" "-" "-"
110.84.169.57 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 48 "-" "-" "-"
42.81.46.142 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 48 "-" "-" "-"
110.84.169.57 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 82 "-" "-" "-"
117.136.40.148 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/getgoodslist/ HTTP/1.1" 200 1024 "-" "-" "-"
117.12.243.251 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 48 "-" "-" "-"
117.12.243.251 - - [15/Jan/2016:23:59:50 +0800] "POST /api2/realtimetrack/ HTTP/1.1" 200 82 "-" "-" "-"
 
python分析代码：
#!/usr/bin/env python
#coding:utf8
__author__ = '戴儒锋'
"""
检测nginx日志的访问IP是是否有程序来抓取接口信息

规则：程序分析  只访问getgoodslist 接口，而不访问其它的接口IP
"""

log_path = '/home/logs/nginx/access.log'

#定义IP访问每个URL的次数的空字典,如{'10.0.0.1':{'/api2/getgoodslist':15}}
ip_info = {}
with open(log_path,'r') as f:
    for line in f.readlines():
        #获取IP地址
        ip = line.split()[0]
        #获取访问接口URL
        url = line.split()[6]
        #如果字典里没有该IP，则添加该IP为KEY值，URL为二级字典KEY，访问数=1
        #如果有该IP但在二级字典中没有该URL，则该URL设为二级字典KEY，访问数为1
        #如果有该IP，且在二级字典中有该URL，则把该URL的值+1
        if ip not in ip_info:
            ip_info[ip] = {url:1}
        else:
            if url not in ip_info[ip]:
                ip_info[ip][url] = 1
            else:
                ip_info[ip][url] += 1

#遍历结果，把IP只访问小于3个接口，并且访问getgoodslist接口超过100次的打印出来  

for ip,value in ip_info.items():
    if len(value) < 3 and value.get('/api2/getgoodslist/',0) > 100:
        print "IP:%s    URL-COUNT:%s" %(ip,value)
 
分析结果：

IP:58.63.7.92                URL-COUNT:{'/api2/getgoodsdetail/': 3383, '/api2/getgoodslist/': 550}
IP:58.63.4.71                URL-COUNT:{'/api2/getgoodsdetail/': 4499, '/api2/getgoodslist/': 275}
IP:118.122.120.146      URL-COUNT:{'/api2/getgoodslist/': 443}
IP:114.244.195.163      URL-COUNT:{'/api2/getgoodslist/': 568}
IP:124.72.23.174          URL-COUNT:{'/api2/getgoodslist/': 132}
IP:183.30.79.59            URL-COUNT:{'/api2/getgoodslist/': 322, '/api2/realtimetrack/': 6}
IP:61.140.50.120          URL-COUNT:{'/api2/getgoodslist/': 1402}
IP:171.221.25.108        URL-COUNT:{'/api2/getgoodslist/': 1136}