Following up on this question as the answers are now 5 years old: Can I detect web app attacks by viewing my Apache log file?
My boss has tasked me with analyzing our access.log and error.log files after an attempted MySQL injection attack last week. It's pretty obvious when viewing the logs by hand, but we'd like something automated (either a service or a task that can be run regularly through cron) that will detect attack patterns.
We're using nginx, but that shouldn't matter because the logs are in a standard format. Any suggestions on programs that do this type of log analysis? I don't care about standard traffic analysis that programs such as Webalizer do.
Further, for those of you who do this type of attack detection and analysis, what patterns are you looking for in your log files other than just a larger than normal amount of traffic?
Also, do you look at both the access.log and error.log or just one?
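
A sketch of the kind of cron-run check the question describes, as an added example that is not part of the original post: it parses combined-format access.log lines, URL-decodes the query string (repeatedly, to catch double encoding) and flags SQL injection signatures. The regexes, function names and sample log lines are assumptions constructed for illustration, not a complete rule set.

```python
import re
import sys
from urllib.parse import unquote_plus

# "combined" access log format, as written by both nginx and Apache.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed starter signatures for SQL injection probes; tune for your app.
SQLI_RE = re.compile(
    r"\bunion\b.{0,40}\bselect\b"
    r"|\b(?:or|and)\b\s+\d+\s*=\s*\d+"
    r"|\b(?:sleep|benchmark)\s*\("
    r"|\binformation_schema\b",
    re.IGNORECASE)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.23 - - [12/Mar/2024:10:02:05 +0000] "GET /products.php?id=12%27%20OR%201%3D1--%20 HTTP/1.1" 500 312 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:09 +0000] "GET /products.php?id=12+UNION+SELECT+null,version() HTTP/1.1" 200 5188 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:10:02:14 +0000] "GET /products.php?id=12%2527%2520or%25201%253D1 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:03:40 +0000] "GET /blog/select-a-gift-from-us?ref=union HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
]

def fully_decode(value, rounds=3):
    """Undo repeated URL encoding so that %2527 is seen as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per request whose query string matches SQLI_RE."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)  # None for lines not in combined format
        sig = m and SQLI_RE.search(fully_decode(m["uri"].partition("?")[2]))
        if sig:
            hits.append(dict(m.groupdict(), status=int(m["status"]), matched=sig.group(0)))
    return hits

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    hits = scan(src)
    for h in hits:
        print(h["time"], h["ip"], h["status"], h["uri"], "matched:", repr(h["matched"]))
    sys.exit(1 if hits else 0)  # non-zero exit lets a cron wrapper raise an alert
```

From cron, pass the log path as the first argument; only the query string is inspected, so payloads carried in the path, headers or POST bodies are out of scope for this sketch.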