Mod_security audit_log analysis
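# Summarise a mod_security audit_log located in the current directory.
#
# NOTE(review): the commands as published were garbled: the first pipeline
# ended in a bare '>' with no target and the second piped into a file name.
# The sed filter only matches mod_security-message lines, so it is attached
# to that pipeline here. Confirm against the author's original.
#
# The audit log can contain full request data (cookies, credentials, attack
# payloads). Treat the derived .txt files as sensitive and create them with
# restrictive permissions (e.g. run under `umask 077`).

# Requests per Host: header, most frequent first. The header is supplied by
# the client, so names that are not real vhosts may indicate scanning/probing.
# The original redirect target was lost; append '> FILE' to save the result.
grep -E 'Host:' audit_log | sort | uniq -c | sort -rn

# Rule messages by frequency. The common "Access denied with code 412." prefix
# is stripped so only the distinguishing part of each message remains.
grep -E 'mod_security-message' audit_log | sort | uniq -c | sort -rn \
  | sed 's/mod_security-message: Access denied with code 412\. //g' \
  > mod_security-message-sort.txt

# Distinct response status lines with the "HTTP/x.y " prefix removed.
# The dot is escaped so only a literal '.' between the version digits matches.
grep -E '^HTTP/' audit_log | sed 's|HTTP/[01]\.[019] ||g' | sort -u \
  > HTTPcodes-audit.txt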
Check out what's being used in the access_log headers
# Frequency table of field 7 of httpd-access.log, most frequent first.
# NOTE(review): in the common/combined log format field 7 is the request
# path; confirm against this server's LogFormat.
# The values are client-controlled. less shows control characters in caret
# notation unless -r/-R is in effect (check $LESS), which keeps escape
# sequences embedded in logged requests from being interpreted by the terminal.
awk '{print $7}' httpd-access.log \
  | sort \
  | uniq -c \
  | sort -rn \
  | less