Mod_security audit_log analysis

egrep 'Host:'  audit_log | sort | uniq -c | sort -rn | sed "s/mod_security-message\: Access denied with code 412\. //g" > 

egrep 'mod_security-message'  audit_log | sort | uniq -c | sort -rn  | mod_security-message-sort.txt

egrep "^HTTP/" audit_log | sed  "s/HTTP\/[01].[019] //g" | sort | uniq > HTTPcodes-audit.txt

Check out what's being used in the access_log headers

cat httpd-access.log | awk '{print $7}' | sort |  uniq -c | sort -rn | less