PyDog4Apache

An Apache web logs sneaker — 2016 / 2026 — by psy.

It sends 'dogs' to sniff your Apache access logs and, for every visitor IP, queries its WHOIS record looking for keywords in the network description — the organization that owns that IP range.

Python 3 GPLv3
root@server: ~/pydog4apache
$ python3 pydog4apache -v -n root@localhost

 ____        ____              _  _     _                     _
|  _ \ _   _|  _ \  ___   __ _| || |   / \   _ __   __ _  ___| |__   ___
| |_) | | | | | | |/ _ \ / _` | || |_ / _ \ | '_ \ / _` |/ __| '_ \ / _ |
|  __/| |_| | |_| | (_) | (_| |__   _/ ___ \| |_) | (_| | (__| | | |  __/
|_|    \__, |____/ \___/ \__, |  |_|/_/   \_\ .__/ \__,_|\___|_| |_|\___|
       |___/             |___/              |_|

[Info] Sending 'dogs' to sniff 'logs'... [Waiting!]
========================================
[Info] Analyzing: /var/log/apache2/access.log
    |-> IP Found: 160.79.104.10
    |-> WHOIS Description: ANTHROPIC, PBC
    |-> IP Found: 66.249.66.1
    |-> WHOIS Description: GOOGLE LLC
========================================
160.79.104.10 -> [ ANTHROPIC ] | ANTHROPIC, PBC | 29/Jun/2026:11:42:05
66.249.66.1  -> [ GOOGLE ] | GOOGLE LLC | 29/Jun/2026:11:42:07

----------------------
[Info] Report saved. Email sent to: root@localhost

What it is

Discover who is really behind your visitors

This way you can —automagically— discover who is really behind your visitors: governments, police, military, intelligence, banks, universities, AI crawlers (such as Anthropic), cloud/hosting providers, datacenters... by matching their WHOIS organization against the words listed in keywords.txt.

You can list several log folders in sources.txt to —sneak— all your projects at once (compressed .gz logs are also analyzed). Finally, you can generate a report with the results or send them to a list of email recipients as an alert.

Who it is for

For people who want to know who is watching

🖥️

Sysadmins & self-hosters

See which organizations hit your boxes, not just anonymous IPs.

🛡️

Privacy & infosec researchers

Spot government, intelligence or law-enforcement ranges in your traffic.

Bloggers & activists

Detect surveillance, scraping or unwanted institutional attention.

📰

Journalists

See who is probing your site — institutions, state-linked actors or sources.

🤖

AI-wary site owners

Catch AI crawlers (Anthropic & friends) harvesting your content.

🔎

OSINT & pentesters

Attribute visits to the real owning organization for recon and reporting.

🛰️

SOC & CERT teams

Triage incidents by attributing source IPs to their owning organization.

🌐

Webmasters & SEOs

Tell genuine visitors from crawlers, scrapers and bots hitting your site.

How it works

From a log line to a name

Sniff your access logs

Sends 'dogs' to read every folder listed in sources.txt, compressed .gz logs included.

WHOIS every visitor IP

For every visitor IP it queries its WHOIS record to get the network description — the organization that owns that IP range.

Match your keywords

Looks for the keywords listed in keywords.txt inside that network description.

Report or alert

Generate a report with the results or send them to a list of email recipients as an alert.

Install

Up and running in a minute

It requires Python 3 and the ipwhois library.

Debian / Ubuntu
sudo apt-get install python3-pip
pip3 install ipwhois --user

Or pin it with pip3 install -r docs/requirements.txt --user.

Get it & run
wget https://pydog4apache.03c8.net/pydog4apache/pydog4apache-0.3.tar.gz
tar xzf pydog4apache-0.3.tar.gz
cd pydog4apache-0.3
python3 pydog4apache -v

Configure

  • sources.txt — one folder per line with the logs to analyze (default: /var/log/apache2).
  • keywords.txt — one keyword per line to look for in the WHOIS description (case-insensitive, substring).
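
The steps under "How it works", with the keyword rule above (case-insensitive substring), as an added example that is not PyDog4Apache's own code. The function names, the injected `describe` lookup (a stand-in for the WHOIS query so the example runs offline) and the sample data are assumptions made for illustration.

```python
import gzip
import ipaddress
import re

# Leading client IP, then the [timestamp] of a common/combined log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)')

def open_log(path):
    # Rotated logs are usually gzip-compressed (access.log.2.gz).
    opener = gzip.open if str(path).endswith(".gz") else open
    return opener(path, "rt", errors="replace")

def visitors(lines):
    """Yield (ip, timestamp) for lines that start with a public IP."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:   # hostname or garbage in the first field
            continue
        if ip.is_global:     # private/loopback ranges have no useful WHOIS
            yield str(ip), m.group(2)

def sniff(lines, keywords, describe, cache=None):
    """describe(ip) -> str is the injected WHOIS lookup (assumption); cached per IP."""
    cache = {} if cache is None else cache
    words = [k.strip() for k in keywords if k.strip()]
    hits = []
    for ip, when in visitors(lines):
        if ip not in cache:
            cache[ip] = describe(ip) or ""
        desc = cache[ip]
        kw = next((k for k in words if k.lower() in desc.lower()), None)
        if kw:
            hits.append(f"{ip} -> [ {kw.upper()} ] | {desc} | {when}")
    return hits

# Constructed sample data: four log lines and a stand-in WHOIS table.
SAMPLE_LOG = [
    '160.79.104.10 - - [29/Jun/2026:11:42:05 +0000] "GET / HTTP/1.1" 200 512',
    '66.249.66.1 - - [29/Jun/2026:11:42:07 +0000] "GET /robots.txt HTTP/1.1" 200 64',
    '192.168.1.20 - - [29/Jun/2026:11:42:09 +0000] "GET /admin HTTP/1.1" 403 199',
    'not-an-ip - - [29/Jun/2026:11:42:10 +0000] "GET / HTTP/1.1" 200 512',
]
SAMPLE_WHOIS = {"160.79.104.10": "ANTHROPIC, PBC", "66.249.66.1": "GOOGLE LLC"}

if __name__ == "__main__":
    print("\n".join(sniff(SAMPLE_LOG, ["anthropic", "google"], SAMPLE_WHOIS.get)))
```

Substring matching means a short keyword such as "bank" also matches any unrelated organization whose description contains those letters, so keep keywords specific enough for the alerts to stay useful.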

Options

pydog4apache --help
-u, --update       check for latest stable version
-v, --verbose      active verbose output
-f, --flush-cache  delete whois cache (re-query all IPs)
-r FILE            generate a report file with the 'visitants'
-n EMAILS          notify via email (a@x.net,b@y.org,...)

Examples

  • Verbose output: python3 pydog4apache -v
  • Write a report: python3 pydog4apache -r visitants.txt
  • Email alert: python3 pydog4apache -n root@localhost
  • Combine: python3 pydog4apache -v -r visitants.txt -n you@mail.org
  • Re-query every IP: python3 pydog4apache --flush-cache

Web server setup

Point it at your Apache or Nginx logs

PyDog4Apache parses access logs whose lines begin with the client IP — the standard combined format on both servers.

Apache2

In /etc/apache2/apache2.conf:

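/etc/apache2/apache2.conf
# Standard combined format: client IP (%h) first, Referer and User-Agent last.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined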
CustomLog ${APACHE_LOG_DIR}/access.log combined

Then point sources.txt to:

sources.txt
/var/log/apache2

Nginx

In the http{} block of /etc/nginx/nginx.conf:

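/etc/nginx/nginx.conf
# "combined" is predefined by nginx; declaring it again fails with a
# duplicate "log_format" name error. The built-in definition is:
#   '$remote_addr - $remote_user [$time_local] '
#   '"$request" $status $body_bytes_sent '
#   '"$http_referer" "$http_user_agent"'
access_log /var/log/nginx/access.log combined;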

Then point sources.txt to:

sources.txt
/var/log/nginx

Download

Get PyDog4Apache

Released under the GNU GPLv3. Clone from Git to use the built-in --update.