A basic approach to analyzing a log after an attack is to:
- Build a table of unique IPs with the number of requests made by each IP, sorted by request count
- For each “frequent visitor” / attacker, gather the unique requests and sort them either chronologically or by count

If the visitor is an attacker, the list of unique requests may reveal how he enumerated and compromised the system.
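
The two steps above, as an added example that is not part of the original page. It assumes an Apache/nginx "combined" format access log; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:02:14:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0000] "GET /login.php HTTP/1.1" 200 912 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /login.php HTTP/1.1" 401 230 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0000] "POST /login.php HTTP/1.1" 401 230 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:02:14:07 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.23 - - [10/Mar/2024:02:14:08 +0000] "GET /style.css HTTP/1.1" 200 840 "-" "Mozilla/5.0"
""".splitlines()

def parse(lines):
    """Yield (ip, timestamp, request, status); skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["request"], int(m["status"])

def requests_by_ip(lines):
    """Step 1: unique IPs with their request counts, busiest first."""
    return Counter(ip for ip, *_ in parse(lines)).most_common()

def unique_requests(lines, ip, by="time"):
    """Step 2: one IP's unique requests as (first_seen, count, request, status)."""
    seen = {}
    for src, ts, request, status in parse(lines):
        if src == ip:
            first, count = seen.get((request, status), (ts, 0))
            seen[(request, status)] = (min(first, ts), count + 1)
    rows = [(first, n, req, st) for (req, st), (first, n) in seen.items()]
    if by == "count":
        return sorted(rows, key=lambda r: (-r[1], r[0]))  # most repeated first
    return sorted(rows, key=lambda r: r[0])               # chronological

if __name__ == "__main__":
    print(requests_by_ip(SAMPLE_LOG))
    for row in unique_requests(SAMPLE_LOG, "203.0.113.7"):
        print(*row)
```

Including the status code in the uniqueness key keeps a repeated failing request separate from the one that finally succeeded, which is often the line that marks the transition from probing to access.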