CompTIA CySA+ (CS0-002) — Question 193
During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs. The analyst observes the following response codes:
• 20% of the logs are 403
• 20% of the logs are 404
• 50% of the logs are 200
• 10% of the logs are other codes
The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?
Answer options
- A. cat access_log |grep " 403 "
- B. cat access_log |grep " 200 "
- C. eat access_log |grep " 100 "
- D. cat access_log |grep " 404 "
- E. cat access_log |grep " 204 "
Correct answer: B
Explanation
The correct answer is B. A 200 response code indicates a successful request, and since 200 responses make up half of the entries they are the most likely source of the high log volume; filtering on them shows which clients are generating the activity. Options A, D, and E focus on error codes (403, 404, 204), which do not represent successful accesses, and option C contains a typo in the command ('eat' instead of 'cat'), making it invalid.