Probably the tiniest one, yet useful, at least to me: here is a tiny Perl script used to quickly check what script kiddies are doing on my Nginx web server:
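#!/usr/bin/perl -n
# Print client IP, request line and a running per-client count for each error-log entry.
my ($R) = /"((?:GET|HEAD|POST) [^"]+)"/;   # request line, e.g. GET /x HTTP/1.1
my ($C) = /client: ([^,]+)/ or next;       # client address; skip lines without one
$cnt{$C}++;                                # count every logged entry for this client
print "$C\t$R ($cnt{$C})\n" if $R;         # only pair fields found on the same line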
Executed with the error log file as argument, it gives something like:
23.20.103.233 GET /clientaccesspolicy.xml HTTP/1.1 (1)
114.40.35.173 GET /phpTest/zologize/axa.php HTTP/1.1 (1)
114.40.35.173 GET /phpMyAdmin/scripts/setup.php HTTP/1.1 (2)
114.40.35.173 GET /pma/scripts/setup.php HTTP/1.1 (3)
114.40.35.173 GET /myadmin/scripts/setup.php HTTP/1.1 (4)
184.72.184.113 GET /clientaccesspolicy.xml HTTP/1.1 (1)
46.165.220.215 GET /vtigercrm/vtigerservice.php HTTP/1.1 (1)
54.80.66.122 GET /clientaccesspolicy.xml HTTP/1.1 (3)
202.53.8.82 GET /ossim/session/login.php HTTP/1.1 (1)
23.22.216.162 GET /clientaccesspolicy.xml HTTP/1.1 (1)
178.63.114.68 HEAD /.psi/profiles/default/config.xml HTTP/1.1 (1)
178.63.114.68 HEAD /.purple/accounts.xml HTTP/1.1 (2)
178.63.114.68 HEAD /dsa HTTP/1.1 (3)
178.63.114.68 HEAD /.htpasswd HTTP/1.1 (4)
178.63.114.68 HEAD /.htpasswd~ HTTP/1.1 (5)
54.204.131.75 GET /clientaccesspolicy.xml HTTP/1.1 (1)
And yes, this is a real excerpt from my current logfile.
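The same two fields can also be rolled up per client, so that one address walking a list of admin paths stands out from one that keeps asking for the same missing file. This is an added example, not part of the original script, and it goes beyond it by grouping instead of printing line by line. The log lines after `__DATA__` are constructed, with documentation-range addresses and an assumed server name `example.org`.

```perl
#!/usr/bin/perl
# Added example: per-client summary of requests found in an Nginx error log.
use strict;
use warnings;

# Read the log named on the command line, or the constructed sample below.
my $in;
if (@ARGV) { open $in, '<', $ARGV[0] or die "$ARGV[0]: $!\n" }
else       { $in = \*DATA }

my (%hits, %paths);
while (my $line = <$in>) {
    # Both fields must come from the same line; entries lacking either are skipped.
    my ($client) = $line =~ /client: ([^,]+)/            or next;
    my ($path)   = $line =~ /"(?:GET|HEAD|POST) (\S+)/   or next;
    $hits{$client}++;
    $paths{$client}{$path}++;
}

# Busiest clients first; the distinct-path count separates a scanner walking a
# wordlist from a client that repeats one request.
for my $client (sort { $hits{$b} <=> $hits{$a} || $a cmp $b } keys %hits) {
    my @seen = sort keys %{ $paths{$client} };
    printf "%-15s %3d requests, %3d distinct paths\n",
        $client, $hits{$client}, scalar @seen;
    print "    $_\n" for @seen;
}

__DATA__
2014/01/10 10:00:01 [notice] 1234#0: signal process started
2014/01/10 10:00:02 [error] 1234#0: *1 open() "/var/www/phpMyAdmin/scripts/setup.php" failed (2: No such file or directory), client: 192.0.2.10, server: example.org, request: "GET /phpMyAdmin/scripts/setup.php HTTP/1.1", host: "example.org"
2014/01/10 10:00:03 [error] 1234#0: *2 open() "/var/www/pma/scripts/setup.php" failed (2: No such file or directory), client: 192.0.2.10, server: example.org, request: "GET /pma/scripts/setup.php HTTP/1.1", host: "example.org"
2014/01/10 10:00:04 [error] 1234#0: *3 open() "/var/www/myadmin/scripts/setup.php" failed (2: No such file or directory), client: 192.0.2.10, server: example.org, request: "GET /myadmin/scripts/setup.php HTTP/1.1", host: "example.org"
2014/01/10 10:05:10 [error] 1234#0: *4 open() "/var/www/clientaccesspolicy.xml" failed (2: No such file or directory), client: 198.51.100.7, server: example.org, request: "GET /clientaccesspolicy.xml HTTP/1.1", host: "example.org"
2014/01/10 10:06:11 [error] 1234#0: *5 open() "/var/www/clientaccesspolicy.xml" failed (2: No such file or directory), client: 198.51.100.7, server: example.org, request: "GET /clientaccesspolicy.xml HTTP/1.1", host: "example.org"
```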