For a while we've been trying to determine why the WPE keeps shutting down on our OS X 10.11.2, FileMaker Server 14.0.4 and SuperContainer 2.93 deployment and this week I'm not sure if we stumbled on something or not.
After a WPE crash, the database was closed via the FM Admin Console, a few minutes were spent on other tasks and then the server was restarted. Looking at the wpe.log after the restart we noticed hundreds of error 802 (Unable to open file) recorded during the time database were closed.
The error record referenced the internal IP of the FMS (single machine deployment) and the router IP (outside world address) and the following: "/fmi/xml/fmresultset.xml?-db=Auction_DB&-lay=web_c_detail_05&-find&-recid=208376"
Within the span of 7 seconds, 245 of the 802 errors referencing a specific recid were recorded.
I've no clue where the requests are coming from and my immediate concern is that of the site being the subject of a DoS attack. Is there a log file that I can look that will give me some clue as to where this traffic is originating from?
Have a look at the Apache logs on OS X - you can find them here:
View by date modified and open the most recent access_log.XXXXXXXXX - I open mine in the Console.app so they keep scrolling etc. You will be able to see the originating IP address for each request.