
Server Log Analysis

Essential commands for analyzing web server logs (Apache/Nginx). Useful for troubleshooting traffic spikes, identifying attacks, or monitoring real-time connections.

Before you run these commands: Replace /path/to/access.log with your actual log file path and update the date/time placeholders (e.g., 21/Mar/2025) to match your target timeframe.

Traffic Distribution by Hour

Analyzes the access log to show request counts for each hour in a specific day. Replace '21/Mar' with your desired date (dd/Mon).

bash
grep "21/Mar" /path/to/access.log \
  | cut -d[ -f2 \
  | cut -d] -f1 \
  | awk -F: '{print $2":00"}' \
  | sort -n \
  | uniq -c

Traffic Spikes by Minute

Drills down into a specific hour to show request counts per minute. Filters for minutes with >10 requests. Replace the date/hour placeholder accordingly.

bash
grep "21/Mar/2025:14" /path/to/access.log \
  | cut -d[ -f2 \
  | cut -d] -f1 \
  | awk -F: '{print $2":"$3}' \
  | sort -t: -k1,1n -k2,2n \
  | uniq -c \
  | awk '{ if ($1 > 10) print $0}'

Top 20 Active IP Addresses

Identifies the most active IP addresses accessing your server. Essential for detecting potential DoS attacks or aggressive crawlers.

bash
cat /path/to/access.log \
  | awk '{print $1}' \
  | sort \
  | uniq -c \
  | sort -nr \
  | head -n 20
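
The per-minute and per-IP counts above can be combined to flag individual clients that burst within a single minute, which separates one aggressive client from an evenly busy site. This is an added example, not one of the page's original snippets; the function names burst_ips and make_sample_log and the sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP, per-minute request bursts.
# Assumes combined log format: field 1 = client IP,
# field 4 = "[dd/Mon/yyyy:HH:MM:SS".

# burst_ips LOGFILE THRESHOLD
# Prints "count minute ip" for every (ip, minute) pair with more than
# THRESHOLD requests, busiest first.
burst_ips() {
  awk -v limit="$2" '
    {
      # $4 looks like "[21/Mar/2025:14:05:09"; keep "21/Mar/2025:14:05".
      minute = substr($4, 2, 17)
      hits[minute " " $1]++
    }
    END {
      for (key in hits)
        if (hits[key] > limit)
          print hits[key], key
    }
  ' "$1" | sort -k1,1nr -k2,2 -k3,3
}

# Constructed sample log: 198.51.100.7 sends 12 requests inside one minute,
# 203.0.113.5 sends 3 requests spread over the hour.
make_sample_log() {
  for s in 01 02 03 04 05 06 07 08 09 10 11 12; do
    printf '198.51.100.7 - - [21/Mar/2025:14:05:%s +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"\n' "$s"
  done
  for m in 02 05 40; do
    printf '203.0.113.5 - - [21/Mar/2025:14:%s:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n' "$m"
  done
}

sample=$(mktemp)
make_sample_log > "$sample"
burst_ips "$sample" 10    # only the bursting client is reported
rm -f "$sample"
```

On a real log, call burst_ips /path/to/access.log 10 and raise the threshold until normal clients drop out of the output.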

Top 20 Most Accessed Paths

Lists the most frequently requested URLs or paths. Helps identify popular content or potential brute-force targets (e.g., login pages).

bash
awk -F\" '{print $2}' /path/to/access.log \
  | awk '{print $2}' \
  | sort \
  | uniq -c \
  | sort -nr \
  | head -n 20

Real-time Active SSL Connections

Monitors the number of established TCP connections to port 443 (HTTPS) in real-time, updating every 0.1 seconds.

bash
# Count ESTABLISHED TCP sockets whose local address (column 4) ends in :443.
watch -n 0.1 "netstat -ant | awk '\$4 ~ /:443\$/ && \$6 == \"ESTABLISHED\"' | wc -l"

HTTP Status Counter (404/500/502)

Counts 404, 500, or 502 errors per hour. Useful for correlating error spikes with specific times. Update the status codes in the awk pattern as needed.

bash
awk '($9 ~ /^(404|500|502)$/) {print $4}' /path/to/access.log \
  | awk -F: '{print $2":00"}' \
  | sort \
  | uniq -c

Unique Visitor Count by Day

Counts unique IP addresses per day from the access log. Good for rough daily visitor analytics without needing an external tool.

bash
# Reduce each request to "IP date", de-duplicate the pairs, then count IPs per date.
awk '{print $1, substr($4, 2, 11)}' /path/to/access.log \
  | sort -u \
  | awk '{print $2}' \
  | sort \
  | uniq -c

Bandwidth Usage per IP

Calculates total bytes sent to each IP address. Helps identify bandwidth hogs or potential scrapers. Column 10 is the response size in Apache/Nginx combined log format.

bash
awk '{ip[$1] += $10} END {for (i in ip) print ip[i], i}' /path/to/access.log \
  | sort -rn \
  | head -n 20 \
  | awk '{printf "%.2f MB\t%s\n", $1/1024/1024, $2}'