Server Log Analysis
Essential commands for analyzing web server logs (Apache/Nginx). Useful for troubleshooting traffic spikes, identifying attacks, or monitoring real-time connections.
The commands assume the default combined log format: client IP in the first space-separated field, the timestamp in square brackets, the request line in double quotes, then the status code and response size. Replace /path/to/access.log with your actual log file path and update the date/time placeholders (e.g., 21/Mar/2025) to match your target timeframe.
Traffic Distribution by Hour
Analyzes the access log to show request counts for each hour in a specific day. Replace '21/Mar' with your desired date (dd/Mon).
grep "21/Mar" /path/to/access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c
Traffic Spikes by Minute
Drills down into a specific hour to show request counts per minute. Filters for minutes with >10 requests. Replace '21/Mar/2025:14' with your target date and hour (dd/Mon/YYYY:HH).
grep "21/Mar/2025:14" /path/to/access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort | uniq -c | awk '$1 > 10'
Top 20 Active IP Addresses
Identifies the most active IP addresses accessing your server. Essential for detecting potential DoS attacks or aggressive crawlers. If the server sits behind a load balancer or reverse proxy, the first field is the proxy's address; log and count the X-Forwarded-For value instead.
awk '{print $1}' /path/to/access.log | sort | uniq -c | sort -nr | head -n 20
Top 20 Most Accessed Paths
Lists the most frequently requested URLs or paths. Helps identify popular content or potential brute-force targets (e.g., login pages). Splitting on the double quotes isolates the request line ("GET /path HTTP/1.1") even when the line contains odd spacing; the second awk takes the path. The count sort must be numeric (sort -nr), otherwise "9" sorts above "100".
awk -F\" '{print $2}' /path/to/access.log | awk '{print $2}' | sort | uniq -c | sort -nr | head -n 20
Real-time Active SSL Connections
Monitors the number of established TCP connections to local port 443 (HTTPS) in real time. Using ss (the netstat replacement) with a socket filter counts only connections whose local port is 443; a plain grep for ":443" would also match outbound connections to remote port 443 and ports such as 4430. Once per second is usually enough; watch accepts intervals down to 0.1 seconds if you need finer resolution.
watch -n 1 "ss -Htn state established '( sport = :443 )' | wc -l"
HTTP Status Counter (404/500/502)
Counts 404, 500, or 502 errors per hour. Useful for correlating error spikes with specific times. Update the status codes in the pattern as needed; anchoring the pattern (^...$) avoids matching substrings of other fields. Note that $9 is the status code only when the request line contains no extra spaces; a malformed request line shifts the fields and such entries are silently skipped. The day is printed alongside the hour so that logs spanning several days are not merged.
awk '$9 ~ /^(404|500|502)$/ {print $4}' /path/to/access.log | awk -F: '{print substr($1, 2), $2":00"}' | sort | uniq -c
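The following script is an added example, not part of the original cheat sheet. It wraps the one-liners above (hourly distribution, per-minute spikes, top IPs, top paths, and the status counter) as shell functions and runs them over a small constructed access.log in combined log format embedded in the script. The sample includes one request line containing a space ("GET /search?q=a b HTTP/1.1") to show the field-shift problem: the whitespace-based `$9` status check misses that 500, while splitting the line on double quotes first finds it. All IPs, paths and timestamps in the sample are made up.

```shell
#!/bin/sh
# Added example: the cheat-sheet one-liners as functions over a constructed log.
# For a real file, replace the here-document with: LOG=$(cat /path/to/access.log)
LOG=$(cat <<'EOF'
203.0.113.5 - - [21/Mar/2025:14:03:11 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Mar/2025:14:03:12 +0000] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Mar/2025:14:03:13 +0000] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2025:14:07:45 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.7 - - [21/Mar/2025:15:12:01 +0000] "GET /missing HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.9 - - [21/Mar/2025:15:30:00 +0000] "GET /search?q=a b HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Mar/2025:09:00:05 +0000] "GET /index.html HTTP/1.1" 502 0 "-" "Mozilla/5.0"
EOF
)

# Requests per hour on one day. $1 = dd/Mon/YYYY. Output: "HH:00 count"
hourly_counts() {
  printf '%s\n' "$LOG" | grep -F "[$1:" | cut -d'[' -f2 | cut -d']' -f1 \
    | awk -F: '{print $2 ":00"}' | sort | uniq -c | awk '{print $2, $1}'
}

# Minutes within one hour that exceed a threshold. $1 = dd/Mon/YYYY:HH, $2 = threshold
minute_spikes() {
  printf '%s\n' "$LOG" | grep -F "[$1:" | cut -d'[' -f2 | cut -d']' -f1 \
    | awk -F: '{print $2 ":" $3}' | sort | uniq -c \
    | awk -v n="$2" '$1 > n {print $2, $1}'
}

# Top N client IPs (first field). Ties are broken by IP so output is deterministic.
top_ips() {
  printf '%s\n' "$LOG" | awk '{print $1}' | sort | uniq -c \
    | sort -k1,1nr -k2,2 | head -n "$1" | awk '{print $2, $1}'
}

# Top N paths, taken from the quoted request line; the query string is stripped
# so /search?q=a and /search?q=b count as one path.
top_paths() {
  printf '%s\n' "$LOG" \
    | awk -F'"' '{split($2, r, " "); p = r[2]; sub(/\?.*/, "", p); print p}' \
    | sort | uniq -c | sort -k1,1nr -k2,2 | head -n "$1" | awk '{print $2, $1}'
}

# Naive status counter: relies on $9 being the status, which fails when the
# request line contains a space (the fields shift right). Output: "day HH:00 count"
errors_by_hour_naive() {
  printf '%s\n' "$LOG" | awk '$9 ~ /^(404|500|502)$/ {print $4}' \
    | awk -F: '{print substr($1, 2), $2 ":00"}' | sort | uniq -c \
    | awk '{print $2, $3, $1}'
}

# Robust status counter: split on double quotes, so $3 is " status bytes "
# regardless of what the request line contains. Output: "day HH:00 status count"
errors_by_hour() {
  printf '%s\n' "$LOG" | awk -F'"' '{
      split($3, rest, " ")          # rest[1] = status code, rest[2] = bytes
      if (rest[1] ~ /^(404|500|502)$/) {
        split($1, pre, "[")         # pre[2] = "21/Mar/2025:15:12:01 +0000] "
        split(pre[2], t, ":")       # t[1] = day, t[2] = hour
        print t[1] " " t[2] ":00 " rest[1]
      }
  }' | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

echo "== requests per hour on 21/Mar/2025";  hourly_counts 21/Mar/2025
echo "== minutes with >2 requests in hour 14"; minute_spikes 21/Mar/2025:14 2
echo "== top IPs";                            top_ips 3
echo "== top paths";                          top_paths 3
echo "== errors (naive, $9)";                 errors_by_hour_naive
echo "== errors (quote-split)";               errors_by_hour
```

The naive counter reports two error hours for the sample; the quote-split version reports three entries because it also catches the 500 on the request line with an embedded space. The same quote-split approach is the safer starting point for any field past the request line (status, bytes, referer, user agent).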