Essential Linux Commands for Analyzing Web Server Logs
This guide compiles a series of practical Linux one‑liners—using awk, grep, sort, netstat, and related tools—to count unique IPs, rank page requests, filter bots, monitor connection states, and measure bandwidth, enabling quick forensic analysis of Apache or Nginx access logs.
Count unique visitor IPs
Extract the first field (IP) from the log, sort, deduplicate and count the lines:
awk '{print $1}' log_file | sort | uniq | wc -l
Count accesses to a specific page
Search for the page path and count matching lines:
grep "/index.php" log_file | wc -l
How many pages each IP visited
Aggregate by IP and output the number of requests per IP:
awk '{++S[$1]} END {for (a in S) print a, S[a]}' log_file > log.txt
sort -n -t ' ' -k2 log.txt
Sort IPs by request count (ascending)
awk '{++S[$1]} END {for (a in S) print S[a], a}' log_file | sort -n
List pages requested by a particular IP
grep '^111\.111\.111\.111 ' log_file | awk '{print $1, $7}'
Exclude search‑engine crawlers
Keep only entries whose user‑agent starts with "Mozilla" and count unique URLs:
# $12 begins with the opening double quote of the user-agent field
awk '{print $12,$1}' log_file | grep '^"Mozilla' | awk '{print $2}' | sort | uniq -c | wc -l
Count IPs during a specific hour
awk '{print $4,$1}' log_file | grep '16/Aug/2015:14' | awk '{print $2}' | sort | uniq | wc -l
Top 10 IPs by request volume
awk '{print $1}' log_file | sort | uniq -c | sort -nr | head -10
Find the 10 most requested URLs
# $7 is the request path in the combined log format ($11 is the referer)
cat log_file | awk '{print $7}' | sort | uniq -c | sort -nr | head -10
Identify the largest transferred files (by size field $10)
cat www.access.log | awk '($7 ~ /\.php/){print $10, $1, $4, $7}' | sort -nr | head -100
Pages whose transfer time exceeds 60 seconds
# Assumes the log format appends the request time in seconds as the last field ($NF)
cat www.access.log | awk '($NF > 60 && $7 ~ /\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -100
Bandwidth usage (GB)
cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'
Count HTTP status codes
cat access.log | awk '{counts[$9]++} END {for (code in counts) print code, counts[code]}'
Current TCP connection states
Show the number of sockets in each state:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
Top IPs with ESTABLISHED connections on port 80
netstat -an | grep ESTABLISHED | wc -l
Find IPs with many TIME_WAIT sockets
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -20
Detect potential attackers (most frequent source IPs on port 80)
netstat -anlp | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -20
These snippets can be combined, filtered, or extended to suit specific forensic or performance‑monitoring needs on any Linux‑based web server.
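The one-liners above pick fields by whitespace position, so a request line that contains a space shifts every later field and the status count picks up the wrong token. The script below is an added example, not part of the original article: it runs the page's $9 status count beside a quote-delimited parse over four constructed combined-format lines. The function names, sample IPs and sample lines are illustrative assumptions.

```sh
#!/bin/sh
# Added example: sample lines are constructed (documentation-range IPs),
# in the Apache/Nginx "combined" format the one-liners above assume.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [16/Aug/2015:14:01:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [16/Aug/2015:14:01:09 +0800] "GET /login.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [16/Aug/2015:14:02:11 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
192.0.2.44 - - [16/Aug/2015:15:10:45 +0800] "GET /a b.php HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 10.0)"
EOF
}

# Status counts read from whitespace field 9, as in the one-liner above.
# The space in "/a b.php" shifts the fields, so line 4 reports HTTP/1.1" as a status.
naive_status() {
  awk '{c[$9]++} END {for (s in c) print s, c[s]}' "$1" | sort
}

# Quote-aware split: $2 = request line, $3 = " status bytes ", $6 = user agent.
status_counts() {
  awk -F'"' '{split($3, p, " "); c[p[1]]++}
             END {for (s in c) print s, c[s]}' "$1" | sort
}

# Unique IPs, unique IPs whose user agent starts with Mozilla, and total bytes.
summary() {
  awk -F'"' '{
      split($1, pre, " "); split($3, post, " ")
      ips[pre[1]] = 1
      if ($6 ~ /^Mozilla/) browser[pre[1]] = 1
      bytes += post[2] + 0            # a "-" size field counts as 0
    }
    END {
      for (i in ips) n++
      for (i in browser) b++
      printf "unique_ips=%d browser_ips=%d bytes=%d\n", n, b, bytes
    }' "$1"
}

log=$(mktemp)
sample_log > "$log"
naive_status "$log"
status_counts "$log"
summary "$log"
rm -f "$log"
```

The quote-aware version still assumes the request line itself contains no double quote; logs where that can occur need a stricter parser or a structured (for example JSON) log format.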
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
