When running a web server that can be accessed from an open or public network such as the Internet, it is always good system administration practice to monitor access to your server.
One thing that helps in monitoring access to your web server is the existence of access log files, which store information about every access that happens on the server.
Working with log files is always very important, because they give you an account of everything that has happened within a system or application, in this case your Apache web server. When there are performance or access related problems, log files can help you point out what could be wrong or what is happening.
In this article, we shall look at how to find the top 10 IP addresses that have been accessing your Apache web server.
The default path for Apache web server log is:
/var/log/http/access_log [For RedHat based systems]
/var/log/apache2/access.log [For Debian based systems]
/var/log/http-access.log [For FreeBSD]
To find the top 10 IP addresses accessing your Apache web server for a domain, run the following command.
# awk '{ print $1}' access.log.2016-05-08 | sort | uniq -c | sort -nr | head -n 10
Sample Output
5482 103.28.37.178
5356 66.249.78.168
1977 66.249.93.145
1962 157.55.39.251
1924 66.249.93.142
1921 66.249.93.148
1890 64.233.173.178
1860 108.61.183.134
1841 64.233.173.182
1582 157.55.39.251
In the command above:
awk – prints the first field ($1, the client IP address) of every line in the access.log.2016-05-08 file.
sort – sorts the lines it receives; the -n option compares lines based on the numerical value of strings and the -r option reverses the outcome of the comparisons.
uniq – reports repeated lines, and the -c option prefixes each line with its number of occurrences.
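The same count as an added example (not part of the original article): a portable sh function that prints the IP address first and then the count, skips lines whose first field is not an address, and orders ties deterministically. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample lines in Apache combined log format; the addresses
# come from the documentation ranges, plus one malformed and one empty line.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [08/May/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.47"
198.51.100.23 - - [08/May/2016:10:00:02 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2016:10:00:03 +0000] "GET /b HTTP/1.1" 404 12 "-" "curl/7.47"
2001:db8::1 - - [08/May/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
garbage-line without a client address

192.0.2.10 - - [08/May/2016:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.23 - - [08/May/2016:10:00:06 +0000] "GET /c HTTP/1.1" 200 77 "-" "Mozilla/5.0"
2001:db8::1 - - [08/May/2016:10:00:07 +0000] "GET /d HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2016:10:00:08 +0000] "GET /e HTTP/1.1" 200 44 "-" "curl/7.47"
EOF
}

# top_ips N [FILE...]
# Prints "IP COUNT" for the N busiest clients, busiest first.
# Reads standard input when no FILE is given.
top_ips() {
    n=${1:-10}
    if [ $# -gt 0 ]; then shift; fi
    awk '
        # Count a line only if its first field looks like an IPv4 or
        # IPv6 address, so truncated or corrupted lines are ignored.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ ||
        $1 ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$/ { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }
    ' "$@" |
    # Count descending, then address ascending so equal counts keep a
    # stable order; LC_ALL=C makes that order locale-independent.
    LC_ALL=C sort -k2,2nr -k1,1 |
    head -n "$n"
}

# Run on the constructed sample; on a server, pass the log file instead,
# e.g. top_ips 10 access.log.2016-05-08
sample_log | top_ips 10
```

If the server sits behind a reverse proxy or load balancer, the first field is the proxy's address, so the count reflects real clients only when the log format records the forwarded client address.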
Summary
There are many methods that can be used to achieve this. If you know a better way, do share it in the comments, and if you have any suggestions or questions, leave a comment in the comments section below and we shall discuss it together. We hope you find this article helpful, and remember to always stay connected to Tecmint.
Hi, thanks for this wonderful article, it helped a lot. But could you also help us if we need the IP address first and then the count? I tried to modify the code but was unable to get the desired result. It would be great if you could help a bit.
Great article really useful.
Any more bits like this?
@BigJoe
Welcome, many thanks for the feedback.
Thank you. And if you want block:
unblock:
IP – remote addr
@Mike
Many thanks for the useful addition.
Nice one but it’s works on HP Unix>, please share if know anything about it.
@Pratham
Have you tried it out? It should work, first give it a try, and also let us know in case it doesn’t.
[lemp@lempstacker tmp]$ cat test.txt | awk '{arr[$1]+=1}END{flag=0;PROCINFO["sorted_in"]="@val_num_desc";for (i in arr) if(flag<10) {print arr[i],i;flag++}}'
5 192.200.203.72
5 108.186.197.5
5 104.148.124.135
4 107.179.89.7
2 184.83.5.202
2 192.200.194.125
2 23.247.2.11
2 172.87.25.241
2 192.200.206.13
2 192.200.204.26
Good but lengthy method, though it gets the work done.
I love this Aaron, thanks for the information
Welcome, thank you for liking it.