
Get top IP addresses from access log

Using basic Linux commands, we can list the top IP addresses that keep hitting our web servers, whether they are legitimate visitors or attackers. The command is a combination of awk, sort and uniq.

Given that the first column of the access log is the IP address we do the following:

cd /var/log/nginx
# first column = client IP; count each IP, sort the counts numerically, keep the 100 highest
awk '{print $1}' *access_log | sort | uniq -c | sort -n | tail -n 100

This assumes that you have multiple sites running on nginx and that every access log file name ends with access_log. It also assumes that the first column of the access log is the IP address.

Sample access log (nginx):

69.64.xx.xx - - [30/Apr/2013:05:30:56 -0400] "GET / HTTP/1.1" 200 63574 "-" "Pingdom.com_bot_version_1.4_(http://www.pingdom.com/)"
222.127.xx.xx - - [30/Apr/2013:05:31:53 -0400] "GET / HTTP/1.1" 200 11934 "-" "Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0"

What the pipeline does is take only the first column (the IP address), sort it so that identical IPs end up next to each other (uniq only collapses adjacent lines), and then run uniq -c to count each IP.

Since that result is ordered by IP rather than by count, we sort it again by the count and finally keep only the last 100 lines (sort's default order is ascending, so the busiest IPs are at the end).
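The same pipeline wrapped in shell functions, as an added example that is not part of the original post: top_ips reproduces the command above with a numeric, descending sort, and top_ips_by_status narrows it to one HTTP status code (field 9 of the log format shown above), which is the quickest way to spot a single address generating a flood of 404s. The log lines are constructed sample data using documentation addresses, written to a temporary file so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Requires only awk, sort, uniq and head (POSIX + GNU coreutils).

# top_ips N FILE...  -> the N most frequent client IPs, count first, busiest first.
# sort -rn sorts the uniq -c counts numerically so 100 never lands below 99.
top_ips() {
    n="$1"; shift
    awk '{print $1}' "$@" | sort | uniq -c | sort -rn | head -n "$n"
}

# top_ips_by_status STATUS N FILE... -> same list, restricted to requests that
# received the given HTTP status (field 9 in the combined log format).
top_ips_by_status() {
    status="$1"; n="$2"; shift 2
    awk -v s="$status" '$9 == s {print $1}' "$@" | sort | uniq -c | sort -rn | head -n "$n"
}

# Constructed sample access log (RFC 5737 documentation addresses, made-up requests).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [30/Apr/2013:05:30:56 -0400] "GET / HTTP/1.1" 200 63574 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2013:05:30:57 -0400] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.29.0"
198.51.100.7 - - [30/Apr/2013:05:30:58 -0400] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/7.29.0"
192.0.2.9 - - [30/Apr/2013:05:31:01 -0400] "GET /about HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2013:05:31:02 -0400] "GET /style.css HTTP/1.1" 200 2213 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2013:05:31:03 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.29.0"
198.51.100.7 - - [30/Apr/2013:05:31:04 -0400] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.29.0"
192.0.2.9 - - [30/Apr/2013:05:31:10 -0400] "GET /contact HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2013:05:31:12 -0400] "GET /logo.png HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2013:05:31:15 -0400] "GET /backup.zip HTTP/1.1" 404 153 "-" "curl/7.29.0"
EOF

echo "Top 3 IPs overall:"
top_ips 3 "$SAMPLE_LOG"
echo "Top IPs by 404 responses:"
top_ips_by_status 404 3 "$SAMPLE_LOG"
```

On a real server replace "$SAMPLE_LOG" with /var/log/nginx/*access_log. One caveat: if nginx sits behind a load balancer or reverse proxy, the first column is the proxy's address for every request, and the real client address only appears in whatever header the proxy forwards (the log_format must include it), so counting $1 there tells you nothing about individual clients.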

That's it!

Enjoy and share.
