How to get the most frequent IP addresses in your logs


When you are running a web server, it is important to keep track of the IPs from which you are getting the most hits. We will see how to get the most frequent IP addresses in your logs.


Such tracking is important when there is a DoS attack and you need to block the IP from which the attack is coming. In such cases it helps to have a script that gives you the top IPs hitting your server.

Have a look at the below command.

cat /var/log/nginx/access.log | grep 'https://' | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -n 15

What this command will do:

This prints the IPs that hit your server most frequently, sorted by hit count. Let's break down the command and see what is happening here.

cat /var/log/nginx/access.log

This command reads the log file, and we pipe its output as input to the next command. The next command is

grep 'https://'

This keeps only the lines that contain the substring https://. The pattern is quoted so that the shell passes it to grep unchanged. If you want to search for a particular URL, put that URL in place of https://. We then pass the result to the next command, which is

awk '{print $1}'

This prints the first whitespace-separated field of each filtered line, which is where the client IP appears in the log.

Next we pass it to

sort -n

This sorts the lines so that identical IPs end up next to each other, which the next step relies on.

Next we pass it to

uniq -c

This collapses each run of identical adjacent lines into one and prefixes it with the number of times it occurred. After this we sort again, numerically and in reverse order, by passing the result to

sort -nr

After this we want only the top entries, let's say the top 15. For this we use the head command as below

head -n 15

Thus we get the list of IPs that hit your server most frequently. The output will look something like this

   1410 1.22.23.78
    732 14.139.240.251
    596 54.169.105.185
    455 1.22.0.156
    281 66.249.77.6
    169 81.110.234.223
    169 1.22.23.172
    157 54.213.252.71
    143 212.181.184.85
    130 66.249.79.191
    129 24.85.245.131
    115 122.164.21.55
    104 223.186.5.92
    102 124.6.136.138
     96 94.11.76.42

The first column is the hit count and the second is the IP the hits came from.
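The same count can be done in a single awk pass that filters on the request path instead of matching a string anywhere on the line. This is an added example, not part of the original post: the function names top_ips and make_sample_log are hypothetical, the sample log lines are constructed, and it assumes nginx's default "combined" log format, where field 1 is the client IP and field 7 is the request path.

```shell
#!/bin/sh
# top_ips LOGFILE [N] [PATH_PREFIX]
# Prints "count ip" for the N busiest client IPs, optionally restricted to
# requests whose path starts with PATH_PREFIX. LOGFILE may be "-" for stdin.
# Assumption: nginx "combined" format ($1 = client IP, $7 = request path).
top_ips() {
    log=$1
    n=${2:-15}
    prefix=${3:-}
    awk -v prefix="$prefix" '
        # index() == 1 is a literal prefix test, so no regex escaping is needed
        prefix == "" || index($7, prefix) == 1 { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$log" | sort -k1,1nr -k2,2 | head -n "$n"
    # sort: highest count first; equal counts are ordered by IP so the
    # output is stable from run to run
}

# Constructed sample log using documentation address ranges.
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"
EOF
}

# Demo: the two busiest IPs overall, then the busiest IPs on /login only.
make_sample_log | top_ips - 2
make_sample_log | top_ips - 15 /login
```

On a real server the call would be `top_ips /var/log/nginx/access.log 15`, with an optional path prefix as the third argument.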



Gaurav Yadav

Gaurav is a Full Stack Web Developer and Blogger. Sportsperson by heart and loves football. He has experience with various frameworks in php, python and javascript. Loves to explore new frameworks and evolve with the trending technology.
