How to get most frequent ip address in your logs.

When you are running a web server it is really important to keep track of the IPs from which you are getting the most hits. We will see how to get the most frequent IP address in your logs.


Such tracking matters when you are under a DoS attack and need to block the IP the attack is coming from. In such cases it helps to have a script that lists the top IPs hitting your server.

Have a look at the below command.

cat /var/log/nginx/access.log | grep 'https://' | awk '{print $1}' | sort -n | uniq -c | sort -rn | head -n 15

What this command will do:

This will print the list of IPs which are most frequently hitting your server, in sorted order. Let's break down the command and see what is happening here.

cat /var/log/nginx/access.log

This command reads the log file, and we pipe its output as input to the next command, which is

grep 'https://'

This will keep only the lines that contain the substring https:// (the pattern is quoted so the shell does not treat it as a glob). If you want to search for a particular URL, just put that URL in place of https://. Now we pass this to the next command, which is

awk '{print $1}'

This will print the IP from the filtered results, because the IP is the first field of each line in the log.

Next we pass it to

sort -n

This will sort the lines so that identical IPs end up next to each other, which the next command needs.

Next we pass it to

uniq -c

This will collapse the adjacent duplicate lines and prefix each unique IP with the number of times it appeared. After this we sort it again in reverse numeric order by passing it to

sort -rn

After this we want only the top 15, let's say; for this we use the head command as below

head -n 15

Thus we get the list of IPs which are most frequently hitting your server. The output will be something like below

   1410 1.22.23.78
    732 14.139.240.251
    596 54.169.105.185
    455 1.22.0.156
    281 66.249.77.6
    169 81.110.234.223
    169 1.22.23.172
    157 54.213.252.71
    143 212.181.184.85
    130 66.249.79.191
    129 24.85.245.131
    115 122.164.21.55
    104 223.186.5.92
    102 124.6.136.138
     96 94.11.76.42

The first column is the count and the second is the IP from which we are getting the hits.
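The same pipeline wrapped in a small function and run against a constructed access log, as an added example that is not part of the original post. It assumes the default nginx "combined" log format (client IP in field 1) and that nginx sees clients directly; the sample lines and IPs are made up.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes nginx "combined" format, where the client IP is field 1. Behind a
# reverse proxy or load balancer field 1 would be the proxy's address instead.

# top_ips LOGFILE N [PATTERN]
# Prints the N most frequent client IPs as "count ip". When PATTERN is given,
# only lines containing it (a URL substring, say) are counted, like the post's
# grep step; an empty pattern matches every line.
top_ips() {
    logfile=$1
    n=${2:-15}
    pattern=${3:-}
    # -F treats the pattern literally; quoting it keeps the shell from
    # globbing characters such as '*' before grep ever sees them.
    grep -F -- "$pattern" "$logfile" \
        | awk '{print $1}' \
        | sort \
        | uniq -c \
        | sort -rn \
        | head -n "$n"
}

# Constructed sample log (placeholder documentation-range IPs).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "https://example.com/" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 128 "https://example.com/login" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 128 "https://example.com/login" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:55:41 +0000] "GET /api HTTP/1.1" 200 64 "-" "Mozilla/5.0"
EOF

top_ips "$SAMPLE_LOG" 3          # top 3 across all requests
top_ips "$SAMPLE_LOG" 3 /login   # top 3 among requests mentioning /login
```

The second call shows the same idea the post describes for a particular URL: the single address repeatedly POSTing to /login and getting 401s floats to the top.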

If you liked the article, please share and subscribe.


Gaurav Yadav

Gaurav is a cloud infrastructure engineer, a full stack web developer and a blogger. Sportsperson by heart and loves football. Scale is something he loves to work on, and he is always keen to learn new tech. Experienced with CI/CD, distributed cloud infrastructure, build systems and a lot of SRE stuff.

3 COMMENTS
  • Sanket raj

    The extraction of information provides insights on analyzing the understanding about the aspects of different elements and help in further predictions.

  • anant kumar

    Thanks Gaurav. It's a nice one. But there seems to be a typo. In the awk print statement, it will print the 1st field, but it's mentioned as the 2nd. Please note, the actual log file content is not visible to the reader.

    1. Gaurav Yadav

      Thanks anant. Noted, I will fix this. Really appreciate your comment.
