Count IP Addresses in Access Log File: BASH One-Liner

# Filed on Dec 17, 2008 by AnthonyDiSante 2 replies

Recently my server was nearly overloaded by a web spider that was severely stupid and/or malfunctioning.  It was making multiple requests every second for totally nonsensical URLs.

When I first noticed my server slowing down, I checked my Apache access.log file.  Since encodable.com normally gets about 1000 visitors per day anyway, a visual inspection of the logfile did not make it immediately obvious which IP address was making the most requests.  There are lots of hits from my own IP, for example, but not enough to slow the server down.

One quick way to see which IP addresses are most active is to sort by them:

cat access.log |cut -d ' ' -f 1 |sort

The cut command there simply throws away all the output except for the first field on each line, which is the IP address.  Then we sort them.  We can then scroll up through the terminal window and get a quick-and-dirty visual indication of which IP is most prevalent.

But in my case, I had quite a few IPs with several hundred hits, and that’s not enough to cause a problem.  I needed to see which ones were in the thousands, but scrolling up through the terminal output it’s not especially easy to see the difference between say 500 lines and 1000 lines.

I needed an actual count of the number of times each IP address appeared in the access log.  I came up with the following BASH one-liner to do it (split onto multiple lines here only for readability):

# The trailing space in the grep pattern stops 1.2.3.4 from also matching 1.2.3.40
FILE=/path/to/access.log;
 for ip in `cat "$FILE" |cut -d ' ' -f 1 |sort |uniq`;
 do { COUNT=`grep "^$ip " "$FILE" |wc -l`;
 if [[ "$COUNT" -gt "500" ]]; then echo "$COUNT:   $ip";
 fi }; done

First it creates a for-loop based on the output of the uniq command, so each iteration of the loop is for a different unique IP from the log.  It then greps the log for that IP and uses "wc -l" to count the lines in the output.  Finally, if the count is greater than 500, it displays the count and the IP, like so:

6975:   124.115.3.33
5648:   124.115.5.169
1514:   66.219.73.236
1451:   74.204.11.20

As you can see, the stupid spider was coming from the 124.115.* IP range.

UPDATE: even easier: the uniq command has a -c argument that does most of this work automatically.  It counts the occurrences of each unique line.  Then a quick sort -n and a tail shows the big ones.  Also, I tend to use "cut" as above, but one of the Dreamhost guys reminded me that awk may be a little more straightforward:

cat /path/to/access.log |awk '{print $1}' |sort |uniq -c |sort -n |tail
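
The finding above, that the spider came from the 124.115.* range, points at counting by network prefix as well as by single address: a crawler spread over many addresses can stay under any per-IP threshold. The following is an added example, not part of the original post; the function names, the threshold argument and the sample log lines are constructed for illustration, and it handles IPv4 only.

```bash
# Added example: one pass over the log with awk, counting hits per IP
# or per /16 prefix (first two octets). IPv4 only.
# Usage: count_hits FILE MODE MIN    (MODE is "ip" or "prefix")
# Prints "COUNT KEY" for every key with more than MIN hits, largest first.
count_hits() {
  awk -v mode="$2" -v min="$3" '
    # Skip lines whose first field is not a dotted-quad address
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
    {
      key = $1
      if (mode == "prefix") { split($1, o, "."); key = o[1] "." o[2] ".*" }
      hits[key]++
    }
    END { for (k in hits) if (hits[k] > min) print hits[k], k }
  ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log: four addresses in 124.115.*, each with only one
# or two hits, one busier unrelated address, and one malformed line.
sample_log() {
  for ip in 124.115.3.33 124.115.3.33 124.115.5.169 124.115.5.169 \
            124.115.0.7 124.115.0.7 124.115.9.1 \
            66.219.73.236 66.219.73.236 66.219.73.236 74.204.11.20; do
    printf '%s - - [17/Dec/2008:10:00:00 -0500] "GET / HTTP/1.1" 200 512\n' "$ip"
  done
  echo 'malformed line without an address'
}

demo() {
  tmp=$(mktemp) || return 1
  sample_log > "$tmp"
  echo "per IP, more than 2 hits:";  count_hits "$tmp" ip 2
  echo "per /16, more than 2 hits:"; count_hits "$tmp" prefix 2
  rm -f "$tmp"
}
demo
```

On the sample data no single 124.115.* address crosses the per-IP threshold, but the prefix view puts that range at the top.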

Comments:

01. Apr 1, 2009 at 09:12am by Dodger:

perl -e '$ip{(split)[0]}++ while <>; print map "$_ : $ip{$_}\n", sort {$ip{$b} <=> $ip{$a}} keys %ip' /var/log/apache2/access_log

02. Apr 2, 2009 at 09:11am by AnthonyDiSante:

Close... swap the output columns and pipe to head and that would do it.  Of course, that’s much more unwieldy than the awk/sort/uniq method.
