Finding attacks in server logs

4 min read Intermediate 4 sections

Every request a server handles leaves a log line, which makes logs the record of what happened — including attacks. The text-processing tools you already know turn millions of log lines into the few that matter. This lesson is log analysis for spotting attacks, the defensive flip side of the recon you’ve been learning.

You'll learn to

  • Read the common log formats
  • Rank and filter log data to find attacks
  • Spot the signatures of common attack types

The shape of a web log

A typical access log line (Apache/Nginx combined format):
192.0.2.5 - - [10/Jan/2025:13:55:36 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.x"

Fields (space-separated, useful by position with awk):
  $1 = client IP      $6 = method (with its opening quote)      $7 = path      $9 = status code

Web logs are column-based text, exactly what awk handles. Knowing the field positions (IP is field 1, path is field 7, status is field 9) lets you slice the data precisely. The one trap is the quoted fields: the request line, referrer and User-Agent contain spaces, so $6 is "GET with the quote attached and the User-Agent is spread across $12 onward. For those fields, split on the double quote rather than on whitespace.
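
The quoted fields are where whitespace splitting goes wrong, so here is an added example (not part of the original lesson) that splits combined-format lines on the double quote instead and pulls the User-Agent out whole. The log lines are constructed sample data using documentation-range addresses, and the function names parse_combined and top_user_agents are chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the lesson: parse combined-format lines on the double
# quote instead of on spaces. Space-splitting works for $1 (IP), $7 (path) and
# $9 (status) but breaks on the quoted fields, because the request line, the
# referrer and the User-Agent all contain spaces. Splitting on '"' gives:
#   $1 = 'IP ident user [timestamp] '   $2 = request line   $3 = ' status bytes '
#   $4 = referrer                        $6 = User-Agent
set -eu

# Constructed sample lines (fabricated for this example; documentation-range IPs).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.5 - - [10/Jan/2025:13:55:36 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:38 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Nikto/2.1.6"
198.51.100.7 - alice [10/Jan/2025:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0)"
EOF

# One tab-separated record per line: ip, method, path, status, user-agent.
parse_combined() {
  awk -F'"' '{
    split($1, pre, " ")    # pre[1]=ip  pre[2]=ident  pre[3]=user  pre[4]="[timestamp"
    split($2, req, " ")    # req[1]=method  req[2]=path  req[3]=protocol
    split($3, post, " ")   # post[1]=status  post[2]=bytes
    printf "%s\t%s\t%s\t%s\t%s\n", pre[1], req[1], req[2], post[1], $6
  }' "$1"
}

# Rank User-Agents by request count. A whitespace-based "awk '{print $12}'" would
# only see the first word of each UA, so both Mozilla strings would collapse together.
top_user_agents() {
  parse_combined "$1" | cut -f5 | sort | uniq -c | sort -rn
}

parse_combined "$SAMPLE_LOG"
top_user_agents "$SAMPLE_LOG"
```

The same quote-split trick gives you the referrer ($4) for free, which is useful when a scanner spoofs a referrer to look like on-site navigation.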

The core ranking pipeline

# Top IPs by request count (find the noisy ones):
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head

# All the 401/403 responses (auth failures, probing), ranked by IP and path:
awk '$9 ~ /^40[13]$/ {print $1, $7}' access.log | sort | uniq -c | sort -rn

# Requests from one suspicious IP (match the field exactly: grep "192.0.2.5" would
# also hit 192.0.2.50 and any line that mentions the address in the referrer):
awk '$1 == "192.0.2.5" {print $6, $7, $9}' access.log

The pattern sort | uniq -c | sort -rn counts and ranks — the single most useful log move. It turns raw lines into ‘the top 10 IPs’, ‘the most-hit endpoints’, ‘the most common error’. Ranking is how you find the anomaly in the noise.

Attack signatures

# Brute force: many auth failures from one IP ($(NF-3) is the address because
# every "Failed password" line ends "from <ip> port <n> ssh2"):
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn

# Path traversal / LFI attempts (-i also catches %2E; fully encoded variants such
# as %2e%2e%2f need decoding before a literal match will find them):
grep -Ei "\.\./|etc/passwd|%2e%2e" access.log

# SQLi / XSS probes in URLs (raw forms only: URL-encoded payloads such as
# %27%20or%20 slip past these literals unless you decode the request first):
grep -Ei "union.*select|<script|onerror=|' or '1'='1" access.log

# Scanning: one IP hitting many distinct paths (counts distinct paths per IP; this
# ignores timing, so bring in the $4 timestamp if you need requests per second):
awk '{print $1, $7}' access.log | sort -u | awk '{print $1}' | sort | uniq -c | sort -rn
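
The four signature pipelines above are one-liners with no threshold and no decoding, so a single 403 shows up next to a real scan and an encoded payload never matches. The following added example (not code from the original lesson) turns them into shell functions with a count threshold and a small percent-decoder in portable awk, and runs them over constructed access and auth log lines. The log data is fabricated for this example using documentation-range addresses, and the names brute_force_ips, scanner_ips, url_decode and probe_requests are chosen here.

```bash
#!/usr/bin/env bash
# Added example, not from the lesson: the signature checks above as shell functions
# with thresholds, run over constructed sample logs. Two refinements a practitioner
# wants: a threshold so a single 403 is not an "attack", and URL-decoding before
# signature matching so %2F and %27 do not hide traversal and SQLi payloads.
set -eu

ACCESS_LOG=$(mktemp)
AUTH_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG" "$AUTH_LOG"' EXIT

# Constructed access log (fabricated; documentation-range IPs): 192.0.2.5 scans
# several paths and sends encoded payloads, 198.51.100.7 is an ordinary client.
cat >"$ACCESS_LOG" <<'EOF'
192.0.2.5 - - [10/Jan/2025:13:55:36 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:36 +0000] "GET /.env HTTP/1.1" 404 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:38 +0000] "GET /download?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 400 0 "-" "curl/7.x"
192.0.2.5 - - [10/Jan/2025:13:55:39 +0000] "GET /search?q=%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 500 0 "-" "curl/7.x"
198.51.100.7 - - [10/Jan/2025:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# Constructed sshd lines in auth.log syntax (also fabricated).
cat >"$AUTH_LOG" <<'EOF'
Jan 10 13:55:40 web1 sshd[2211]: Failed password for root from 192.0.2.5 port 51001 ssh2
Jan 10 13:55:41 web1 sshd[2213]: Failed password for invalid user admin from 192.0.2.5 port 51002 ssh2
Jan 10 13:55:42 web1 sshd[2215]: Failed password for root from 192.0.2.5 port 51003 ssh2
Jan 10 13:55:43 web1 sshd[2217]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Jan 10 13:55:50 web1 sshd[2219]: Accepted password for alice from 198.51.100.7 port 40122 ssh2
EOF

# Brute force: IPs with at least $2 failed SSH logins in $1 (default 3).
# $(NF-3) is the address because every "Failed password" line ends "from IP port N ssh2".
brute_force_ips() {
  grep 'Failed password' "$1" | awk -v min="${2:-3}" '
    { fails[$(NF-3)]++ }
    END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }' | sort -rn
}

# Scanning: IPs that requested at least $2 distinct paths (default 5). The query
# string is stripped first so /search?q=a and /search?q=b count as one path.
scanner_ips() {
  awk '{ p = $7; sub(/[?].*/, "", p); print $1, p }' "$1" | sort -u |
    awk -v min="${2:-5}" '
      { paths[$1]++ }
      END { for (ip in paths) if (paths[ip] >= min) print paths[ip], ip }' | sort -rn
}

# Percent-decode stdin (%XX -> byte, + -> space) in portable awk.
url_decode() {
  awk 'BEGIN { hex = "0123456789abcdef" }
  {
    s = $0; out = ""
    while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
      c = tolower(substr(s, RSTART + 1, 2))
      n = (index(hex, substr(c, 1, 1)) - 1) * 16 + index(hex, substr(c, 2, 1)) - 1
      out = out substr(s, 1, RSTART - 1) sprintf("%c", n)
      s = substr(s, RSTART + 3)
    }
    out = out s
    gsub(/[+]/, " ", out)
    print out
  }'
}

# Signature probes: "ip path" pairs whose decoded path matches a traversal/SQLi/XSS pattern.
probe_requests() {
  awk '{ print $1, $7 }' "$1" | url_decode |
    grep -Ei "\.\./|etc/passwd|union[[:space:]]+select|<script|onerror=|' or '1'='1"
}

brute_force_ips "$AUTH_LOG"
scanner_ips "$ACCESS_LOG"
probe_requests "$ACCESS_LOG"
```

On the sample data the plain grep from the lesson finds neither probe, because both payloads arrive with %2F and %27 encoded; decoding first is what makes the signatures fire. The thresholds are starting points: tune them against a baseline of your own normal traffic rather than copying the defaults.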

Checkpoint

What does the pipeline awk '{print $1}' access.log | sort | uniq -c | sort -rn | head reveal, and why is it useful for finding attacks?

Try it yourself

Take any web access log (or a sample). Rank the top IPs by request count with the sort | uniq -c | sort -rn pipeline. Then grep for a traversal signature like ../ and for a SQLi signature like union select. Note how ranking surfaces the noisy clients and signature-grep surfaces specific attack attempts.

Key takeaways

  • Web logs are column text; awk slices by field (IP=1, path=7, status=9), but quoted fields such as the User-Agent need a quote-based split.
  • sort | uniq -c | sort -rn ranks anything — the core log move.
  • Signature greps find traversal, SQLi, XSS, and brute-force attempts.
  • Baseline normal traffic first, then the attack is what doesn’t fit.

Next, automating full Linux security assessments — user, permission, and SUID enumeration in one script.