
Apache Log Analysis Cheat Sheet

Use grep, awk, tail, sort and uniq to investigate Apache access logs, cPanel domlogs, status codes, top IPs and common website issues.


Common Apache and cPanel log paths

| Log | Path |
| --- | --- |
| Main Apache error log | /usr/local/apache/logs/error_log |
| Domain access log | /usr/local/apache/domlogs/example.com |
| Domain SSL log | /usr/local/apache/domlogs/example.com-ssl_log |
| User archived logs | /home/user/logs/ |

Find status codes

500 errors

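# The leading quote ties the match to the status field right after the quoted request line,
# so a 500-byte response size is not counted as a 500 error.
grep '" 500 ' access.log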

404 errors

grep '" 404 ' access.log

403 errors

grep '" 403 ' access.log

Count status codes

awk '{print $9}' access.log | sort | uniq -c | sort -nr

Find top IP addresses

Top IPs

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head

Requests from one IP

grep "^203\.0\.113\.10 " access.log

Top IPs for 404s

grep '" 404 ' access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

Top login IPs

grep "wp-login.php" access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

Find top URLs and heavy traffic

Top URLs

awk '{print $7}' access.log | sort | uniq -c | sort -nr | head

Top 500 URLs

grep '" 500 ' access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head

Large responses

awk '$10 > 1000000 {print $1, $7, $10}' access.log

Total bytes by IP

awk '{bytes[$1]+=$10} END {for (ip in bytes) print bytes[ip], ip}' access.log | sort -nr | head

Bot and crawler checks

Googlebot

grep -i "Googlebot" access.log | tail

curl requests

grep -i "curl" access.log | tail

Top user agents

awk -F\" '{print $6}' access.log | sort | uniq -c | sort -nr | head

WordPress-specific checks

wp-login hits

grep "wp-login.php" access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

xmlrpc hits

grep "xmlrpc.php" access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head

admin-ajax traffic

grep "admin-ajax.php" access.log | awk '{print $1, $7, $9}' | head
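
The wp-login count above also includes GET requests and lines that only carry wp-login.php in the referer. As an added example (not part of the original cheat sheet), the function below counts only POSTs whose request path is wp-login.php and shows how many of them were answered with a 302. The function names, the sample log and the reading of a 302 as a successful login are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data below is constructed.

# wp_login_posts FILE [MIN]
# For each client IP with at least MIN POSTs to wp-login.php, print:
#   posts redirects ip first_seen last_seen
# Assumption: a 302 answer to a login POST is WordPress redirecting after a
# successful login, and a 200 is the login form shown again after a failure.
wp_login_posts() {
    awk -v min="${2:-5}" '
        # Combined format: $1 ip, $4 "[time", $6 "\"METHOD", $7 path, $9 status
        $6 != "\"POST" { next }
        {
            path = $7
            sub(/\?.*/, "", path)                   # ignore the query string
            if (path !~ /\/wp-login\.php$/) next    # request path only, not referer
            posts[$1]++
            if ($9 == 302) redirects[$1]++
            ts = substr($4, 2)                      # strip the leading "["
            if (!($1 in first)) first[$1] = ts
            last[$1] = ts
        }
        END {
            for (ip in posts)
                if (posts[ip] >= min)
                    print posts[ip], redirects[ip] + 0, ip, first[ip], last[ip]
        }' "$1" | sort -k1,1nr -k3,3
}

# Constructed sample: 203.0.113.10 sends six login POSTs, the last one redirected;
# 198.51.100.7 logs in once; 192.0.2.44 only has wp-login.php in its referer.
make_sample_log() {
    i=1
    while [ "$i" -le 5 ]; do
        printf '203.0.113.10 - - [12/May/2025:10:00:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 500 "-" "curl/8.5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '%s\n' \
      '203.0.113.10 - - [12/May/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.5.0"' \
      '198.51.100.7 - - [12/May/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
      '192.0.2.44 - - [12/May/2025:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 500 "https://example.com/wp-login.php" "Mozilla/5.0"'
}

# Demo on the constructed sample ("-" makes awk read standard input).
make_sample_log | wp_login_posts - 5
```

An IP with many POSTs and a non-zero redirect count is the one to review first, since under the stated assumption it may have ended with a working password.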

Live checks

Watch SSL domlog

tail -f /usr/local/apache/domlogs/example.com-ssl_log

Watch for 500s live

tail -f access.log | grep '" 500 '

Watch wp-login live

tail -f access.log | grep "wp-login.php"

Apache log analysis workflows

Top IPs

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head

Top URLs

awk '{print $7}' access.log | sort | uniq -c | sort -nr | head

Status codes

awk '{print $9}' access.log | sort | uniq -c | sort -nr

User agents

awk -F\" '{print $6}' access.log | sort | uniq -c | sort -nr | head

Frequently Asked Questions

What is an Apache access log?

It records requests made to the web server, commonly including IP, time, method, URL, status code and user agent.

How do I find top IPs in an access log?

Print the first field, then sort and count it with uniq -c.

How do I count HTTP status codes?

Print the status code field and count unique values.

Can Apache logs show bot traffic?

Yes. Request rate, URLs, IPs and user agents can all indicate bot activity.