Grep Awk Sort Uniq Log Filtering Checklist

admin, June 18, 2026


grep, awk, sort and uniq turn large logs into useful evidence. They help system admins find attack patterns, top IPs, status code spikes, repeated URLs, failed login attempts and noisy bots.

Core principle

Logs are raw data. Filtering and counting turn raw data into operational intelligence.

Checklist

  1. Identify the log file to inspect.
  2. Filter by keyword or endpoint.
  3. Extract IP addresses.
  4. Count top IPs.
  5. Count status codes.
  6. Find repeated URLs.
  7. Filter by time range if possible.
  8. Separate normal traffic from suspicious traffic.
  9. Save useful commands for reuse.
  10. Turn repeated findings into monitoring rules.

Reusable lesson

This applies to Nginx access logs, auth logs, WordPress attacks, API errors, webhook abuse, crawler detection and security monitoring.

Checklist Type: Log Analysis
Level: Intermediate
Risk Level: Medium Risk
Estimated Time: 30–60 minutes

When to Use This Checklist

Use this checklist when analyzing logs to find repeated errors, abusive traffic, attack patterns, bot spikes or high-volume endpoints.

Required Tools

SSH access, the log files, grep, awk, sort, uniq, the incident time window, and knowledge of the access log format (which field holds the IP, status code and URL).

Before You Start

Do not block traffic based on one line. Look for repeated patterns and confirm whether the traffic is truly abusive.

Structured Checklist Steps

  1. Pick log file.
  2. Filter keyword.
  3. Extract IPs.
  4. Count top IPs.
  5. Count status codes.
  6. Find repeated URLs.
  7. Filter by time if possible.
  8. Classify traffic.
  9. Save command.
  10. Create monitoring rule.
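The ten steps above carried through as one runnable POSIX shell script. This is an added example, not code from the original checklist: it writes a small constructed Nginx access log (sample lines only, not real traffic) to a temporary file created with mktemp, and assumes the default "combined" log format, where awk's whitespace-split fields give $1 = client IP, $4 = timestamp, $7 = request path and $9 = status code. The function names, the 4xx threshold and the alert wording are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original checklist: walks steps 1-10 over
# a constructed Nginx access log in the default "combined" format.
# Field numbers assume that format (whitespace-split by awk):
#   $1 = client IP, $4 = [date:time, $7 = request path, $9 = status code
LOG="$(mktemp /tmp/access_sample.XXXXXX)"   # hypothetical sample location
trap 'rm -f "$LOG"' EXIT

# Step 1: pick the log file. These lines are constructed, not real traffic.
cat > "$LOG" <<'EOF'
203.0.113.10 - - [18/Jun/2026:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2026:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2026:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Jun/2026:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2026:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Jun/2026:10:02:12 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [18/Jun/2026:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.88 - - [18/Jun/2026:11:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Googlebot/2.1"
192.0.2.88 - - [18/Jun/2026:11:00:01 +0000] "GET /sitemap.xml HTTP/1.1" 200 900 "-" "Googlebot/2.1"
203.0.113.10 - - [18/Jun/2026:11:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 256 "-" "Mozilla/5.0"
EOF

# Step 2: filter by keyword or endpoint (-F: fixed string, so "." is literal).
filter_keyword() { grep -F -- "$2" "$1"; }

# Steps 3-4: extract client IPs and count the busiest ones.
top_ips() { awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"; }

# Step 5: count HTTP status codes.
status_counts() { awk '{print $9}' "$1" | sort | uniq -c | sort -rn; }

# Step 6: find repeated request paths.
top_urls() { awk '{print $7}' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"; }

# Step 7: keep only lines whose time of day falls in [FROM, TO).
# $4 looks like "[18/Jun/2026:10:01:02", so HH:MM:SS starts at offset 14.
time_range() {
  awk -v from="$2" -v to="$3" '{ t = substr($4, 14, 8) } t >= from && t < to' "$1"
}

# User agents: split on the double quote so spaces inside the agent survive.
top_user_agents() { awk -F'"' '{print $6}' "$1" | sort | uniq -c | sort -rn; }

# Step 8: classify. An IP is flagged only when it has repeatedly drawn 4xx
# responses; one failed request is never enough (see "Before You Start").
# Output: "<ip> <4xx count>" for every IP at or above THRESHOLD.
suspicious_ips() {
  awk -v th="$2" '$9 ~ /^4[0-9][0-9]$/ { c[$1]++ }
       END { for (ip in c) if (c[ip] >= th) print ip, c[ip] }' "$1"
}

# Steps 9-10: the functions above are the saved investigation kit; a
# monitoring rule is the same query run on a schedule with a chosen threshold.
monitor_rule() {
  n="$(suspicious_ips "$1" "$2" | wc -l | tr -d ' ')"
  [ "$n" -gt 0 ] && echo "ALERT: $n client(s) at or above $2 4xx responses"
  return 0
}

top_ips "$LOG" 3
status_counts "$LOG"
top_urls "$LOG" 3
time_range "$LOG" 10:00:00 11:00:00
suspicious_ips "$LOG" 5
monitor_rule "$LOG" 5
```

Against a real server, point LOG at /var/log/nginx/access.log (with sudo) and first confirm the field positions with `head -n 1` of the file: a custom log_format that adds a field before the request shifts every number after it, and the counts will silently be wrong. The threshold of five 4xx responses is a starting point for the sample; tune it against the site's normal failed-login rate before turning it into an alert.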

Rollback Plan

If a blocking decision based on log analysis causes false positives, remove the block and refine the pattern with narrower evidence.

Common Mistakes

  • Blocking after one request.
  • Not counting frequency.
  • Ignoring status codes.
  • Not checking user agents or URLs.
  • No saved investigation commands.

Related Commands

# Field numbers assume the default Nginx "combined" log format: $1 = client IP, $7 = request path, $9 = status code.
# Top 10 client IPs by request count
sudo awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
# Request count per HTTP status code
sudo awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
# Last 50 requests that mention the login endpoint
sudo grep "wp-login.php" /var/log/nginx/access.log | tail -n 50
# Top 10 most requested URLs
sudo awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
