Internal Checking log and activity
Checking access and logs
- Live HTTPS access
  tail -f /var/log/apache2/access.log
- Zabbix specifically (if configured separately)
  tail -f /var/log/apache2/zabbix_access.log
- Check for recent access with IPs
  awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -rn | head -20
Checking specific traffic from IP
- What was 91.169.203.140 doing? (382k requests)
  grep "91.169.203.140" /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -10
- Response codes - did they get in?
  grep "91.169.203.140" /var/log/apache2/access.log | awk '{print $9}' | sort | uniq -c | sort -rn
- When did it happen - first / last?
  grep "91.169.203.140" /var/log/apache2/access.log | head -3
  grep "91.169.203.140" /var/log/apache2/access.log | tail -3
- Create a quick report for several IPs
  for ip in 75.119.139.70 84.247.172.208 185.205.244.44 146.235.220.43 194.163.132.135 185.182.184.152 207.180.245.57 144.91.110.72 94.72.105.69; do
    echo "=== $ip ==="
    echo "First: $(grep "$ip" /var/log/apache2/access.log | head -1 | awk '{print $4}')"
    echo "Last: $(grep "$ip" /var/log/apache2/access.log | tail -1 | awk '{print $4}')"
    echo ""
  done
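Added example (not part of the original notes): the same per-IP report in a single awk pass, matching the client field exactly so that an address is not counted when it is only a prefix of another address or appears in a referer. The function names ip_report and sample_log and the sample log lines are constructed for illustration; the log is assumed to be in Apache combined format.

```shell
#!/bin/sh
# Added example, not from the original page. Log lines below are constructed.
sample_log() {
cat <<'EOF'
192.0.2.1 - - [10/Oct/2024:13:55:36 +0000] "GET /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2024:13:55:40 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:57:11 +0000] "GET /a HTTP/1.1" 200 100 "http://192.0.2.1/" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2024:14:01:09 +0000] "POST /login HTTP/1.1" 200 900 "-" "curl/8.0"
EOF
}

# ip_report LOGFILE IP [IP...]   (LOGFILE may be "-" for stdin)
# Prints one line per IP: ip requests first-seen last-seen status=count,...
ip_report() {
    logfile=$1; shift
    awk -v ips="$*" '
    BEGIN {
        n = split(ips, order, " ")
        for (i = 1; i <= n; i++) want[order[i]] = 1
    }
    # Exact match on the client field ($1) only.
    ($1 in want) {
        ip = $1; ts = substr($4, 2)      # drop the leading "[" of the timestamp
        if (!(ip in count)) first[ip] = ts
        last[ip] = ts; count[ip]++
        if (!((ip, $9) in codes)) seen[ip] = seen[ip] " " $9
        codes[ip, $9]++
    }
    END {
        for (i = 1; i <= n; i++) {
            ip = order[i]
            if (!(ip in count)) { printf "%s 0 - - -\n", ip; continue }
            m = split(seen[ip], s, " "); out = ""
            for (j = 1; j <= m; j++) {
                sep = (j > 1) ? "," : ""
                out = out sep s[j] "=" codes[ip, s[j]]
            }
            printf "%s %d %s %s %s\n", ip, count[ip], first[ip], last[ip], out
        }
    }' "$logfile"
}

# Demo on the constructed sample; on a server, pass /var/log/apache2/access.log.
sample_log | ip_report - 192.0.2.1 203.0.113.9
```

On the sample, a plain grep for 192.0.2.1 matches all five lines, while the report counts only the three requests that address actually made. A 401 followed by a 200 on the same login path is the pattern the "did they get in?" question is looking for.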
SSH traffic check
- Recent SSH authentication attempts
  journalctl -u ssh --since "24 hours ago"
- Failed login attempts specifically
  journalctl -u ssh | grep -Ei "failed|invalid"
- All authentication events (logins, sudo, etc.)
  journalctl _COMM=sshd