Cybersecurity Triage
Read-onlyFind Common Admin Probe Paths
You need to find repeated requests for common administrative or login-looking paths in a web log.
Command
awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | headBefore you run this
System impact: Read-only. Low when scoped to the shown target.
When not to use it: Do not assume a keyword match means compromise; this only shows requested paths.
Expected output
Counts with source IP, requested path, and HTTP status.
System impact
Read-only. Nothing changes. The command filters log lines by path keywords and counts repeated combinations.
Recovery / rollback: no state is changed.
When to use it
Use this to spot broad internet background noise and decide whether a path is being repeatedly requested.
When not to use it
Do not assume a keyword match means compromise; this only shows requested paths.
Watch this command run
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ awk '{print $7}' ./sample-files/nginx/access.log | sort | uniq -c | sort -nr | head
5 /health
3 /search?q=nginx&page=1
3 /missing
3 /api/report
2 /download/site-backup.tar
2 /api/profile
1 /wp-login.php
1 /wp-admin
1 /login
1 /docs$ awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./sample-files/nginx/access.log | sort | uniq -c | sort -nr | head
1 203.0.113.45 /login 403
1 203.0.113.45 /admin 403
1 203.0.113.44 /wp-login.php 404
1 203.0.113.44 /wp-admin 404$ awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print}' ./sample-files/nginx/access.log
203.0.113.44 - - [25/Jun/2026:10:01:07 +0000] "GET /wp-login.php HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.44 - - [25/Jun/2026:10:01:09 +0000] "GET /wp-admin HTTP/1.1" 404 140 "-" "ScannerBot/1.0"
203.0.113.45 - - [25/Jun/2026:10:01:12 +0000] "GET /admin HTTP/1.1" 403 180 "-" "SyntheticAudit/0.1"
203.0.113.45 - - [25/Jun/2026:10:01:14 +0000] "GET /login HTTP/1.1" 403 180 "-" "SyntheticAudit/0.1"View commands shown
These are the commands shown in the sanitized transcript.
Commands shown
awk '{print $7}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | headawk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | headawk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print}' ./fixtures/nginx/access.log
next steps
Related commands
Spot Unusual HTTP Methods in Access Logs
Most site traffic is boring. The weird methods are worth a look.
awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
Count the Most Common User Agents
A strange traffic spike often has a strange user agent.
awk -F'"' '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
Find Clients Repeating the Same Path
The suspicious pattern is sometimes one client hammering one URL.
awk '{key=$1 " " $7; count[key]++} END {for (k in count) if (count[k] >= 5) print count[k], k}' ./fixtures/nginx/access.log | sort -nr | head
Find Paths Repeatedly Returning 404
One missing URL is normal. A repeated missing URL is a signal.
awk '$9==404 {count[$7]++} END {for (path in count) if (count[path] >= 3) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head
Find the IPs Creating the Most 4xx Noise
One address can turn a normal access log into a wall of failed requests.
awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' ./fixtures/nginx/access.log | sort -nr | head
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.