Cybersecurity Triage
Read-only
Spot Unusual HTTP Methods in Access Logs
You need to identify requests using HTTP methods outside the small set your site normally expects.
Command
awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
Before you run this
System impact: Read-only. Low when scoped to the shown target.
When not to use it: Do not label every uncommon method as hostile; APIs, monitors, and load balancers can produce legitimate exceptions.
Expected output
Counts with source IP, method, path, and response status for unusual methods.
System impact
Read-only. Nothing changes. The command filters and counts unusual request methods.
Recovery / rollback: no state is changed.
When to use it
Use this during defensive triage to find traffic that does not match expected browser or API behavior.
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ awk '{print $6}' ./sample-files/nginx/access.log | sort | uniq -c | sort -nr
22 "GET
1 "PUT
1 "POST
1 "DELETE
$ awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./sample-files/nginx/access.log | sort | uniq -c | sort -nr
1 203.0.113.46 "PUT /api/profile 405
1 203.0.113.46 "DELETE /api/profile 405
$ awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print}' ./sample-files/nginx/access.log
203.0.113.46 - - [25/Jun/2026:10:02:01 +0000] "PUT /api/profile HTTP/1.1" 405 90 "-" "curl/8"
203.0.113.46 - - [25/Jun/2026:10:02:03 +0000] "DELETE /api/profile HTTP/1.1" 405 90 "-" "curl/8"
These are the commands shown in the sanitized transcript.
Commands shown
awk '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print}' ./fixtures/nginx/access.log
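A quote-delimited variant of the filter above, as an added example that is not part of the original page: it reads the method from the quoted request line, so a malformed request cannot shift the whitespace-split fields, and it marks unusual methods that the server answered with 2xx or 3xx instead of rejecting. It assumes nginx's default combined log format; the function names, the `allowed` variable and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. The log lines below are constructed (documentation IP ranges).
sample_log() {
cat <<'EOF'
198.51.100.7 - - [25/Jun/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.46 - - [25/Jun/2026:10:02:01 +0000] "PUT /api/profile HTTP/1.1" 405 90 "-" "curl/8"
203.0.113.46 - - [25/Jun/2026:10:02:03 +0000] "DELETE /api/profile HTTP/1.1" 405 90 "-" "curl/8"
198.51.100.9 - - [25/Jun/2026:10:03:10 +0000] "PUT /uploads/note.txt HTTP/1.1" 201 0 "-" "curl/8"
192.0.2.15 - - [25/Jun/2026:10:04:00 +0000] "\x16\x03\x01\x00" 400 150 "-" "-"
EOF
}

# Print "count verdict ip method path status" for methods outside the allowlist.
# Reads the file named in $1, or stdin when no argument is given.
triage_methods() {
  awk -F'"' -v allowed='GET POST HEAD OPTIONS' '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      split($1, pre, " ");  ip = pre[1]        # text before the request line
      m = split($2, req, " ")                  # METHOD PATH PROTOCOL
      split($3, post, " "); status = post[1]   # text after it: status, bytes
      if (m == 3 && req[1] ~ /^[A-Z][A-Z_-]*$/) { method = req[1]; path = req[2] }
      else { method = "MALFORMED"; path = "-" }  # e.g. TLS bytes sent to an HTTP port
      if (method in ok) next
      # An unusual method answered with 2xx/3xx was processed, not refused.
      verdict = (status ~ /^[23]/) ? "ACCEPTED" : "rejected"
      count[verdict " " ip " " method " " path " " status]++
    }
    END { for (k in count) print count[k], k }
  ' "${1:--}" | sort -k2,2 -k1,1nr
}

# Stand-alone run against the constructed sample.
sample_log | triage_methods
```

ACCEPTED rows sort first because they are the ones to check against what the application is supposed to allow; the same "When not to use it" caution applies to them.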
Next steps
Related commands
Find Common Admin Probe Paths
A site does not need WordPress to receive WordPress-looking probes.
awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
Count the Most Common User Agents
A strange traffic spike often has a strange user agent.
awk -F'"' '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
Find the IPs Creating the Most 4xx Noise
One address can turn a normal access log into a wall of failed requests.
awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' ./fixtures/nginx/access.log | sort -nr | head
Find Clients Repeating the Same Path
The suspicious pattern is sometimes one client hammering one URL.
awk '{key=$1 " " $7; count[key]++} END {for (k in count) if (count[k] >= 5) print count[k], k}' ./fixtures/nginx/access.log | sort -nr | head
Find Paths Repeatedly Returning 404
One missing URL is normal. A repeated missing URL is a signal.
awk '$9==404 {count[$7]++} END {for (path in count) if (count[path] >= 3) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.