With Optional Filters for Time & URI
This guide shows how to analyze compressed domain log files on a cPanel server to find which IPs are accessing a domain the most. It also includes ways to filter results by date/time or requested URL path.
Prerequisites
- SSH access to the server
- Log files stored under /home/username/logs/
- Replace:
  - username with the actual cPanel user
  - example.com with the actual domain
Basic IP Count (Top 20)
zcat /home/username/logs/example.com-ssl_log-Jun-2025.gz | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
Filter by Time or Date
To view top IPs within a certain time range, filter log lines that contain a specific time string, e.g. 12/Jul/2025:14 (which means July 12th at 2 PM):
zcat /home/username/logs/example.com-ssl_log-Jul-2025.gz | grep '12/Jul/2025:14' | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
You can use a broader date match like just 12/Jul/2025 to get all requests from that day.
Filter by Requested URL
To find the top IPs that accessed a specific path (e.g., /wp-login.php):
zcat /home/username/logs/example.com-ssl_log-Jul-2025.gz | grep 'GET /wp-login.php' | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
Or for POST requests to the same path:
zcat /home/username/logs/example.com-ssl_log-Jul-2025.gz | grep 'POST /wp-login.php' | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
Advanced: Combine Time + URL Filter
To find IPs that accessed /wp-login.php on July 12, 2025, at 2 PM:
zcat /home/username/logs/example.com-ssl_log-Jul-2025.gz | grep '12/Jul/2025:14' | grep '/wp-login.php' | awk '{print $1}' | sort | uniq -c | sort -nr | head -20
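The grep filters above match anywhere in the line, so a time string or path that only appears in a query string or Referer header is counted too. The following added example (not part of the original guide) matches on the timestamp and request fields only and adds a per-IP count of 4xx/5xx responses. It assumes the Apache combined log format; top_ips and make_sample_log are hypothetical names, and the sample log lines are constructed.

```bash
# top_ips LOG.gz [TIME_PREFIX] [METHOD] [PATH]
#   TIME_PREFIX is compared with the timestamp field only, e.g. 12/Jul/2025:14
#   METHOD and PATH are compared with the request line only (query string ignored)
#   An empty argument disables that filter.
top_ips() {
  zcat "$1" | awk -v t="${2:-}" -v m="${3:-}" -v p="${4:-}" '
    {
      ts = substr($4, 2)              # $4 looks like [12/Jul/2025:14:03:11
      method = substr($6, 2)          # $6 looks like "POST
      path = $7; sub(/\?.*/, "", path)
      if (t != "" && index(ts, t) != 1) next   # time must be a prefix of the timestamp
      if (m != "" && method != m) next
      if (p != "" && path != p) next
      hits[$1]++
      if ($9 ~ /^[45]/) errs[$1]++    # $9 is the HTTP status code
    }
    END { for (ip in hits) printf "%d %s errors=%d\n", hits[ip], ip, errs[ip] }
  ' | sort -k1,1nr -k2,2 | head -20
}

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
# Line 4 has the path only in the Referer, line 5 has the time string only in the URL.
make_sample_log() {
  gzip -c > "$1" <<'EOF'
198.51.100.22 - - [12/Jul/2025:14:03:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "curl/8.0"
198.51.100.22 - - [12/Jul/2025:14:03:12 +0000] "POST /wp-login.php HTTP/1.1" 403 512 "-" "curl/8.0"
203.0.113.7 - - [12/Jul/2025:14:10:00 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2025:15:00:00 +0000] "GET /about HTTP/1.1" 200 900 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [13/Jul/2025:09:00:00 +0000] "GET /?d=12/Jul/2025:14 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Usage on a real log:
#   top_ips /home/username/logs/example.com-ssl_log-Jul-2025.gz '12/Jul/2025:14' POST /wp-login.php
```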
Tips
- To inspect full lines after identifying a suspicious IP:
zcat /home/username/logs/example.com-ssl_log-Jul-2025.gz | grep '198.51.100.22'
- Use less or grep -i for easier viewing or case-insensitive search.
