How to Read and Analyze Server Log IP Addresses

Server logs are a goldmine of security intelligence — but only if you know how to read them. Every access to your web server, every failed login attempt, every file request gets recorded with an IP address, timestamp, and request details. Here’s how to extract meaningful security insight from raw IP data in your server logs.

Where to Find IP Addresses in Common Log Formats

Apache / Nginx Access Logs

The default Combined Log Format looks like this (the referrer and user-agent fields that Combined appends after the byte count are omitted here):

198.51.100.42 - - [03/Apr/2026:14:22:10 +0000] "GET /wp-admin/login.php HTTP/1.1" 404 512

The IP address is always the first field. The request path, HTTP method, response code, and bytes transferred follow. In this example, someone is probing for a WordPress admin login page on a site that may not even run WordPress — a common automated scan.

Authentication Logs (Linux)

On Linux systems, /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS) records SSH login attempts including the source IP:

Apr 3 14:22:10 server sshd[12345]: Failed password for root from 198.51.100.42 port 54321 ssh2

Repeated failures from the same IP in a short window are the signature of a brute-force SSH attempt.
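The check described above, as an added example (not code from the article): it parses the sshd "Failed password" lines, keeps a per-IP sliding window of failure timestamps, and flags any IP that reaches an assumed threshold of 5 failures within 60 seconds. The log excerpt is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not from a real host): one IP hammering root, one genuine typo.
SAMPLE_AUTH = """\
Apr  3 14:22:10 server sshd[12345]: Failed password for root from 198.51.100.42 port 54321 ssh2
Apr  3 14:22:12 server sshd[12346]: Failed password for root from 198.51.100.42 port 54322 ssh2
Apr  3 14:22:13 server sshd[12347]: Failed password for invalid user admin from 198.51.100.42 port 54323 ssh2
Apr  3 14:22:15 server sshd[12348]: Failed password for root from 198.51.100.42 port 54324 ssh2
Apr  3 14:22:40 server sshd[12350]: Failed password for alice from 203.0.113.7 port 50110 ssh2
Apr  3 14:22:49 server sshd[12349]: Failed password for root from 198.51.100.42 port 54325 ssh2
Apr  3 14:22:55 server sshd[12351]: Accepted password for alice from 203.0.113.7 port 50110 ssh2
"""

FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)

def parse_failed(line):
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")  # syslog has no year
    return ts, m.group("ip"), m.group("user")

def brute_force_sources(log_text, threshold=5, window_s=60):
    """IPs with >= threshold failed SSH logins inside any window_s-second span (assumed threshold)."""
    recent = defaultdict(deque)        # ip -> timestamps of failures still inside the window
    users = defaultdict(set)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_failed(line)
        if rec is None:                # 'Accepted password' and other lines are not failures
            continue
        ts, ip, user = rec
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_seen": q[0], "usernames": sorted(users[ip])}
    return flagged
```

The usernames tried are kept because a scanner cycling through root, admin and similar accounts is easier to tell apart from a legitimate user mistyping one password.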

Key Patterns to Look For

High Request Volume from a Single IP

Legitimate users don’t make hundreds of requests per minute. Use this command to find the top IPs by request count in an Apache/Nginx log:

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20

IPs with abnormally high counts may be scrapers, vulnerability scanners, or the beginning of a DDoS.

Probing for Common Vulnerability Paths

Watch for requests to paths like /wp-admin/, /phpmyadmin/, /.env, /xmlrpc.php, and /admin/config.php. These are automated scanner fingerprints — the IP is running a tool that tests for known vulnerable endpoints regardless of whether your server actually runs those applications.

4xx Error Storms from a Single IP

A flood of 404 (not found) or 403 (forbidden) responses to sequential paths is a signature of directory enumeration — the IP is trying to discover hidden files, admin panels, or configuration files.
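The three patterns above (request volume, scanner-path probes, 4xx storms) implemented over Combined Log Format lines, as an added example that is not part of the article: the parser, the scanner-path list taken from the text, and the thresholds (100 requests as the volume cut-off, 75% 4xx over at least three requests for a storm) are assumptions, and the log sample is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Combined Log Format (not real traffic): a scanner, then a normal visitor.
SAMPLE_LOG = """\
198.51.100.42 - - [03/Apr/2026:14:22:10 +0000] "GET /wp-admin/login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.42 - - [03/Apr/2026:14:22:11 +0000] "GET /.env HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.42 - - [03/Apr/2026:14:22:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.42 - - [03/Apr/2026:14:22:12 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.7 - - [03/Apr/2026:14:22:30 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:14:22:31 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# First field is the client IP; the quoted request line holds method and path; the status follows it.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Paths the article lists as automated-scanner fingerprints.
SCANNER_PATHS = ("/wp-admin/", "/phpmyadmin/", "/.env", "/xmlrpc.php", "/admin/config.php")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, volume_threshold=100, error_ratio=0.75):
    """Per-IP request count, scanner-path hits and share of 4xx responses, with flags."""
    requests, errors, probes = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip lines that do not parse rather than guess at them
            continue
        ip = rec["ip"]
        requests[ip] += 1
        if rec["status"].startswith("4"):
            errors[ip] += 1
        if any(rec["path"].startswith(p) for p in SCANNER_PATHS):
            probes[ip].add(rec["path"])
    findings = {}
    for ip, n in requests.items():
        flags = []
        if n >= volume_threshold:
            flags.append("high-volume")
        if probes[ip]:
            flags.append("scanner-paths")
        if n >= 3 and errors[ip] / n >= error_ratio:   # mostly 4xx over several requests
            flags.append("4xx-storm")
        findings[ip] = {"requests": n, "errors": errors[ip], "probes": sorted(probes[ip]), "flags": flags}
    return findings
```

Reading a real file is a matter of passing open("/var/log/nginx/access.log").read() instead of the sample; the flags are a triage aid and a flagged IP should still be investigated before it is blocked.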

Successful Logins from Unusual Locations

If your CMS, server panel, or application logs successful authentications, verify that the source IPs match expected locations. A successful admin login from a country you’ve never operated in is a serious incident.

Investigating Suspicious IPs

Once you’ve identified a suspicious IP, investigate before blocking. The IP & Location Checker gives you a full intelligence report on any IP — network type, geolocation, and security risk indicators — so you can distinguish between a known malicious scanner, a misconfigured legitimate crawler, and a compromised residential device.

Also check AbuseIPDB.com to see if others have reported the same IP for similar activity. If it has hundreds of abuse reports, you’re dealing with a known threat actor and can block with confidence.

Automating Log Analysis

Manual log review doesn’t scale. Consider:

  • Fail2Ban — Automatically bans IPs that exceed configurable thresholds for failed authentications or error rates. Free and widely deployed on Linux servers.
  • GoAccess — A real-time log analyzer that parses access logs and produces visual dashboards showing top IPs, request paths, and response codes.
  • A WAF (Web Application Firewall) — Services like Cloudflare’s free tier or AWS WAF can automatically identify and block common attack patterns before requests reach your server logs at all.

Documenting and Reporting Abuse

If you’re seeing coordinated attack traffic, report it. Export log entries for the offending IP (including timestamps in UTC, your server’s IP, and the request details), then submit a report to AbuseIPDB and to the abuse contact in the IP’s WHOIS record. Systematic reporting improves threat intelligence for the entire community and sometimes results in ISPs taking action against compromised customer devices.

CISA’s logging guidance recommends that all organizations maintain comprehensive access logs as a foundational security practice — because logs are often the only record of how a breach occurred and what data was accessed.

Frequently Asked Questions

Where are server access logs stored and how do I access them?

On Apache servers, logs are typically at /var/log/apache2/access.log (Ubuntu/Debian) or /var/log/httpd/access_log (CentOS/RHEL). Nginx logs are usually at /var/log/nginx/access.log. For shared hosting, check your hosting control panel’s “Logs” or “Metrics” section. WordPress-specific activity can be monitored through plugins like Wordfence or WP Activity Log.

What does a normal IP traffic pattern look like versus a suspicious one?

Normal patterns show varied IPs, reasonable request rates, mostly 200/301 status codes, and requests for valid paths. Suspicious patterns include: a single IP making hundreds of requests per minute, repeated 404 errors suggesting path scanning, sequences of requests testing common admin URL paths (/wp-admin, /phpmyadmin), or login attempts from IPs in unexpected countries.

How many requests from one IP address in a short period is considered suspicious?

There’s no universal threshold, but as a rule of thumb: more than 100 requests per minute from a single IP with no session context (i.e., not a logged-in user) warrants investigation. For login page requests, anything more than 5–10 attempts per minute suggests a brute-force attempt and should trigger rate limiting or blocking.

What should I do if I find a malicious IP in my server logs?

First, block the IP in your firewall or security plugin. Second, check what the IP accessed — look for successful requests (200 status) to sensitive paths. Third, report the IP to AbuseIPDB to help protect other server operators. Fourth, if there’s evidence of successful intrusion, escalate to a full security audit rather than just blocking the IP.

What free tools can help automate server log IP analysis?

GoAccess is a fast, real-time web log analyzer that runs in your terminal. Fail2ban automatically bans IPs that show malicious patterns in logs. AWStats and Webalizer produce visual reports from Apache/Nginx logs. For WordPress specifically, Wordfence includes a live traffic view that flags suspicious IPs in real time.


About This Article
Written and reviewed by the Sites Security Services editorial team. Our content is researched using AI-assisted tools and reviewed for accuracy before publication. We are committed to practical, jargon-free cybersecurity guidance for everyday internet users — with no products to sell and no data stored after your session.