How do you check the log?

The other day I logged in to my Linode dashboard to see some spikes.

~~![](https://dl.dropboxusercontent.com/u/71705548/log.PNG)

And I have no clue what's going on (or what happened 10 hours back?).

All you sys-admins & experts, how does your curious mind get the answers?

* How do you check the log? Not real-time monitoring, but checking past events.
* What stats/log app do you use on your bare-bones Linode? (AWStats, Webalizer, etc.?)
* How to find currently online visitors in real time? (Is there a way in phpMyAdmin -> Status -> server?)
* What are the best practices to be informed?

I'm sorry, but whatever I learned is via a crude way (not from experts/books etc.)

Thank you, Linode community is awesome!~~

4 Replies

any guidance, people?

Thank you.

If you're hosting a website, you can check your web server software's access log and error log to see where all the traffic came from and which page(s) they visited. Each entry has a timestamp at the beginning, so it shouldn't be difficult to find entries from a specific time period. It's most likely a search engine that just began to index your website, or a link or hotlink from a popular website like reddit and slashdot.

The location of the logs depends on your distribution and the type of your web server software. In Ubuntu and Debian, look inside /var/log/apache2 for Apache logs, or /var/log/nginx for nginx logs. If the log files are huge, you can use commands like "less" and "more" to scroll through them, "head" and "tail" to pull out a specific number of lines, or "grep" to find entries that match a pattern.

IMO AWStats and Webalizer are both outdated, although some people still use them. A lot of webmasters nowadays outsource visitor statistics to a third party such as Google Analytics. But if the traffic was caused by a search engine, it might not appear in Google Analytics.

My Apache server is configured to host multiple domains, aka Virtual Hosts. In that case, I found the access logs I was interested in, for example.com, at this path instead:

/var/www/html/example.com/logs/access.log

Complicated issue and not something that can be solved in a single forum post.

The spike in the dashboard metrics could be the result of any number of things (and combinations). For example, someone is brute-forcing a public service (ssh, http, pop3, imap, so on and so forth). Other times it could be a badly configured script on your part that has finally given up the ghost. It could also be a spam attack, trying to force-feed your SMTP with spam or some kind of new virus attachment. The most obvious is usually someone hitting a WordPress site, trying to register an account, log in as admin, or trying to post spam comments. Take your pick…

You could look around the logs from every single daemon running on the server to try and pinpoint the exact place in time that caused the spike. Maybe you'll get lucky and it's something obvious, like a WordPress attack. You should also consider reading about server security and hardening the server, like removing unused things (if you don't use imap, then there is no need for it to be online and accessible) and installing various tools like fail2ban, mod_evasive, etc.

Regarding monitoring a server, that is another issue entirely. If you are serious about it, you'd have something like icinga2 or another similar monitoring system, which could alert you about just about anything that happens on the server.

Good luck :)
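An added example, not written by any of the posters above: one way to do the after-the-fact check the replies describe, by bucketing a web server access log per hour, picking the busiest hour, and ranking the client IPs and requests inside it. It assumes the Apache/nginx "combined" log format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^"\s]+)[^"]*" (?P<status>\d{3}) '
)

def parse(lines):
    """Yield (hour, ip, request) per well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed entries are common; do not let them abort the run
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # timestamp present but not in the expected layout
        hour = ts.replace(minute=0, second=0)
        yield hour, m["ip"], f'{m["method"]} {m["path"]}'

def summarize_spike(lines, top=3):
    """Find the busiest hour, then rank clients and requests inside it."""
    entries = list(parse(lines))
    if not entries:
        return None
    peak, hits = Counter(e[0] for e in entries).most_common(1)[0]
    in_peak = [e for e in entries if e[0] == peak]
    return {
        "peak_hour": peak.strftime("%Y-%m-%d %H:00 %z"),
        "hits": hits,
        "top_ips": Counter(e[1] for e in in_peak).most_common(top),
        "top_requests": Counter(e[2] for e in in_peak).most_common(top),
    }

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2016:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Mar/2016:14:02:11 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line',
] + [
    '203.0.113.9 - - [12/Mar/2016:14:%02d:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "-"' % m
    for m in range(5, 11)  # six login POSTs within six minutes
]

if __name__ == "__main__":
    print(summarize_spike(SAMPLE))
```

To run it against a real log, pass an open file instead of `SAMPLE`, for example `summarize_spike(open("/var/www/html/example.com/logs/access.log"))` with the virtual-host path mentioned above.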
