In this article I'm going to teach you how you can use the server status feature of WHM (Web Host Manager) from the command line on your VPS (Virtual Private Server) or dedicated server in order to review recent website requests that Apache is handling.

If you've happened to have read my previous articles on either advanced server load monitoring, or how to setup a server load monitoring script to alert you via email when your server's load is high. Then you might be curious about the current website requests that are happening on your server, as more than likely those requests could be leading to your server's load average spiking.

I already covered in my article on how to determine cause of server usage spike tracking down Apache requests from a time period when your server's load average was spiking in the past. Now I'll be covering how you can view the most recent website requests, so that you can investigate a live load issue on your server.

In order to follow along with these steps you'd need to have either a VPS or dedicated server, that way you can access the server via SSH to run the commands we'll go over.

View Apache requests with whm-server-status

Following the steps below you'll be able to view the active website requests that Apache is handling on your server. This will allow you to hopefully pinpoint resource intensive portions of your site that could be leading to your server's load average spiking.

  1. Login to your server via SSH.
  2. Run the following command to see what domain currently has the most requests going to it:

    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | awk '{print $12}' | sort | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status Run the text based lynx web browser with the -dump flag and set the --width to 500 on the localhost/whm-server-status URL which gives back the Apache requests.
    egrep "GET|POST" Use the egrep command to only show either GET or POST requests, as otherwise you would also get back some NULL requests as well.
    awk '{print $12}' Use the awk command to only print out the $12th column of data which is the domain name in the request.
    sort | uniq -c | sort -n Sort the domain names, uniquely count them, and then sort them numerically from lowest to highest.

    You should get back something like this:

    12 test.example.com
    16 wordpress.example.com
    345 example.com

    In this case we can see that the example.com site is getting by far the most requests.

  3. You can now adjust the previous command to view the requests for the one example.com domain that was getting the highest amount of requests:

    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | grep example.com | awk '{print $14}' | sort | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status Run the text based lynx web browser with the -dump flag and set the --width to 500 on the localhost/whm-server-status URL which gives back the Apache requests.
    egrep "GET|POST" Use the egrep command to only show either GET or POST requests, as otherwise you would also get back some NULL requests as well.
    grep example.com | awk '{print $14}' Use the grep command to only show requests from the example.com domain. Then use the awk command to print out the $14th column which is the actual file being requested.
    sort | uniq -c | sort -n Sort the requests, uniquely count them, and then sort them numerically from lowest to highest.

    You should get back something along theese lines:

    15 /index.php
    25 /blog/index.php
    305 /blog/wp-comments-post.php

    So here we can see that the URL /blog/wp-comments-post.php is getting slammed with traffic.

  4. Finally we can look for the IP addresses hitting the /blog/wp-comments-post.php script to see if the activity is malicious in nature:

    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | grep example.com | grep wp-comments-post.php | awk '{print $11}' | sort -n | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status Run the text based lynx web browser with the -dump flag and set the --width to 500 on the localhost/whm-server-status URL which gives back the Apache requests.
    egrep "GET|POST" Use the egrep command to only show either GET or POST requests, as otherwise you would also get back some NULL requests as well.
    grep example.com | grep wp-comments-post.php Use the grep command to only show requests from the example.com domain. Then use the grep command again to only look for requests of the wp-comments-post.php script.
    awk '{print $11}' Use the awk command to only print out the $11th column of data which is the IP address of the requests.
    sort -n | uniq -c | sort -n Finally sort the IP addresses numerically, uniquely count them, then sort them again numerical from lowest to highest amount of reqeusts..

    You should get back something along theese lines:

    1 123.123.123.124 304 123.123.123.123

    In this case we can tell that the IP address 123.123.123.123 was responsible for just about every single one of the 305 requests to wp-comments-post.php.

  5. If you wanted to block that IP address from being able to access your server any longer, you can do this by blocking them at your server's firewall with the following command:

    apf -d 123.123.123.123 "Spamming example.com/blog/wp-comments-post.php"

You should now know how to investigate the current Apache requests that are happening on your server using the whm-server-status feature of WHM.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address
Name

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Like this Article?

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

0 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!