Review recent website requests

In this article I’m going to teach you how you can use the server status feature of WHM (Web Host Manager) from the command line on your VPS (Virtual Private Server) or dedicated server in order to review recent website requests that Apache is handling.

If you’ve read my previous articles on advanced server load monitoring, or on how to set up a server load monitoring script to alert you via email when your server’s load is high, then you might be curious about the website requests currently happening on your server, since those requests could well be what is leading to your server’s load average spiking.

In my article on how to determine the cause of a server usage spike, I already covered tracking down Apache requests from a past period when your server’s load average was spiking. Now I’ll cover how you can view the most recent website requests, so that you can investigate a live load issue on your server.

In order to follow along with these steps you need either a VPS or a dedicated server, so that you can access the server via SSH to run the commands we’ll go over.

View Apache requests with whm-server-status

Following the steps below you’ll be able to view the active website requests that Apache is handling on your server. This will allow you to hopefully pinpoint resource intensive portions of your site that could be leading to your server’s load average spiking.

  1. Login to your server via SSH.
  2. Run the following command to see what domain currently has the most requests going to it:
    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | awk '{print $12}' |
    sort | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status
        Run the text-based lynx web browser with the -dump flag and the --width set to 500 on the localhost/whm-server-status URL, which returns the Apache requests.
    egrep "GET|POST"
        Use the egrep command to show only GET or POST requests, as otherwise you would also get back some NULL requests.
    awk '{print $12}'
        Use the awk command to print only the 12th column ($12), which is the domain name in the request.
    sort | uniq -c | sort -n
        Sort the domain names, count each unique one, and then sort them numerically from lowest to highest.

    You should get back something like this:
    12 test.example.com
    16 wordpress.example.com
    345 example.com

    In this case we can see that the example.com site is getting by far the most requests.

  3. You can now adjust the previous command to view the requests for the one example.com domain that was getting the highest amount of requests:
    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | grep example.com |
    awk '{print $14}' | sort | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status
        Run the text-based lynx web browser with the -dump flag and the --width set to 500 on the localhost/whm-server-status URL, which returns the Apache requests.
    egrep "GET|POST"
        Use the egrep command to show only GET or POST requests, as otherwise you would also get back some NULL requests.
    grep example.com | awk '{print $14}'
        Use the grep command to show only requests for the example.com domain. Then use the awk command to print the 14th column ($14), which is the actual file being requested.
    sort | uniq -c | sort -n
        Sort the requests, count each unique one, and then sort them numerically from lowest to highest.

    You should get back something along these lines:
    15 /index.php
    25 /blog/index.php
    305 /blog/wp-comments-post.php

    So here we can see that the URL /blog/wp-comments-post.php is getting slammed with traffic.

  4. Finally we can look for the IP addresses hitting the /blog/wp-comments-post.php script to see if the activity is malicious in nature:
    lynx -dump --width=500 localhost/whm-server-status | egrep "GET|POST" | grep example.com |
    grep wp-comments-post.php | awk '{print $11}' | sort -n | uniq -c | sort -n

    Code breakdown:

    lynx -dump --width=500 localhost/whm-server-status
        Run the text-based lynx web browser with the -dump flag and the --width set to 500 on the localhost/whm-server-status URL, which returns the Apache requests.
    egrep "GET|POST"
        Use the egrep command to show only GET or POST requests, as otherwise you would also get back some NULL requests.
    grep example.com | grep wp-comments-post.php
        Use the grep command to show only requests for the example.com domain. Then use the grep command again to keep only requests for the wp-comments-post.php script.
    awk '{print $11}'
        Use the awk command to print only the 11th column ($11), which is the IP address making the request.
    sort -n | uniq -c | sort -n
        Finally, sort the IP addresses numerically, count each unique one, then sort them again numerically from the lowest to the highest number of requests.

    You should get back something along these lines:
    1 123.123.123.124
    304 123.123.123.123

    In this case we can tell that the IP address 123.123.123.123 was responsible for just about every single one of the 305 requests to wp-comments-post.php.

  5. If you wanted to block that IP address from being able to access your server any longer, you can do this by blocking them at your server’s firewall with the following command:
    apf -d 123.123.123.123 "Spamming example.com/blog/wp-comments-post.php"
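
The drill-down from steps 2 to 4 as one script, added here as an example and not part of the original article: it works on a single saved snapshot so all three counts describe the same moment, and it matches the vhost and path exactly, since grep example.com also matches test.example.com. The function names, the minimum-count argument, the sample rows and the reading of column 13 as the request method are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's code: drill down through ONE saved snapshot.
# Live use: lynx -dump --width=500 localhost/whm-server-status > snap.txt; sh drill.sh snap.txt
# Columns as in the article: $11 client IP, $12 vhost, $14 path; $13 = method (assumed).

# Constructed sample rows in the layout of the lynx dump; not real traffic.
sample_snapshot() {
cat <<'EOF'
0-0 1201 0/3/41 W 0.10 0 0 0.0 0.01 1.20 123.123.123.123 example.com POST /blog/wp-comments-post.php HTTP/1.1
1-0 1202 0/2/38 W 0.08 0 0 0.0 0.01 1.10 123.123.123.123 example.com POST /blog/wp-comments-post.php HTTP/1.1
2-0 1203 0/5/52 W 0.12 1 0 0.0 0.02 1.40 123.123.123.123 example.com POST /blog/wp-comments-post.php HTTP/1.1
3-0 1204 0/1/29 W 0.05 0 0 0.0 0.00 0.90 123.123.123.123 example.com POST /blog/wp-comments-post.php HTTP/1.1
4-0 1205 0/4/33 W 0.07 2 0 0.0 0.01 1.00 123.123.123.124 example.com POST /blog/wp-comments-post.php HTTP/1.1
5-0 1206 0/2/17 K 0.03 3 1 0.4 0.01 0.60 198.51.100.7 example.com GET /index.php HTTP/1.1
6-0 1207 0/1/12 K 0.02 4 2 0.2 0.00 0.40 198.51.100.9 test.example.com GET /blog/wp-comments-post.php HTTP/1.1
7-0 1208 0/0/9 _ 0.01 9 0 0.0 0.00 0.30 127.0.0.1 example.com NULL
EOF
}

# Keep only rows whose request method is GET or POST (drops NULL rows).
live_requests() { awk '$13 == "GET" || $13 == "POST"'; }

# Count the values of column $1, lowest to highest, as the article does.
count_col() { awk -v c="$1" '{print $c}' | sort | uniq -c | sort -n; }

# Most frequent value of column $1.
top_col() { count_col "$1" | tail -n 1 | awk '{print $2}'; }

# Busiest vhost -> busiest path on it -> clients with at least $2 requests.
drill_down() {
  f=$1; min=${2:-10}
  vhost=$(live_requests < "$f" | top_col 12)
  uri=$(live_requests < "$f" | awk -v v="$vhost" '$12 == v' | top_col 14)
  live_requests < "$f" |
    awk -v v="$vhost" -v u="$uri" '$12 == v && $14 == u' | count_col 11 |
    awk -v m="$min" -v v="$vhost" -v u="$uri" '$1 >= m {print $2, $1, v u}'
}

# With no file argument, fall back to the constructed sample above.
snap=${1:-}
if [ -z "$snap" ]; then snap=$(mktemp); trap 'rm -f "$snap"' EXIT; sample_snapshot > "$snap"; fi
drill_down "$snap" 3   # prints: 123.123.123.123 4 example.com/blog/wp-comments-post.php
```

Each output line is a client IP, its request count, and the vhost and path it was hitting; review that line before deciding whether the address belongs in the firewall deny list.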

You should now know how to investigate the current Apache requests that are happening on your server using the whm-server-status feature of WHM.

InMotion Hosting Contributor