Linux / Unix logtop: Realtime Log Line Rate Analyser

How can I analyze line rate taking log file as input on a Linux system? How do I find the IP flooding my Apache/Nginx/Lighttpd web-server on a Debian or Ubuntu Linux?

Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements None
Est. reading time N/A
[/donotprint]You need to use a tool called logtop. It is a system administrator tool to analyze line rate taking log file as input. It reads on stdin and print a constantly updated result displaying, in columns in the following format:

Line number, count, frequency, and the actual line

How do install logtop on a Debian or Ubuntu based system?

Simply type the following apt-get command:
$ sudo apt-get install logtop
Sample outputs:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 15.7 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 precise/universe logtop amd64 0.3-1 [15.7 kB]
Fetched 15.7 kB in 0s (0 B/s)
Selecting previously unselected package logtop.
(Reading database ... 114954 files and directories currently installed.)
Unpacking logtop (from .../logtop_0.3-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up logtop (0.3-1) ...


The syntax is as follows:

logtop [OPTIONS] [FILE]
command | logtop
command1 | filter | logtop
command1 | filter | logtop [options] [file]


Here are some common examples of logtop.

Show the IP address flooding your LAMP server

Type the following command:

tail -f www.cyberciti.biz_access.log | cut -d' ' -f1 | logtop

Sample outputs:

Fig.01: logtop command in action

Fig.01: logtop command in action

See squid cache HIT and MISS log

tail -f cache.log | grep -o "HIT\|MISS" | logtop

To see realtime hit / miss ratio on some caching software log file, enter:
tail -f access.log | cut -d' ' -f1 | logtop -s 20000
The -s option set logtop to work with the maximum of K lines instead of 10000.

See also

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 6 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
6 comments… add one
  • Charles Jul 22, 2014 @ 17:24

    This looks really cool, possibly invaluable during a DoS attack.

    Any chance there’s instructions on how to install on FreeBSD? logtop is not in the ports collection :(

  • John Jul 22, 2014 @ 18:38

    Agreed. Good tool to find out during a DoS attack. Download it from git repo and may be compile from source? ?

  • Rabin Jul 23, 2014 @ 7:48

    how is this diffrent then just using `sort | uniq -c`

    • Yordan Georgiev Jul 27, 2014 @ 6:16

      *** how is this different than just using `sort | uniq -c`
      sudo cat /var/log/httpd/access_log | cut -d’ ‘ -f1 | logtop
      2453 lines, 2453.00 lines/s
      1 1213 1213.00
      2 201 201.00
      3 157 157.00 ::1
      4 105 105.00
      5 83 83.00
      6 77 77.00
      7 40 40.00
      8 37 37.00
      9 37 37.00
      10 27 27.00

  • Marco Jul 23, 2014 @ 8:18

    Here is my guide to install it on CentOS 7 (should also apply to RHEL 7)

  • mauron85 Aug 11, 2014 @ 20:58

    I believe that difference is that it works incrementaly. With uniq sort combo you have to proces whole log again. With this only inctlrements thanks to tail.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum