Overview
When managing a cPanel server, it's crucial to know which of your hosted domains are receiving the most attention from potential attackers. ModSecurity, the web application firewall, logs every security event. By analyzing these logs, you can generate a summary that shows which domain names are triggering security rules most frequently.
This guide provides a powerful one-line command to parse your ModSecurity audit logs over the last seven days and generate a ranked list of the most targeted domains.
Prerequisites
- Root SSH Access: You must have root-level access to your cPanel server via SSH.
- ModSecurity Enabled: This guide assumes ModSecurity is installed and active, which is standard on cPanel servers with Imunify360.
Step 1: Locate Your ModSecurity Log File (If Necessary)
The command below assumes your ModSecurity audit log is located at /var/log/apache2/modsec_audit.log. This is a common path on servers using EasyApache 4. To confirm the correct path on your server, you can search the Apache configuration for the SecAuditLog directive:
grep -r "SecAuditLog" /etc/apache2/
The output will show you the exact path where your audit logs are stored. If your path is different, be sure to use it in the main command in the next step.
Step 2: Run the Command
This command aggregates and counts the number of ModSecurity events per domain over the last seven days. It is designed to handle the multi-line format of the logs and can read both current and compressed (rotated) log files.
Important: You must manually update the date pattern inside the awk command to reflect the last seven days from when you run it.
Copy and paste the entire command into your SSH terminal and press Enter.
zcat -f /var/log/apache2/modsec_audit.log* | awk '/((06|05|04|03|02|01)\/Jun\/2025|31\/May\/2025)/{f=1} f&&/Host:/{print $2;f=0} /Z--/{f=0}' | sort | uniq -c | sort -nr
Step 3: Analyze the Output
The command will produce a list of domains, sorted with the highest number of security events at the top. The number on the left is the total event count for that domain over the last seven days. Keep in mind that the Host: value is whatever the client sent in its request, so the list can also contain IP addresses or hostnames that do not belong to any account on the server.
Sample Output
99812 example.com
9786 www.example.org
8139 example.uk
7719 example.net
7646 subdomain.example.com
7058 subdomain.example.org
...
How the Command Works
This may look complex, but it's a pipeline of several simple, powerful tools working together. Here is a breakdown of each part:
Part 1: Reading the Logs
zcat -f /var/log/apache2/modsec_audit.log* | ...
- zcat -f: Reads all files matching the pattern and outputs them as a single continuous stream. The -f option makes zcat pass uncompressed files through unchanged, so the live log and the compressed (.gz) rotated archives are read together. This is essential for searching through log archives.
Part 2: The awk Magic (Parsing and Filtering)
... | awk '/((DD|DD|...)\/Mon\/YYYY|...)/{f=1} f&&/Host:/{print $2;f=0} /Z--/{f=0}' | ...
- This is the core of the solution. awk processes the log stream event by event, even though each event spans multiple lines.
- The date pattern '/((...))/' is where the filtering happens. You must edit this part. For example, to search for events from June 1st to June 6th, the pattern would be '/((06|05|04|03|02|01)\/Jun\/2025)/'.
- {f=1}: If a line matches the date pattern, awk sets a flag (f=1). This means "we are now inside a relevant log event."
- f&&/Host:/ {print $2; f=0}: If the flag is set (f=1) and the current line contains Host:, it prints the second word on that line (the domain name) and resets the flag (f=0) so it doesn't pick up another domain from the same event.
- /Z--/ {f=0}: When awk sees the end-of-event marker, it resets the flag as a failsafe.
Part 3: Counting and Sorting
... | sort | uniq -c | sort -nr
- sort: Sorts the list of domain names that awk produced.
- uniq -c: Collapses the sorted list, counting the occurrences of each unique domain name.
- sort -nr: Sorts the final counted list numerically (-n) and in reverse (-r) order, putting the highest counts at the top.
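As an added example (not part of the original guide), the script below removes the manual date-editing step from Step 2 by generating the seven-day pattern with GNU date, and runs the same awk/sort/uniq pipeline over a constructed sample of audit-log events so the filtering can be checked before pointing it at the real logs. The function names, the sample events and the fixed two-day window used at the bottom are assumptions made for this example.

```shell
# Added example, not from the original guide: build the seven-day date pattern
# automatically and run the guide's awk/sort/uniq logic over a constructed
# sample of ModSecurity audit-log events. Assumes GNU date (cPanel's base OS).
last7_pattern() {
  pat=""
  for i in 0 1 2 3 4 5 6; do   # today and the six days before it
    pat="${pat}${pat:+|}$(date -d "-${i} days" +%d/%b/%Y)"
  done
  printf '%s\n' "$pat"
}

# The guide's pipeline with the date pattern passed in and the log read from
# stdin; a dynamic regex needs no escaped slashes, unlike the /.../ literal.
# Real use: zcat -f /var/log/apache2/modsec_audit.log* | count_by_host "$(last7_pattern)"
count_by_host() {
  awk -v pat="$1" '$0 ~ pat {f=1} f && /Host:/ {print $2; f=0} /Z--/ {f=0}' \
    | sort | uniq -c | sort -nr
}

# Constructed sample: three events in the window and one older event that the
# date filter must skip. Each event has an A (timestamp), B (request) and Z part.
SAMPLE_LOG=$(cat <<'EOF'
--a1b2c3d4-A--
[06/Jun/2025:10:15:01 +0000] ZkXyAbCdEfGh 203.0.113.5 51234 198.51.100.7 80
--a1b2c3d4-B--
Host: example.com
--a1b2c3d4-Z--
--a1b2c3d5-A--
[06/Jun/2025:10:16:44 +0000] ZkXyAbCdEfGi 203.0.113.9 51300 198.51.100.7 80
--a1b2c3d5-B--
Host: example.com
--a1b2c3d5-Z--
--a1b2c3d6-A--
[05/Jun/2025:23:59:59 +0000] ZkXyAbCdEfGj 203.0.113.2 40000 198.51.100.7 80
--a1b2c3d6-B--
Host: www.example.org
--a1b2c3d6-Z--
--a1b2c3d7-A--
[20/May/2025:01:02:03 +0000] ZkXyAbCdEfGk 203.0.113.2 40001 198.51.100.7 80
--a1b2c3d7-B--
Host: old.example.net
--a1b2c3d7-Z--
EOF
)

# Fixed window so the result is reproducible: 2 example.com, 1 www.example.org
printf '%s\n' "$SAMPLE_LOG" | count_by_host "06/Jun/2025|05/Jun/2025"
```

Replace the fixed window with "$(last7_pattern)" and the sample with the zcat stream from Step 2 to run it on the real server.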