5 Security Patterns You Should Be Scanning For in Your Apache/Nginx Logs

via Dev.to WebdevLog Audit

Every web server generates logs. Most teams ignore them until something breaks. But your access logs are a goldmine of security intelligence — if you know what to look for.

After analyzing millions of log lines across production systems, here are 5 attack patterns that show up consistently. Each one is easy to detect, and catching them early can save you from a breach.

1. Path Traversal Attempts

What it looks like:

    192.168.1.105 - - [24/Mar/2026:03:14:22 +0000] "GET /images/../../etc/passwd HTTP/1.1" 400 0
    10.0.0.33 - - [24/Mar/2026:03:14:45 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0
    203.0.113.50 - - [24/Mar/2026:03:15:01 +0000] "GET /download?file=../../../proc/self/environ HTTP/1.1" 200 1245

Why it matters: Attackers use ../ sequences (or URL-encoded variants like %2e%2e) to escape the web root and read system files. The third example is the scariest — it returned a 200, meaning the server actually served the file.

What to scan for: Requests containing .. or %2e%2e
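Added example, not from the original article: a Python scanner for the path traversal pattern above, run over the article's three log lines plus two constructed ones. It goes beyond a plain match on .. or %2e%2e by percent-decoding repeatedly (so a double-encoded %252e%252e is caught) and by requiring .. to be a whole segment; the function names and the 2xx-means-high triage rule are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# ".." as a whole segment: preceded by / \ = & ? (or start), followed by / \ & ? # (or end)
DOTDOT_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&?#]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return a finding dict for a traversal attempt, or None (also for unparseable lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["target"])
    if not DOTDOT_RE.search(decoded):
        return None
    status = int(m["status"])
    return {"ip": m["ip"], "target": decoded, "status": status,
            # A 2xx means the server answered with content: triage these first.
            "severity": "high" if 200 <= status < 300 else "low"}

def scan(lines):
    """Scan an iterable of log lines and return only the findings."""
    return [f for f in map(scan_line, lines) if f]

# Lines 1-3 are the article's samples; lines 4-5 are constructed (benign, double-encoded).
SAMPLE = [
    '192.168.1.105 - - [24/Mar/2026:03:14:22 +0000] "GET /images/../../etc/passwd HTTP/1.1" 400 0',
    '10.0.0.33 - - [24/Mar/2026:03:14:45 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '203.0.113.50 - - [24/Mar/2026:03:15:01 +0000] "GET /download?file=../../../proc/self/environ HTTP/1.1" 200 1245',
    '198.51.100.7 - - [24/Mar/2026:03:16:10 +0000] "GET /docs/v1..2/notes.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Mar/2026:03:16:12 +0000] "GET /static/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["severity"], f["status"], f["ip"], f["target"])
```

The benign /docs/v1..2/notes.html request is not flagged because its .. is not a standalone segment, which is the false positive a bare substring match would produce.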
