How to Extract IP Addresses from nginx Logs

Turn noisy access logs into a clean list of client IPs for incident triage, rate-limit analysis, or firewall review.

Problem

Access logs contain methods, paths, status codes, user agents, and referrers around each IP. During an incident you need the IP list quickly, not the whole log.

Solution

Use text extraction and line tools to isolate IPs, dedupe repeated addresses, then inspect individual IPs or CIDR ranges.

Workflow

  1. Paste the relevant access log window
    Use a time window around the event you are investigating. Include enough lines to capture repeated clients and error bursts.
  2. Extract IPv4 values
    Use Regex Tester with an IPv4 pattern or an IP-focused tool if available in your workflow. Keep proxy headers in mind if nginx logs X-Forwarded-For.
  3. Dedupe and sort
    Run Line Dedupe and Line Sort to get a stable list for review.
  4. Inspect ranges
    Use IP Inspector and CIDR Calculator for suspicious addresses or allow/block-list planning.

Examples

Basic IPv4 extraction pattern

This pattern is useful for quick triage. It does not prove the value is a routable public address.

\b(?:\d{1,3}\.){3}\d{1,3}\b
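
The same workflow as a script, added here as an illustration and not SmartDevBox's own code: it contrasts the pattern above run over whole lines with extraction limited to the address fields, then validates, counts, and sorts. The log format (combined plus a trailing quoted $http_x_forwarded_for), the sample lines, and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# The page's quick-triage pattern: finds IPv4-shaped text, valid or not.
IPV4_SHAPED = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed format: nginx "combined" plus a final quoted "$http_x_forwarded_for".
LINE = re.compile(r'^(?P<remote>\S+) .* "(?P<xff>[^"]*)"$')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample lines; external clients use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 Chrome/120.0.0.0" "203.0.113.7"
10.0.0.5 - - [12/Mar/2025:10:01:03 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 Chrome/120.0.0.0" "203.0.113.7"
10.0.0.5 - - [12/Mar/2025:10:01:04 +0000] "GET /v/1.2.3.400/app.js HTTP/1.1" 200 900 "-" "curl/8.5.0" "198.51.100.23, 10.0.0.9"
192.0.2.44 - - [12/Mar/2025:10:01:05 +0000] "GET / HTTP/1.1" 200 300 "-" "curl/8.5.0" "-"
"""

def valid_ipv4(text):
    """Return an IPv4Address, or None when the text is not a valid address."""
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None

def whole_line_hits(log):
    """Naive pass: every IPv4-shaped string anywhere in the log, deduped."""
    return sorted(set(IPV4_SHAPED.findall(log)))

def field_hits(log):
    """Count validated addresses taken only from $remote_addr and XFF."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        # XFF is a client-supplied header: treat its entries as hints.
        for raw in [m["remote"], *m["xff"].split(",")]:
            ip = valid_ipv4(raw.strip())
            if ip is not None:
                counts[ip] += 1
    return counts

def report(log):
    """Rows of (address, hits, 'rfc1918' or 'other'), sorted numerically."""
    return [(str(ip), n, "rfc1918" if any(ip in net for net in RFC1918) else "other")
            for ip, n in sorted(field_hits(log).items())]

if __name__ == "__main__":
    print(whole_line_hits(SAMPLE_LOG), report(SAMPLE_LOG), sep="\n")
```

In the sample, 120.0.0.0 (from the Chrome user agent) and 1.2.3.400 (from the request path) appear only in the whole-line result; the field-based report drops both.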

Checklist

  • Check whether the first field is a proxy IP or the real client IP.
  • Review X-Forwarded-For if your log format includes it.
  • Dedupe after extraction, not before.
  • Validate suspicious addresses before creating firewall rules.

Frequently Asked Questions

Does the basic regex validate every IPv4 octet?

No. It finds IPv4-shaped values quickly. Use IP Inspector to validate and classify addresses after extraction.

What about IPv6?

IPv6 extraction needs a different pattern. For mixed logs, inspect your nginx log format and add an IPv6 pattern before deduping.