Goaccess, a CLI tool, allows you to browse Nginx logs for example to see all requests that failed.
Interestingly, the most frequent path there, right after the page root (/), is /.env
.
That's the file where in case of server misconfiguration, all passwords used by the app (DB, third-party services) would be available for reading.
Hacking bots are clearly very busy.