You could take a look at AWStats.

I used it years ago when I was running my own web server, and it worked well for exactly this type of use case: generating basic reports directly from server access logs (most viewed pages, browsers, referrers, status codes, etc.) without relying on any client-side tracking.

It processes standard web server logs (Apache, Nginx and similar), so there is no JavaScript involved and nothing for visitors to block. That also means your numbers will generally align much more closely with what the server actually handled, compared to client-side tools like Matomo.

From a quick glance it looks like development activity may have slowed after 2023, but log formats have been relatively stable for a long time. If you run it as an offline analyzer (generate static reports from logs and do not expose the CGI interface publicly), the security surface is minimal.

Regarding bots: since it works purely on access logs, you will still need to filter at the log level. Typical approaches include:

• Enabling and maintaining bot filtering rules (AWStats has built-in bot detection lists).
• Pre-filtering logs (e.g., via fail2ban, reverse proxy rules, or a separate sanitized log file used only for stats).
• Excluding requests by user-agent and/or known ASN/IP ranges before generating reports.

It is not a perfect solution, but if your goal is simple, privacy-respecting, server-side statistics without client-side scripts, it is a relatively lightweight option worth considering.