Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

66.249.72.5 US, United States 08/May/2025:08:37:25 /travel/uk/lee-ho-fook/?s=mb
57.141.4.4 BE, Belgium 08/May/2025:08:37:07 /travel/chile/food/
5.102.173.71 GB, United Kingdom 08/May/2025:08:36:45 /robots.txt
57.141.4.16 BE, Belgium 08/May/2025:08:36:40 /cybersecurity/history/uss-chaumont/photos-navsourceorg.html
52.22.66.203 US, United States 08/May/2025:08:36:37 /travel/usa/new-york-andy-warhol/Index.html
172.213.21.149 GB, United Kingdom 08/May/2025:08:36:24 /
172.213.21.152 GB, United Kingdom 08/May/2025:08:36:24 /russian/grammar.html
82.180.130.138 DK, Denmark 08/May/2025:08:36:07 /travel/japan/ise/inner-shrine.html?s=mb
85.208.98.23 Unknown 08/May/2025:08:35:50 /robots.txt
52.167.144.195 US, United States 08/May/2025:08:34:59 /travel/japan/kofun/empress-jingu.html
57.141.4.3 BE, Belgium 08/May/2025:08:34:55 /travel/jordan/
52.156.77.150 US, United States 08/May/2025:08:34:35 /
52.156.77.150 US, United States 08/May/2025:08:34:35 /open-source/pdf-not-authorized.html
50.3.222.57 DE, Germany 08/May/2025:08:34:15 /cybersecurity/privacy-policy.html
50.3.222.57 DE, Germany 08/May/2025:08:34:14 /turkish/turkish-suffixes.html
57.141.4.25 BE, Belgium 08/May/2025:08:33:57 /travel/france/canal-du-midi/la-redorte-to-trebes.html
57.141.4.6 BE, Belgium 08/May/2025:08:33:53 /travel/greece/crete/western-crete/rethymno.html
77.232.36.34 RU, Russian Federation 08/May/2025:08:33:31 /open-source//
172.69.22.56 US, United States 08/May/2025:08:33:26 /travel/uk/lee-ho-fook/
149.102.230.118 US, United States 08/May/2025:08:32:34 /
149.102.230.119 US, United States 08/May/2025:08:32:33 /
149.102.230.119 US, United States 08/May/2025:08:32:33 /
149.102.230.118 US, United States 08/May/2025:08:32:32 /
149.102.230.118 US, United States 08/May/2025:08:32:31 /
149.102.230.118 US, United States 08/May/2025:08:32:30 /
149.102.230.119 US, United States 08/May/2025:08:32:30 /
135.237.131.217 US, United States 08/May/2025:08:32:22 /robots.txt
51.222.253.4 FR, France 08/May/2025:08:32:17 /cybersecurity/cyberwar/
52.22.66.203 US, United States 08/May/2025:08:31:48 /travel/france/marseille/Index.html
54.81.142.76 US, United States 08/May/2025:08:31:41 /ads.txt
50.26.229.100 US, United States 08/May/2025:08:31:22 /open-source/performance-tuning/tcp.html
67.80.204.45 US, United States 08/May/2025:08:31:22 /open-source/performance-tuning/tcp.html
108.65.145.205 US, United States 08/May/2025:08:31:22 /open-source/performance-tuning/tcp.html
209.99.177.212 US, United States 08/May/2025:08:31:21 /open-source/performance-tuning/tcp.html
94.156.133.96 BG, Bulgaria 08/May/2025:08:31:21 /open-source/performance-tuning/tcp.html
85.254.115.2 LV, Latvia 08/May/2025:08:31:21 /open-source/performance-tuning/tcp.html
154.29.59.135 US, United States 08/May/2025:08:31:21 /open-source/performance-tuning/tcp.html
66.249.72.5 US, United States 08/May/2025:08:30:18 /travel/france/detectives/
52.22.66.203 US, United States 08/May/2025:08:30:15 /travel/usa/new-york-sro-flophouses/bowery-history.html
86.203.79.153 FR, France 08/May/2025:08:30:10 /travel/usa/san-francisco-dashiell-hammett/?s=mb
65.21.113.250 US, United States 08/May/2025:08:30:07 /travel/greece/ios/
65.21.113.250 US, United States 08/May/2025:08:30:05 /travel/belgium/belgian-beers/delirium-tremens.html
65.21.113.250 US, United States 08/May/2025:08:30:03 /robots.txt
65.21.113.250 US, United States 08/May/2025:08:29:58 /travel/italy/driving.html
109.70.142.62 GB, United Kingdom 08/May/2025:08:29:56 /blog/2023/01/03-whats-up-with-my-social-media.html
109.70.142.62 GB, United Kingdom 08/May/2025:08:29:54 /
65.21.113.250 US, United States 08/May/2025:08:29:54 /travel/italy/
65.21.113.250 US, United States 08/May/2025:08:29:50 /travel/
65.21.113.250 US, United States 08/May/2025:08:29:49 /robots.txt
65.21.113.250 US, United States 08/May/2025:08:29:46 /travel/france/detectives/
65.21.113.250 US, United States 08/May/2025:08:29:44 /robots.txt
65.21.113.250 US, United States 08/May/2025:08:29:44 /robots.txt
57.141.4.1 BE, Belgium 08/May/2025:08:29:42 /travel/france/school-lunch-menus/
57.141.4.16 BE, Belgium 08/May/2025:08:29:12 /travel/japan/kagoshima/kagoshima-city/
82.157.192.206 NL, Netherlands 08/May/2025:08:28:55 /open-source/performance-tuning/tcp.html
57.141.4.18 BE, Belgium 08/May/2025:08:28:51 /travel/japan/aizu-wakamatsu/tokyo-to-aizu-wakamatsu/
57.141.4.8 BE, Belgium 08/May/2025:08:28:50 /cybersecurity/isc2-ccsp/applications.html
5.161.187.39 IR, Iran, Islamic Republic of 08/May/2025:08:28:05 /travel/turkey/temple-of-artemis/
57.141.4.5 BE, Belgium 08/May/2025:08:26:57 /travel/belgium/bastogne-ardennes/bastogne.html
57.141.4.2 BE, Belgium 08/May/2025:08:26:54 /travel/usa/mattoon/
135.181.15.80 CA, Canada 08/May/2025:08:26:51 /travel/uk//
51.222.253.7 FR, France 08/May/2025:08:26:23 /open-source/getting-started.html
85.208.109.81 Unknown 08/May/2025:08:26:01 /travel/chile/
49.12.206.6 IN, India 08/May/2025:08:25:46 /travel/turkey/goreme/?s=mb
49.12.206.6 IN, India 08/May/2025:08:25:43 /travel/japan/ise/inner-shrine.html?s=mb
49.12.206.6 IN, India 08/May/2025:08:25:41 /travel/alaska/equinox/?s=mb
49.12.206.6 IN, India 08/May/2025:08:25:39 /travel/russia/moscow.html?s=mb
20.97.189.97 US, United States 08/May/2025:08:25:38 /robots.txt
49.12.206.6 IN, India 08/May/2025:08:25:31 /travel/france/avignon/corrupt-popes.html?s=mb
57.141.4.2 BE, Belgium 08/May/2025:08:25:25 /radio/ic2sat-part-2.html
66.249.72.6 US, United States 08/May/2025:08:25:23 /travel/france/jim-morrison-paris.html
57.141.4.11 BE, Belgium 08/May/2025:08:23:27 /travel/morocco/marrakech/jemaa-el-fnaa.html
113.246.153.69 CN, China 08/May/2025:08:22:54 /open-source/nginx-openssl-quantum-safe/
43.134.229.118 JP, Japan 08/May/2025:08:22:44 /fun/requests-for-quotes/
113.246.153.69 CN, China 08/May/2025:08:22:44 /rss.xml
113.246.153.69 CN, China 08/May/2025:08:22:43 /radio/
113.246.153.69 CN, China 08/May/2025:08:22:41 /rss.xml
113.246.153.69 CN, China 08/May/2025:08:22:38 /cybersecurity/root-password.html
113.246.153.69 CN, China 08/May/2025:08:22:38 /cybersecurity/privacy-policy.html
113.246.153.69 CN, China 08/May/2025:08:22:37 /contact.html
113.246.153.69 CN, China 08/May/2025:08:22:37 /rss.xml
113.246.153.69 CN, China 08/May/2025:08:22:36 /radio/
113.246.153.69 CN, China 08/May/2025:08:22:36 /fun/
113.246.153.69 CN, China 08/May/2025:08:22:36 /cybersecurity/
113.246.153.69 CN, China 08/May/2025:08:22:36 /travel/
113.246.153.69 CN, China 08/May/2025:08:22:36 /travel/
113.246.153.69 CN, China 08/May/2025:08:22:35 /technical/
113.246.153.69 CN, China 08/May/2025:08:22:35 /
113.246.153.69 CN, China 08/May/2025:08:22:35 /blog/
113.246.153.69 CN, China 08/May/2025:08:22:35 /open-source/
113.246.153.69 CN, China 08/May/2025:08:22:34 /networking/
113.246.153.69 CN, China 08/May/2025:08:22:32 /technical/
113.246.153.69 CN, China 08/May/2025:08:22:31 /russian/
113.246.153.69 CN, China 08/May/2025:08:22:31 /turkish/
113.246.153.69 CN, China 08/May/2025:08:22:31 /contact.html
113.246.153.69 CN, China 08/May/2025:08:22:30 /travel/greece/greek/
113.246.153.69 CN, China 08/May/2025:08:22:30 /networking/
113.246.153.69 CN, China 08/May/2025:08:22:30 /3d/histogram/
113.246.153.69 CN, China 08/May/2025:08:22:30 /cybersecurity/
113.246.153.69 CN, China 08/May/2025:08:22:30 /open-source/
113.246.153.69 CN, China 08/May/2025:08:22:29 /3d/xray/
113.246.153.69 CN, China 08/May/2025:08:22:28 /3d/
113.246.153.69 CN, China 08/May/2025:08:22:27 /
113.246.153.69 CN, China 08/May/2025:08:22:25 /
52.22.66.203 US, United States 08/May/2025:08:22:05 /travel/chile/torres-del-paine/Index.html
40.77.167.4 US, United States 08/May/2025:08:22:02 /contact.html
52.167.144.202 US, United States 08/May/2025:08:21:57 /travel/france/boat-trip-canal-lateral-a-la-loire/fleury-sur-loire-to-decize.html
182.161.73.7 SG, Singapore 08/May/2025:08:21:38 /open-source/raspberry-pi/sdr-ads-b-piaware-and-fr24feed.html
51.222.253.13 FR, France 08/May/2025:08:21:25 /cybersecurity/crypto/reading.html
182.161.73.68 SG, Singapore 08/May/2025:08:20:42 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
57.141.4.11 BE, Belgium 08/May/2025:08:20:37 /travel/japan/hakodate/kakinoshima-site/
57.154.175.13 BE, Belgium 08/May/2025:08:20:03 /travel/japan/sapporo/history/
98.97.1.230 US, United States 08/May/2025:08:20:01 /
40.77.167.4 US, United States 08/May/2025:08:19:55 /travel/japan/tokyo-asakusa/
57.141.4.4 BE, Belgium 08/May/2025:08:19:49 /blog/2022/07/03-cybersecurity-certifications.html
3.211.105.134 US, United States 08/May/2025:08:19:42 /cybersecurity/isc2-ccsp/legal.html?s=mc
57.141.4.4 BE, Belgium 08/May/2025:08:19:41 /travel/greece/greek-food.html
57.141.4.18 BE, Belgium 08/May/2025:08:19:32 /open-source/dev-random.html
54.153.33.110 US, United States 08/May/2025:08:19:28 /cybersecurity/exam-prep.html
47.128.124.102 CA, Canada 08/May/2025:08:19:08 /open-source/performance-tuning/tcp.html
173.224.127.69 US, United States 08/May/2025:08:18:47 /open-source/rpm-creation.html
57.141.4.11 BE, Belgium 08/May/2025:08:18:13 /travel/morocco/fez/meknes-to-fez.html
86.97.174.85 AE, United Arab Emirates 08/May/2025:08:17:51 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
51.92.41.71 GB, United Kingdom 08/May/2025:08:17:49 /open-source/python-social-media-automation/?s=mb
52.22.66.203 US, United States 08/May/2025:08:17:42 /technical/samsung-galaxy/ssh.html
40.84.221.228 US, United States 08/May/2025:08:17:29 /open-source/performance-tuning/file-systems.html
86.97.174.85 AE, United Arab Emirates 08/May/2025:08:17:28 /open-source/raspberry-pi/sdr-ads-b-piaware-and-fr24feed.html
178.250.7.65 FR, France 08/May/2025:08:17:18 /open-source/rpm-creation.html
188.245.169.179 IR, Iran, Islamic Republic of 08/May/2025:08:17:17 /cybersecurity/cyberwar/syria.html?s=mc
54.91.246.130 US, United States 08/May/2025:08:16:19 /open-source/rpm-creation.html
162.120.187.23 US, United States 08/May/2025:08:16:08 /open-source/rpm-creation.html
45.95.146.83 Unknown 08/May/2025:08:15:47 /blog/all-forward.html
45.95.146.83 Unknown 08/May/2025:08:15:44 /blog/2024/06/22-easy-automation-thousands-of-changes.html
45.95.146.83 Unknown 08/May/2025:08:15:42 /blog/2025/01/automating-changes-across-thousands-of-files.html
86.203.79.153 FR, France 08/May/2025:08:15:40 /travel/hungary/budapest/?s=mb
45.95.146.83 Unknown 08/May/2025:08:15:39 /blog/all-reverse.html
45.95.146.83 Unknown 08/May/2025:08:15:33 /blog/
45.95.146.83 Unknown 08/May/2025:08:15:29 /cybersecurity/yubikey/
51.222.253.9 FR, France 08/May/2025:08:15:21 /3d/trilobite.html
34.242.127.145 IE, Ireland 08/May/2025:08:15:14 /
192.227.120.199 US, United States 08/May/2025:08:15:13 /
63.35.225.23 US, United States 08/May/2025:08:15:12 /robots.txt
17.241.219.182 US, United States 08/May/2025:08:14:45 /travel/iceland/breidhdalsvik-seydhisfjordhur/
57.141.4.10 BE, Belgium 08/May/2025:08:14:34 /travel/france/avignon/avignon-papacy.html
54.236.1.11 US, United States 08/May/2025:08:13:33 /travel/usa/detroit/

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages