Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

3.237.31.191 US, United States 23/Sep/2023:09:50:15 /robots.txt
66.249.79.6 US, United States 23/Sep/2023:09:50:09 /travel/uk/national-grid-os-maps/?s=mb
104.238.20.142 US, United States 23/Sep/2023:09:50:08 /travel/russia/getting-there.html?s=tweetbot
42.236.17.68 CN, China 23/Sep/2023:09:49:50 /open-source/rhel-oracle-centos-6-7-8-9/users-groups.html
185.191.171.8 MD, Moldova, Republic of 23/Sep/2023:09:49:45 /cybersecurity/root-password.html
216.244.66.242 US, United States 23/Sep/2023:09:49:27 /travel/greece/meteora.html?s=tweetbot
188.126.45.43 RU, Russian Federation 23/Sep/2023:09:48:32 /open-source/tar-and-ssh.html
51.222.253.19 FR, France 23/Sep/2023:09:48:12 /travel/france/boat/tying-up-and-weather.html?s=tweetbot
66.249.79.6 US, United States 23/Sep/2023:09:48:10 /travel/belgium/belgian-beers/delirium-tremens.html
121.58.21.156 CN, China 23/Sep/2023:09:47:23 /cybersecurity/hostile/gibe-f-worm.html
17.241.227.230 US, United States 23/Sep/2023:09:45:32 /travel/usa/new-york-sro-flophouses/vigilant.html
82.66.174.44 FR, France 23/Sep/2023:09:45:26 /open-source/performance-tuning/nfs.html
209.126.117.74 US, United States 23/Sep/2023:09:45:05 /travel/france/boat/boat-handling-and-locks.html
204.15.208.37 Unknown 23/Sep/2023:09:45:01 /radio/copper-wire/
51.222.253.9 FR, France 23/Sep/2023:09:44:27 /open-source/openbsd-wireless-wpa2.html
66.249.79.5 US, United States 23/Sep/2023:09:44:22 /networking/terminology.html
185.191.171.15 MD, Moldova, Republic of 23/Sep/2023:09:44:14 /travel/france/loire-valley/
54.162.115.242 US, United States 23/Sep/2023:09:44:12 /
185.191.171.8 MD, Moldova, Republic of 23/Sep/2023:09:44:11 /travel/greece/kos/
17.241.75.172 US, United States 23/Sep/2023:09:43:49 /open-source/linux-amd-ryzen-gpu/
175.196.0.33 KR, Korea, Republic of 23/Sep/2023:09:43:29 /open-source/raspberry-pi/sdr-getting-started.html
110.169.220.11 TH, Thailand 23/Sep/2023:09:43:25 /open-source/performance-tuning/file-systems.html
54.166.7.90 US, United States 23/Sep/2023:09:42:54 /radio/9-1-unun/
54.163.37.67 US, United States 23/Sep/2023:09:42:05 /open-source/raspberry-pi/sdr-getting-started.html
54.237.206.73 US, United States 23/Sep/2023:09:41:40 /
66.249.79.7 US, United States 23/Sep/2023:09:41:33 /networking/terminology.html
104.238.20.60 US, United States 23/Sep/2023:09:41:08 /travel/greece/greek-mainland.html?s=tb
111.225.148.181 CN, China 23/Sep/2023:09:40:49 /travel/japan/aizu-wakamatsu/otsukayama-kofun/
111.225.148.144 CN, China 23/Sep/2023:09:40:33 /open-source/raspberry-pi/openvas.html
95.108.213.175 RU, Russian Federation 23/Sep/2023:09:40:30 /travel/greece/crete/
174.216.215.70 US, United States 23/Sep/2023:09:40:24 /travel/usa/new-york-fictional-architecture/upper-west-side.html
47.128.33.118 CA, Canada 23/Sep/2023:09:40:22 /cybersecurity/generalinfo.html
52.7.101.215 US, United States 23/Sep/2023:09:40:22 /travel/athens-to-paris/veliko-tarnovo-bucharest.html?s=mb
18.232.58.230 US, United States 23/Sep/2023:09:40:16 /
174.216.215.70 US, United States 23/Sep/2023:09:40:14 /travel/usa/new-york-fictional-architecture/upper-west-side.html
111.225.149.131 CN, China 23/Sep/2023:09:40:05 /travel/belgium/bastogne-ardennes/?s=mb
92.7.208.232 GB, United Kingdom 23/Sep/2023:09:39:58 /travel/uk/scapa-flow/
74.208.177.94 US, United States 23/Sep/2023:09:39:55 /travel/morocco/tangier/casablanca-to-tangier.html
92.7.208.232 GB, United Kingdom 23/Sep/2023:09:39:53 /travel/uk/scapa-flow/
199.168.150.161 US, United States 23/Sep/2023:09:39:52 /
92.7.208.232 GB, United Kingdom 23/Sep/2023:09:39:51 /travel/uk/scapa-flow/
95.216.236.86 FI, Finland 23/Sep/2023:09:39:19 /contact.html
95.216.236.86 FI, Finland 23/Sep/2023:09:39:17 /cybersecurity/hostile/gibe-f-worm.html
66.249.79.6 US, United States 23/Sep/2023:09:38:44 /fun/requests-for-quotes/seman-peru/
66.249.79.168 US, United States 23/Sep/2023:09:38:42 /travel/japan/koyasan/okunoin-cemetery.html
5.255.231.183 RU, Russian Federation 23/Sep/2023:09:38:37 /turkish/verbs.html
213.180.203.74 RU, Russian Federation 23/Sep/2023:09:38:37 /travel/usa/us-wash-masonic.html
213.180.203.174 RU, Russian Federation 23/Sep/2023:09:38:36 /travel/usa/new-york-st-marks-place/
95.108.213.104 RU, Russian Federation 23/Sep/2023:09:38:35 /travel/turkey/halicarnassus/
34.242.120.73 IE, Ireland 23/Sep/2023:09:38:18 /travel/france/budget-hotels/
51.222.253.14 FR, France 23/Sep/2023:09:38:10 /travel/romania/bucharest/
185.191.171.12 MD, Moldova, Republic of 23/Sep/2023:09:36:57 /travel/egypt/sinai.html
212.34.30.61 JO, Jordan 23/Sep/2023:09:36:48 /
212.34.30.61 JO, Jordan 23/Sep/2023:09:36:48 /
134.209.152.244 US, United States 23/Sep/2023:09:36:32 /radio/copper-wire/?s=mb
34.242.120.73 IE, Ireland 23/Sep/2023:09:36:23 /travel/uk/glastonbury/chalice-spring-tor.html
134.209.152.244 US, United States 23/Sep/2023:09:36:21 /technical/current-box.html?s=mb
152.67.128.219 US, United States 23/Sep/2023:09:36:19 /travel/france/budget-hotels/
35.173.183.11 US, United States 23/Sep/2023:09:36:14 /travel/france/pierre-tourneresse/
66.249.79.7 US, United States 23/Sep/2023:09:36:09 /fun/requests-for-quotes/seman-peru/
35.174.18.8 US, United States 23/Sep/2023:09:36:08 /travel/uk/orkney-sousterrain/
52.87.198.105 US, United States 23/Sep/2023:09:36:08 /travel/france/provence-megaliths/
52.87.198.105 US, United States 23/Sep/2023:09:36:07 /travel/uk/skara-brae/
35.173.183.11 US, United States 23/Sep/2023:09:36:05 /travel/uk/orkney-neolithic/maeshowe.html
54.218.37.89 US, United States 23/Sep/2023:09:36:03 /
44.218.102.77 US, United States 23/Sep/2023:09:35:44 /networking/commands.html
44.218.102.77 US, United States 23/Sep/2023:09:35:42 /robots.txt
34.195.212.30 US, United States 23/Sep/2023:09:35:34 /open-source/performance-tuning/ethernet.html
162.19.58.107 US, United States 23/Sep/2023:09:35:32 /open-source/thunderbird-default-browser.html?s=mc
74.119.119.205 US, United States 23/Sep/2023:09:35:26 /travel/uk/glastonbury/chalice-spring-tor.html
182.161.74.71 SG, Singapore 23/Sep/2023:09:35:16 /travel/uk/glastonbury/chalice-spring-tor.html
52.7.101.215 US, United States 23/Sep/2023:09:34:57 /travel/hungary/budapest/?s=mb
185.191.171.7 MD, Moldova, Republic of 23/Sep/2023:09:34:34 /travel/usa/north-carolina/
14.203.54.240 AU, Australia 23/Sep/2023:09:34:32 /travel/uk/glastonbury/chalice-spring-tor.html
74.6.168.252 US, United States 23/Sep/2023:09:34:30 /travel/egypt/aswan.html
3.88.54.0 US, United States 23/Sep/2023:09:34:29 /travel/france/budget-hotels/
85.25.237.15 DE, Germany 23/Sep/2023:09:34:29 /travel/france/budget-hotels/
54.166.252.171 US, United States 23/Sep/2023:09:34:28 /travel/france/budget-hotels/
163.47.56.247 AU, Australia 23/Sep/2023:09:34:20 /travel/france/budget-hotels/
178.250.1.66 FR, France 23/Sep/2023:09:34:09 /technical/dsl/
79.218.139.244 DE, Germany 23/Sep/2023:09:33:49 /technical/dsl/
185.191.171.6 MD, Moldova, Republic of 23/Sep/2023:09:33:27 /travel/france/boat/tying-up-and-weather.html
66.249.79.7 US, United States 23/Sep/2023:09:33:07 /travel/russia/
34.195.212.30 US, United States 23/Sep/2023:09:32:51 /cybersecurity/isc2-ccsp/
34.240.42.170 IE, Ireland 23/Sep/2023:09:32:42 /
66.249.79.7 US, United States 23/Sep/2023:09:32:16 /open-source/performance-tuning/nfs.html
51.222.253.7 FR, France 23/Sep/2023:09:31:58 /travel/usa/philadelphia/
95.186.17.230 SA, Saudi Arabia 23/Sep/2023:09:31:55 /turkish/word-order.html
31.104.21.49 GB, United Kingdom 23/Sep/2023:09:29:41 /travel/france/normandy/pegasus-bridge.html
31.104.21.49 GB, United Kingdom 23/Sep/2023:09:29:22 /travel/france/normandy/pegasus-bridge.html
35.175.92.196 US, United States 23/Sep/2023:09:29:16 /travel/france/marseille/vieux-port.html
54.234.9.78 US, United States 23/Sep/2023:09:29:15 /travel/france/school-lunch-menus/
216.244.66.242 US, United States 23/Sep/2023:09:29:00 /travel/trinidad/job.html
216.244.66.242 US, United States 23/Sep/2023:09:28:53 /open-source/windows-path.html
137.184.184.45 US, United States 23/Sep/2023:09:28:14 /
74.6.168.252 US, United States 23/Sep/2023:09:28:08 /robots.txt
204.15.208.30 Unknown 23/Sep/2023:09:27:52 /travel/uk/orkney-sousterrain/
82.66.47.96 FR, France 23/Sep/2023:09:27:39 /open-source/performance-tuning/file-systems.html
157.55.39.61 US, United States 23/Sep/2023:09:27:09 /cybersecurity/isc2-ccsp/?s=tb
66.249.79.5 US, United States 23/Sep/2023:09:26:58 /travel/alaska/november/
109.206.148.242 RU, Russian Federation 23/Sep/2023:09:26:24 /open-source/samba-active-directory/deployment.html
66.249.79.7 US, United States 23/Sep/2023:09:26:14 /cybersecurity/crypto/cipher-strength.html
17.241.75.245 US, United States 23/Sep/2023:09:25:51 /travel/france/seine-river-art-history-monet/chateau-gaillard.html
37.111.138.159 PK, Pakistan 23/Sep/2023:09:25:19 /technical/dsl/
51.222.253.15 FR, France 23/Sep/2023:09:25:19 /travel/greece/meteora.html
216.244.66.242 US, United States 23/Sep/2023:09:24:17 /robots.txt
216.244.66.242 US, United States 23/Sep/2023:09:24:17 /robots.txt
193.186.4.64 IE, Ireland 23/Sep/2023:09:23:54 /travel/turkey/konya/
66.249.79.5 US, United States 23/Sep/2023:09:23:53 /open-source/vim-word-count.html
72.14.201.64 US, United States 23/Sep/2023:09:23:21 /travel/uk/orkney-sousterrain/
213.180.203.199 RU, Russian Federation 23/Sep/2023:09:22:59 /travel/alaska/equinox/
91.66.158.15 DE, Germany 23/Sep/2023:09:22:58 /open-source/raspberry-pi/sdr-getting-started.html
209.126.120.145 US, United States 23/Sep/2023:09:22:35 /cybersecurity/crypto/diffie-hellman.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages