
Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines; others are mysterious. Another pattern is the systematic blind search for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result; the explanation comes later. Here are the most recent client requests, newest first. Your request for this page won't appear in the list, because it had not completed when PHP generated the page. If you reload the page, you should see your initial request near the top.

18.210.24.208 US, United States 19/Jan/2020:08:00:32 /robots.txt
199.16.157.181 US, United States 19/Jan/2020:07:59:48 /cybersecurity/availability/storage-longevity.html
199.16.157.181 US, United States 19/Jan/2020:07:59:48 /cybersecurity/hostile/mytob.kb.html
54.36.149.223 FR, France 19/Jan/2020:07:59:30 /radio/hfqrp.html
86.125.21.36 RO, Romania 19/Jan/2020:07:58:53 /cybersecurity/history/cabinet-war-rooms.html
66.249.79.250 US, United States 19/Jan/2020:07:58:34 /cybersecurity/isc2-ccsp/standards-and-regulations.html
183.14.89.148 CN, China 19/Jan/2020:07:58:06 /
72.14.199.248 US, United States 19/Jan/2020:07:58:06 /turkish/verbs.html
183.14.89.148 CN, China 19/Jan/2020:07:57:57 /
17.58.101.13 US, United States 19/Jan/2020:07:57:12 /cybersecurity/netaudit.html
54.152.8.219 US, United States 19/Jan/2020:07:56:54 /travel/usa/new-york-jewish-les/houston-clinton-norfolk.html
91.87.46.255 BE, Belgium 19/Jan/2020:07:56:42 /open-source/torrent-magnet-links.html
172.250.129.241 US, United States 19/Jan/2020:07:56:34 /travel/france/school-lunch-menus/
72.14.199.252 US, United States 19/Jan/2020:07:56:16 /travel/uk/glastonbury/town.html
213.205.198.125 GB, United Kingdom 19/Jan/2020:07:55:53 /travel/uk/glastonbury/town.html
46.229.168.133 US, United States 19/Jan/2020:07:55:32 /travel/greenland/
46.229.168.146 US, United States 19/Jan/2020:07:55:31 /robots.txt
157.55.39.253 US, United States 19/Jan/2020:07:55:14 /radio/power-meter.html
66.249.79.252 US, United States 19/Jan/2020:07:54:51 /open-source/nginx-tls-1.3/
40.77.167.66 US, United States 19/Jan/2020:07:54:50 /travel/usa/new-york-les-stanton/
2.236.51.20 IT, Italy 19/Jan/2020:07:54:28 /open-source/rhel-centos-5-6-7-8/
195.154.179.93 FR, France 19/Jan/2020:07:53:34 /oliver-cromwell/
86.165.15.249 GB, United Kingdom 19/Jan/2020:07:53:28 /travel/uk/dover/
62.178.79.222 AT, Austria 19/Jan/2020:07:53:19 /open-source/performance-tuning/file-systems.html
34.238.174.0 US, United States 19/Jan/2020:07:52:55 /travel/usa/new-york-jewish-les/houston-clinton-norfolk.html
212.129.57.169 FR, France 19/Jan/2020:07:52:46 /oliver-cromwell/crom-fu-fighting.html
72.231.26.150 US, United States 19/Jan/2020:07:52:42 /travel/usa/new-york-jewish-les/houston-clinton-norfolk.html
46.229.168.133 US, United States 19/Jan/2020:07:52:30 /travel/japan/tokyo-harajuku/omotesando.html
49.176.210.25 AU, Australia 19/Jan/2020:07:52:16 /open-source/rhel-centos-5-6-7-8/
17.58.101.13 US, United States 19/Jan/2020:07:52:01 /open-source/nginx-tls-1.3/
172.58.45.192 US, United States 19/Jan/2020:07:51:54 /technical/dsl/
95.217.74.54 FI, Finland 19/Jan/2020:07:51:51 /travel/athens-to-paris/bucharest-gura-humorului.html?s=tb
46.229.168.154 US, United States 19/Jan/2020:07:51:47 /technical/samsung-galaxy/cyanogenmod.html
46.229.168.132 US, United States 19/Jan/2020:07:51:43 /robots.txt
95.217.78.111 FI, Finland 19/Jan/2020:07:50:17 /travel/egypt/sinai.html?s=tb
92.148.38.36 FR, France 19/Jan/2020:07:50:13 /fun/fingerbox/
46.7.196.164 IE, Ireland 19/Jan/2020:07:50:09 /radio/tv-antenna.html
62.178.79.222 AT, Austria 19/Jan/2020:07:50:03 /open-source/performance-tuning/disks.html
92.148.38.36 FR, France 19/Jan/2020:07:49:45 /fun/fingerbox/
42.236.10.116 CN, China 19/Jan/2020:07:48:12 /cybersecurity/hostile/mydoom.m.html
67.11.13.48 US, United States 19/Jan/2020:07:47:49 /travel/usa/north-carolina/
46.229.168.144 US, United States 19/Jan/2020:07:47:49 /travel/greece/ferries.html
18.209.101.170 US, United States 19/Jan/2020:07:47:31 /radio/tv-antenna.html
66.249.79.250 US, United States 19/Jan/2020:07:47:26 /
54.159.167.42 US, United States 19/Jan/2020:07:47:23 /ads.txt
54.159.167.42 US, United States 19/Jan/2020:07:47:22 /robots.txt
17.58.101.13 US, United States 19/Jan/2020:07:46:44 /cybersecurity/Index.html
46.7.196.164 IE, Ireland 19/Jan/2020:07:46:28 /radio/tv-antenna.html
49.40.27.62 IN, India 19/Jan/2020:07:46:23 /open-source/performance-tuning/disks.html
76.170.157.193 US, United States 19/Jan/2020:07:46:19 /fun/fingerbox/
66.249.79.250 US, United States 19/Jan/2020:07:43:43 /fun/lucky-numbers.html
46.229.168.134 US, United States 19/Jan/2020:07:43:41 /travel/china/guangzhou-2.html
212.25.79.133 IL, Israel 19/Jan/2020:07:43:37 /open-source/sendmail-ssl.html
54.89.24.188 US, United States 19/Jan/2020:07:43:15 /travel/usa/north-carolina/
67.11.13.48 US, United States 19/Jan/2020:07:43:11 /travel/usa/north-carolina/
54.210.163.241 US, United States 19/Jan/2020:07:43:08 /travel/usa/new-york-jewish-les/synagogues.html
17.58.101.13 US, United States 19/Jan/2020:07:42:49 /3d/sensor-design.html
54.36.149.217 FR, France 19/Jan/2020:07:42:16 /open-source/font-config-warnings.html
148.64.56.65 GB, United Kingdom 19/Jan/2020:07:40:17 /travel/usa/new-york-jewish-les/synagogues.html
157.55.39.28 US, United States 19/Jan/2020:07:40:07 /robots.txt
66.249.79.248 US, United States 19/Jan/2020:07:40:01 /fun/santaism.html
54.211.42.253 US, United States 19/Jan/2020:07:39:47 /travel/mexico/leon-trotsky.html
66.249.79.252 US, United States 19/Jan/2020:07:39:35 /travel/bulgaria/veliko-tarnovo/
45.48.217.137 US, United States 19/Jan/2020:07:39:24 /travel/mexico/leon-trotsky.html
86.125.21.36 RO, Romania 19/Jan/2020:07:38:06 /cybersecurity/history/
86.125.21.36 RO, Romania 19/Jan/2020:07:38:05 /robots.txt
157.55.39.147 US, United States 19/Jan/2020:07:37:58 /travel/china/class-and-macau.html
54.145.83.106 US, United States 19/Jan/2020:07:37:09 /open-source/windows-xp-with-office-2007.html
66.102.8.189 US, United States 19/Jan/2020:07:37:07 /open-source/windows-xp-with-office-2007.html
34.207.174.204 US, United States 19/Jan/2020:07:37:01 /travel/usa/new-york-jewish-les/synagogues.html
72.231.26.150 US, United States 19/Jan/2020:07:36:46 /travel/usa/new-york-jewish-les/synagogues.html
66.249.79.248 US, United States 19/Jan/2020:07:36:18 /travel/france/normandy/brecourt-manor.html
54.36.150.4 FR, France 19/Jan/2020:07:35:19 /cybersecurity/cyberwar/lebanon.html
118.166.131.184 TW, Taiwan 19/Jan/2020:07:34:57 /open-source/performance-tuning/disks.html
46.229.168.142 US, United States 19/Jan/2020:07:34:41 /travel/usa/new-york-sro-flophouses/bowery-history.html
35.240.26.48 US, United States 19/Jan/2020:07:34:41 /open-source/nginx-tls-1.3/running-tls-1.3.html
46.229.168.144 US, United States 19/Jan/2020:07:34:41 /robots.txt
54.198.29.106 US, United States 19/Jan/2020:07:34:23 /networking/what-is-ipsec.html
128.14.134.170 US, United States 19/Jan/2020:07:34:15 /
189.217.105.225 MX, Mexico 19/Jan/2020:07:34:13 /networking/what-is-ipsec.html
161.253.8.217 US, United States 19/Jan/2020:07:33:35 /travel/france/thomas-jefferson/
17.58.101.13 US, United States 19/Jan/2020:07:33:02 /travel/turkey/selcuk/Index.html
66.249.79.248 US, United States 19/Jan/2020:07:32:36 /travel/greenland/
35.240.26.48 US, United States 19/Jan/2020:07:32:29 /travel/athens-to-paris/bucharest-gura-humorului.html?s=tb
3.94.53.126 US, United States 19/Jan/2020:07:32:22 /travel/france/thomas-jefferson/
161.253.8.217 US, United States 19/Jan/2020:07:32:19 /travel/france/thomas-jefferson/
76.216.234.203 US, United States 19/Jan/2020:07:32:06 /
199.16.157.183 US, United States 19/Jan/2020:07:32:05 /travel/usa/new-york-jewish-les/?s=tweetbot
76.216.234.203 US, United States 19/Jan/2020:07:32:05 /
223.223.185.35 CN, China 19/Jan/2020:07:31:31 /open-source/performance-tuning/disks.html
67.143.128.204 US, United States 19/Jan/2020:07:30:56 /fun/fingerbox/
42.188.147.211 MY, Malaysia 19/Jan/2020:07:30:18 /technical/convert-youtube-to-xvid.html
17.58.101.13 US, United States 19/Jan/2020:07:30:03 /turkish/word-order.html
183.6.129.98 CN, China 19/Jan/2020:07:29:54 /open-source/performance-tuning/disks.html
199.16.157.180 US, United States 19/Jan/2020:07:29:22 /travel/usa/new-york-jewish-les/synagogues.html?s=tweetbot
3.214.209.95 US, United States 19/Jan/2020:07:29:07 /ads.txt
66.249.79.172 US, United States 19/Jan/2020:07:28:53 /open-source/build-packages.html
40.77.167.66 US, United States 19/Jan/2020:07:28:00 /travel/usa/new-york-jewish-les/grand-street.html
40.77.167.66 US, United States 19/Jan/2020:07:27:51 /travel/france/lavomat/
24.21.124.89 US, United States 19/Jan/2020:07:27:03 /open-source/rhel-centos-multimedia.html
144.34.173.106 US, United States 19/Jan/2020:07:26:55 /open-source/sysfs.html
54.36.148.10 FR, France 19/Jan/2020:07:26:27 /travel/bulgaria/sofia/?s=tweetbot
185.136.151.168 IQ, Iraq 19/Jan/2020:07:25:32 /turkish/word-order.html
63.142.205.86 US, United States 19/Jan/2020:07:25:23 /
66.249.79.252 US, United States 19/Jan/2020:07:25:10 /travel/uk/oxford-lewis-tolkien/
54.196.1.216 US, United States 19/Jan/2020:07:24:58 /travel/france/flaneur-market/?s=tb
54.36.150.1 FR, France 19/Jan/2020:07:24:20 /travel/japan/kamakura/yagura.html?s=tweetbot
38.131.99.251 US, United States 19/Jan/2020:07:24:09 /open-source/performance-tuning/ethernet.html
196.52.2.117 US, United States 19/Jan/2020:07:23:28 /open-source/performance-tuning/tcp.html
203.106.120.175 MY, Malaysia 19/Jan/2020:07:23:18 /technical/convert-youtube-to-xvid.html
71.205.215.19 US, United States 19/Jan/2020:07:23:14 /fun/fingerbox/
86.163.56.13 GB, United Kingdom 19/Jan/2020:07:22:54 /travel/athens-to-paris/
197.184.197.121 ZA, South Africa 19/Jan/2020:07:22:32 /travel/turkey/pamukkale/

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. awk selects the client IP address, timestamp, and requested path, and geoiplookup converts the client IP address to a country where it can.
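The field selection can be tried on its own. This is a minimal sketch, assuming Apache's combined log format; extract_fields is a hypothetical helper name and the sample line is made up, using a documentation-range address. The geoiplookup step is left out because it needs a GeoIP database installed.

```shell
#!/bin/sh
# Sketch: pull the client IP, timestamp, and requested path out of
# combined-format log lines read from standard input.
# extract_fields is a hypothetical name, not part of the original script.
extract_fields() {
	# Turn quotes into spaces and drop the square brackets, so that awk
	# sees plain whitespace-separated fields.
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
		awk '{print $1, $4, $7}'
}

# Made-up sample line, for illustration only.
sample='192.0.2.10 - - [19/Jan/2020:08:00:32 -0500] "GET /robots.txt HTTP/1.1" 200 68'
echo "$sample" | extract_fields
# prints: 192.0.2.10 19/Jan/2020:08:00:32 /robots.txt
```

The script shown later uses fields 2, 5, and 8 instead of 1, 4, and 7, because cat -n has put a line number in front of each line by that point.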

The first 3 octets (the first 24 bits) of the IP address specify the hue, with chroma at 75% and value, the brightest of the three channels, at 100%. The resulting red, green, and blue values are scaled to the range 0-255 and printed as two-digit hexadecimal in an HTML-style color string.
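The conversion can be sketched as a small standalone function. This is an illustration under stated assumptions, not the page's own code: ip_to_color is a hypothetical name, and the sketch treats the three octets as one 24-bit number divided by 2^24, so the hue always lands in the range 0 up to (but not including) 6.

```shell
#!/bin/sh
# Sketch: map the first three octets of an IPv4 address to an HTML color.
# ip_to_color is a hypothetical helper name.
ip_to_color() {
	echo "$1" | awk -F. '{
		chroma = 0.75
		m = 0.25	# added to every channel so the brightest reaches 1.0
		# First 24 bits as one number, scaled onto the six hue sectors.
		hue = 6 * ($1*65536 + $2*256 + $3) / 16777216
		# x = chroma * (1 - |hue mod 2 - 1|)
		d = hue - 2*int(hue/2) - 1
		if (d < 0) d = -d
		x = chroma * (1 - d)
		s = int(hue)
		if      (s == 0) { r = chroma; g = x;      b = 0 }
		else if (s == 1) { r = x;      g = chroma; b = 0 }
		else if (s == 2) { r = 0;      g = chroma; b = x }
		else if (s == 3) { r = 0;      g = x;      b = chroma }
		else if (s == 4) { r = x;      g = 0;      b = chroma }
		else             { r = chroma; g = 0;      b = x }
		printf("#%02x%02x%02x\n", int((r+m)*255), int((g+m)*255), int((b+m)*255))
	}'
}

ip_to_color 128.0.0.1	# prints #3fffff
```

An address halfway through the range, 128.0.0.x, gets hue 3.0, which is cyan. No channel ever drops below 0x3f, which keeps the backgrounds light enough for black text.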

Low-numbered /8 networks appear as red; 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow; 50.0.0.0/8 through 110.0.0.0/8 are shades of green; the /16 networks from 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue; and the /24 networks from 192.0.0.0/24 up through 223.255.255.0/24 run from purple into magenta.
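Those ranges can be checked with a little arithmetic. The following is a rough sketch that looks only at the first octet, since the second and third octets together shift the hue by less than 1.5 degrees. octet_hue and the sector labels are hypothetical names chosen for this illustration, and the octet is divided by 256 on the assumption that it is the top 8 bits of a 24-bit value.

```shell
#!/bin/sh
# Sketch: approximate hue angle, in degrees, for a given first octet,
# plus the 60-degree sector of the color wheel that it falls in.
# octet_hue and the sector labels are hypothetical names.
octet_hue() {
	awk -v o="$1" 'BEGIN {
		deg = 360 * o / 256
		split("red-yellow yellow-green green-cyan cyan-blue blue-magenta magenta-red", name, " ")
		printf("%d %s\n", int(deg), name[int(deg / 60) + 1])
	}'
}

for o in 10 30 80 150 200
do
	printf '%s.0.0.0 -> ' "$o"
	octet_hue "$o"
done
```

For example, a first octet of 150 gives about 210 degrees, in the cyan-to-blue sector, and 200 gives about 281 degrees, in the blue-to-magenta sector.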

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly fewer after the grep)
# grep		... just the successful GET requests out of that
# cat | sort	... number the lines, then sort into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep '"GET [^"]*" 200 ' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
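		# Quote the expansions so the shell cannot glob-expand characters
		# such as ? and * that arrive in a requested URL.
		COUNTRY=$( geoiplookup "$CLIENTIP" |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo "$IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL" |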
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*256*256 + ip2*256 + ip3)/(256*256*256);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 
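
The script makes the requested path safe for the page by deleting the < and > characters. An alternative, sketched here as an assumption rather than as what the page does, is to escape the HTML-special characters so that the path is displayed exactly as requested. html_escape is a hypothetical helper name.

```shell
#!/bin/sh
# Sketch: escape HTML-special characters instead of deleting them.
# html_escape is a hypothetical name, not part of the original script.
html_escape() {
	# The ampersand must be handled first, or the entities produced by
	# the later substitutions would themselves be escaped.
	sed -e 's/&/\&amp;/g' \
	    -e 's/</\&lt;/g' \
	    -e 's/>/\&gt;/g' \
	    -e 's/"/\&quot;/g'
}

printf '%s\n' '/search?q=<b>&lang=en' | html_escape
# prints: /search?q=&lt;b&gt;&amp;lang=en
```

In the pipeline above, a filter like this would be applied to the path before it reaches the final printf.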
