Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

3.223.183.74 US, United States 27/May/2022:05:15:38 /cybersecurity/history/uss-chaumont/history.html
34.207.241.106 US, United States 27/May/2022:05:15:37 /ads.txt
34.207.241.106 US, United States 27/May/2022:05:15:37 /robots.txt
54.211.174.23 US, United States 27/May/2022:05:15:37 /cybersecurity/history/uss-chaumont/history.html
152.44.203.61 US, United States 27/May/2022:05:15:29 /cybersecurity/history/uss-chaumont/history.html
152.44.203.61 US, United States 27/May/2022:05:15:28 /cybersecurity/history/uss-chaumont/history.html
17.121.114.209 US, United States 27/May/2022:05:15:25 /open-source/ssh-5-monitoring.html
54.156.8.33 US, United States 27/May/2022:05:14:43 /travel/belgium/bastogne-ardennes/houffalize-malmedy-st-hubert.html
103.131.71.37 Unknown 27/May/2022:05:14:38 /robots.txt
44.192.25.113 US, United States 27/May/2022:05:14:12 /travel/france/flaneur-seine-banks/
185.191.171.18 MD, Moldova, Republic of 27/May/2022:05:13:36 /3d/archaeology.html
140.238.95.47 US, United States 27/May/2022:05:12:43 /open-source/virtualization.html
66.249.79.9 US, United States 27/May/2022:05:12:26 /travel/turkey/aphrodisias/Index.html
132.145.64.33 US, United States 27/May/2022:05:12:19 /travel/greece/greek-mainland.html
132.145.66.116 US, United States 27/May/2022:05:12:18 /travel/greece/greek-mainland.html?s=tb
167.114.119.164 CA, Canada 27/May/2022:05:12:17 /travel/russia/sankt-peterburg.html
157.55.39.222 US, United States 27/May/2022:05:12:15 /open-source/sysfs.html
207.38.88.223 US, United States 27/May/2022:05:12:06 /open-source/rhel-oracle-centos-5-6-7-8/logging.html
44.192.25.113 US, United States 27/May/2022:05:12:04 /steampunk/
44.192.25.113 US, United States 27/May/2022:05:12:04 /robots.txt
74.119.119.57 US, United States 27/May/2022:05:11:03 /travel/greece/greek-mainland.html
114.119.143.174 CN, China 27/May/2022:05:11:01 /open-source/rhel-oracle-centos-5-6-7-8/network-services.html
199.166.0.116 US, United States 27/May/2022:05:11:00 /travel/greece/greek-mainland.html?s=tb
54.197.220.252 US, United States 27/May/2022:05:10:59 /travel/greece/greek-mainland.html?s=tb
54.197.220.252 US, United States 27/May/2022:05:10:59 /robots.txt
54.81.48.4 US, United States 27/May/2022:05:10:58 /travel/greece/greek-mainland.html?s=tb
172.58.189.37 US, United States 27/May/2022:05:10:51 /travel/greece/greek-mainland.html?s=tb
199.59.150.182 US, United States 27/May/2022:05:10:46 /travel/uk/avebury/?s=tb
182.161.74.69 SG, Singapore 27/May/2022:05:10:38 /travel/greece/santorini.html
50.113.89.168 US, United States 27/May/2022:05:10:27 /open-source/raspberry-pi/openvas.html
212.5.205.202 SK, Slovakia 27/May/2022:05:10:21 /networking/netstat-a.html
66.249.79.11 US, United States 27/May/2022:05:10:18 /travel/greece/tiryns.html
103.3.82.100 PH, Philippines 27/May/2022:05:10:09 /travel/greece/santorini.html
78.173.3.114 TR, Turkey 27/May/2022:05:09:22 /turkish/turkish-verbs.pdf
87.250.224.109 RU, Russian Federation 27/May/2022:05:09:18 /
152.39.146.244 US, United States 27/May/2022:05:08:05 /travel/syria/palmyra.html
95.215.37.7 UA, Ukraine 27/May/2022:05:08:04 /robots.txt
73.20.103.24 US, United States 27/May/2022:05:08:03 /technical/dsl/
3.85.95.242 US, United States 27/May/2022:05:07:51 /travel/syria/palmyra.html
216.24.45.27 US, United States 27/May/2022:05:07:46 /travel/syria/palmyra.html
120.21.69.66 AU, Australia 27/May/2022:05:07:22 /technical/dsl/
192.99.232.216 CA, Canada 27/May/2022:05:07:19 /travel/japan/kamakura/yagura.html
35.230.147.151 US, United States 27/May/2022:05:06:45 /travel/japan/kamakura/
78.173.3.114 TR, Turkey 27/May/2022:05:06:13 /turkish/turkish-suffixes.html
149.202.141.140 FR, France 27/May/2022:05:05:16 /travel/uk/lee-ho-fook/?s=tb
51.161.115.226 FR, France 27/May/2022:05:05:08 /travel/uk/scotland-isle-of-iona/iona.html
140.238.94.137 US, United States 27/May/2022:05:04:28 /open-source/performance-tuning/file-systems.html
167.114.159.149 CA, Canada 27/May/2022:05:03:14 /travel/japan/kamakura/tachinomiya.html
91.197.39.51 Unknown 27/May/2022:05:02:54 /travel/france/marseille/vieux-port.html?s=tb
154.13.65.2 US, United States 27/May/2022:05:02:52 /travel/france/marseille/vieux-port.html?s=tb
114.119.143.207 CN, China 27/May/2022:05:02:18 /travel/japan/kofun/empress-koken.html
95.163.255.194 RU, Russian Federation 27/May/2022:05:02:10 /cybersecurity/hostile/downloader.html
40.77.167.5 US, United States 27/May/2022:05:02:00 /travel/bulgaria/sofia/?s=tweetbot
87.250.224.109 RU, Russian Federation 27/May/2022:05:01:19 /robots.txt
51.222.42.126 FR, France 27/May/2022:05:00:52 /travel/chile/constitucion/
54.236.1.13 US, United States 27/May/2022:05:00:01 /travel/greece/orthodox-shrines.html
199.16.157.183 US, United States 27/May/2022:04:59:59 /robots.txt
209.126.120.178 US, United States 27/May/2022:04:59:50 /networking/ip-addresses-and-subnets.html
66.249.79.9 US, United States 27/May/2022:04:59:21 /fun/requests-for-quotes/marlow-willard/
158.69.241.161 CA, Canada 27/May/2022:04:59:09 /travel/bulgaria/sofia/
69.194.143.140 US, United States 27/May/2022:04:58:47 /ads.txt
69.194.143.140 US, United States 27/May/2022:04:58:47 /ads.txt
211.249.46.159 KR, Korea, Republic of 27/May/2022:04:58:44 /travel/uk/ben-nevis/
167.114.173.221 CA, Canada 27/May/2022:04:58:41 /travel/china/guangzhou-2.html
54.156.8.33 US, United States 27/May/2022:04:58:13 /open-source/windows-path.html
188.138.9.37 DE, Germany 27/May/2022:04:57:16 /travel/italy/amalfi/
38.32.104.222 US, United States 27/May/2022:04:57:08 /open-source/performance-tuning/tcp.html
54.156.8.33 US, United States 27/May/2022:04:56:30 /travel/uk/glastonbury/chalice-spring-tor.html
91.143.80.66 DE, Germany 27/May/2022:04:56:05 /travel/egypt/giza.html
144.217.71.169 CA, Canada 27/May/2022:04:56:04 /travel/japan/nara/
114.119.143.187 CN, China 27/May/2022:04:54:52 /travel/japan/kofun/ishibutai.html
178.176.113.147 RU, Russian Federation 27/May/2022:04:54:50 /turkish/
66.249.79.9 US, United States 27/May/2022:04:54:30 /text/reports/2gmars.3.txt
204.15.208.30 Unknown 27/May/2022:04:53:09 /fun/sarah-palin-baby-name-generator-reloaded.html
188.138.9.109 DE, Germany 27/May/2022:04:53:03 /open-source/samba-active-directory/deployment.html
220.181.108.166 CN, China 27/May/2022:04:52:58 /contact.html
95.163.255.150 RU, Russian Federation 27/May/2022:04:52:55 /open-source/linux-break-in-howto.html
197.87.159.223 ZA, South Africa 27/May/2022:04:51:33 /open-source/performance-tuning/disks.html
17.121.112.123 US, United States 27/May/2022:04:51:03 /cybersecurity/elliptic-curve-cryptography/elliptic-curves.html
72.201.24.164 US, United States 27/May/2022:04:50:55 /
174.209.210.75 US, United States 27/May/2022:04:50:33 /fun/sarah-palin-baby-name-generator-reloaded.html
66.249.79.9 US, United States 27/May/2022:04:49:45 /travel/uk/harwell-glider-base/
5.255.253.184 RU, Russian Federation 27/May/2022:04:48:23 /robots.txt
5.255.253.184 RU, Russian Federation 27/May/2022:04:48:19 /robots.txt
95.163.255.164 RU, Russian Federation 27/May/2022:04:47:36 /open-source/linux-amd-ryzen-gpu/
95.163.255.152 RU, Russian Federation 27/May/2022:04:47:34 /robots.txt
114.119.143.18 CN, China 27/May/2022:04:47:30 /travel/china/class-and-macau.html
142.4.217.87 CA, Canada 27/May/2022:04:46:34 /travel/italy/napoli/
78.135.26.36 CY, Cyprus 27/May/2022:04:46:27 /
45.21.68.251 US, United States 27/May/2022:04:46:19 /technical/samsung-galaxy/secret-code.html
170.231.46.59 BR, Brazil 27/May/2022:04:45:57 /open-source/performance-tuning/nfs.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages