Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

64.124.8.58 US, United States 07/Feb/2023:20:22:10 /networking/what-is-ipsec.html
64.124.8.58 US, United States 07/Feb/2023:20:21:59 /cybersecurity/comsec.html
140.238.95.199 US, United States 07/Feb/2023:20:21:56 /travel/uk/the-road-to-the-isles/
149.34.244.178 US, United States 07/Feb/2023:20:21:55 /?q=mimmfinity.com
18.224.51.214 US, United States 07/Feb/2023:20:21:48 /open-source/digital-camera.html
152.67.137.35 US, United States 07/Feb/2023:20:21:46 /travel/uk/the-road-to-the-isles/
3.235.28.166 US, United States 07/Feb/2023:20:21:29 /russian/
220.77.118.246 KR, Korea, Republic of 07/Feb/2023:20:21:14 /travel/usa/new-york-ottoman-sultan/?s=mb
3.87.177.87 US, United States 07/Feb/2023:20:21:12 /sitemap.txt
3.87.177.87 US, United States 07/Feb/2023:20:21:12 /sitemap.txt
58.98.83.171 JP, Japan 07/Feb/2023:20:20:53 /travel/poland/?s=mb
94.237.124.145 FI, Finland 07/Feb/2023:20:20:44 /travel/uk/the-road-to-the-isles/
94.237.124.145 FI, Finland 07/Feb/2023:20:20:43 /travel/uk/the-road-to-the-isles/
52.30.198.78 IE, Ireland 07/Feb/2023:20:20:42 /travel/uk/the-road-to-the-isles/
114.111.32.183 KR, Korea, Republic of 07/Feb/2023:20:20:39 /travel/france/paris-marais/
82.168.241.64 NL, Netherlands 07/Feb/2023:20:20:36 /travel/uk/the-road-to-the-isles/
54.162.178.130 US, United States 07/Feb/2023:20:20:29 /networking/cisco.html
5.173.225.47 PL, Poland 07/Feb/2023:20:20:18 /open-source/performance-tuning/nfs.html
44.192.247.184 US, United States 07/Feb/2023:20:19:57 /3d/3d-sensor.html
44.192.247.184 US, United States 07/Feb/2023:20:19:57 /robots.txt
184.59.37.36 US, United States 07/Feb/2023:20:19:54 /open-source/performance-tuning/disks.html
204.15.208.33 Unknown 07/Feb/2023:20:19:50 /cybersecurity/telecom-outages.html
49.7.20.89 CN, China 07/Feb/2023:20:19:42 /travel/japan/fukuoka/
37.76.14.185 HU, Hungary 07/Feb/2023:20:19:42 /open-source/grub-vga-modes.html
104.28.30.74 US, United States 07/Feb/2023:20:19:34 /travel/usa/new-york-skate-manhattan/
66.249.77.41 US, United States 07/Feb/2023:20:19:20 /travel/lithuania/?N=A
192.58.125.27 US, United States 07/Feb/2023:20:19:16 /
192.58.125.27 US, United States 07/Feb/2023:20:19:14 /
79.109.11.124 ES, Spain 07/Feb/2023:20:19:12 /radio/probes.html
135.125.219.72 US, United States 07/Feb/2023:20:19:05 /travel/syria/damascus.html?s=tb
17.241.227.48 US, United States 07/Feb/2023:20:18:41 /travel/uk/ben-nevis/
44.226.52.181 US, United States 07/Feb/2023:20:18:34 /travel/syria/damascus.html?s=mb
3.94.249.181 US, United States 07/Feb/2023:20:18:32 /radio/nc2030-qrp-transceiver/
95.217.231.154 FI, Finland 07/Feb/2023:20:18:29 /travel/syria/damascus.html?s=tb
3.17.81.226 US, United States 07/Feb/2023:20:18:25 /open-source/virtualization.html
169.145.40.8 US, United States 07/Feb/2023:20:18:20 /open-source/performance-tuning/tcp.html
123.125.109.101 CN, China 07/Feb/2023:20:18:16 /cybersecurity/html-email.html
80.61.90.197 NL, Netherlands 07/Feb/2023:20:18:13 /cybersecurity/crypto/diffie-hellman.html?s=mb
169.145.40.8 US, United States 07/Feb/2023:20:18:07 /open-source/performance-tuning/tcp.html
54.161.31.15 US, United States 07/Feb/2023:20:17:46 /travel/mexico/leon-trotsky.html
70.52.19.128 CA, Canada 07/Feb/2023:20:17:45 /travel/japan/kyoto/temples/?s=mb
70.52.19.128 CA, Canada 07/Feb/2023:20:17:40 /travel/syria/damascus.html?s=mb
217.123.16.10 NL, Netherlands 07/Feb/2023:20:17:17 /cybersecurity/comptia/Index.html?s=tc
192.133.77.16 US, United States 07/Feb/2023:20:17:01 /cybersecurity/basics/02-smart-phone-and-tablet.html?s=tb
199.16.157.183 US, United States 07/Feb/2023:20:17:00 /cybersecurity/basics/02-smart-phone-and-tablet.html?s=tb
34.219.73.208 US, United States 07/Feb/2023:20:16:54 /open-source/rpm-creation.html
207.46.13.10 US, United States 07/Feb/2023:20:16:54 /travel/uk/glastonbury/
87.249.25.136 RU, Russian Federation 07/Feb/2023:20:16:51 /russian/latex.html
66.205.91.40 US, United States 07/Feb/2023:20:16:42 /open-source/performance-tuning/disks.html
199.46.188.15 AU, Australia 07/Feb/2023:20:16:38 /open-source/performance-tuning/nfs.html
52.15.188.132 US, United States 07/Feb/2023:20:16:33 /travel/japan/kyoto/temples/?s=mb
52.15.188.132 US, United States 07/Feb/2023:20:16:30 /travel/poland/?s=mb
52.15.188.132 US, United States 07/Feb/2023:20:16:29 /travel/usa/new-york-ottoman-sultan/?s=mb
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /travel/france/flaneur-seine-banks/
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /travel/japan/ise/inner-shrine.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /travel/japan/kamakura/kamakura.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /steampunk/
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /radio/tek2445a.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /open-source/unix-tips.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /open-source/rhel-oracle-centos-multimedia.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /cybersecurity/hostile/manitowoc-bank-scam.html
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /travel/usa/baltimore/
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /open-source/linux-amd-ryzen-gpu/
52.167.144.78 US, United States 07/Feb/2023:20:16:09 /cybersecurity/basics/all.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /open-source/google-freebsd-tls/tls-certificate.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /open-source/canon-pixma-printer-scanner.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /travel/japan/shinto-buddhism/shinto.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /cybersecurity/www.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /travel/france/boat-trip-canal-lateral-a-la-loire/fleury-sur-loire-to-decize.html
52.167.144.78 US, United States 07/Feb/2023:20:16:08 /cybersecurity/telecom-outages.html
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:16:05 /open-source/performance-tuning/file-systems.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /travel/france/normandy/brecourt-manor.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /travel/greece/paros.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /technical/quickdisk-recovery.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /travel/greece/patmos/skala.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /cybersecurity/major-breaches.html
52.167.144.37 US, United States 07/Feb/2023:20:15:52 /travel/greece/santorini.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /open-source/nginx-tls-1.3/security-performance-nginx.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /travel/syria/palmyra.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /open-source/nginx-tls-1.3/
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /cybersecurity/crypto/hash.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /cybersecurity/cipher-selection.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /travel/usa/venice-california/
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /networking/
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /fun/brilliant-movie-ideas/unholy-unions.html
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /cybersecurity/
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /3d/histogram/
52.167.144.37 US, United States 07/Feb/2023:20:15:51 /travel/france/boat-trip-canal-lateral-a-la-loire/beaulieu-sur-loire-to-st-thibault.html
132.145.15.209 US, United States 07/Feb/2023:20:15:42 /open-source/linux-amd-ryzen-gpu/
74.119.118.20 US, United States 07/Feb/2023:20:15:41 /travel/usa/new-york-sro-flophouses/
140.238.83.181 US, United States 07/Feb/2023:20:15:41 /open-source/linux-amd-ryzen-gpu/
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:15:40 /cybersecurity/isc2-ccsp/cloud-data-security.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/france/school-lunch-menus/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /technical/search-engine-optimization-howto.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /technical/dct-2000.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/italy/napoli/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/japan/tokyo-akihabara/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /cybersecurity/isc2-cissp/domain-1-security-risk-management.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /radio/circuit-board.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /cybersecurity/history/bwi.html
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/romania/bucovina-gura-humorului/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/turkey/goreme/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/usa/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/usa/new-york-obama/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /travel/usa/san-francisco-haight-ashbury/
207.46.13.10 US, United States 07/Feb/2023:20:15:37 /3d/sensor-design.html
212.85.67.30 SE, Sweden 07/Feb/2023:20:15:36 /travel/syria/damascus.html?s=mb
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:15:28 /radio/power-meter.html
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:15:22 /robots.txt
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/france/provence-megaliths/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/greece/greek-islands.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/belgium/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/athens-to-paris/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /radio/propagation.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/latvia/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /open-source/torrent-magnet-links.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/hostile/win.trojan.upatre.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/mexico/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/hardware.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/uk/edinburgh/
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /travel/uk/glastonbury/chalice-spring-tor.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/crypto/culture.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /open-source/compiling-opencv-on-openbsd.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/basics/04-passwords.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /fun/brilliant-movie-ideas/deja-viewed.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/ssl-tls.html
207.46.13.106 US, United States 07/Feb/2023:20:15:19 /cybersecurity/password-breaking.html
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:15:16 /fun/brilliant-movie-ideas/no-worse.html
211.249.246.182 KR, Korea, Republic of 07/Feb/2023:20:15:15 /robots.txt
51.161.119.139 FR, France 07/Feb/2023:20:15:11 /travel/syria/damascus.html?s=mb
195.201.25.153 DE, Germany 07/Feb/2023:20:15:08 /travel/syria/damascus.html?s=mb
66.249.77.43 US, United States 07/Feb/2023:20:15:07 /travel/japan/logistics/point-and-call/Index.html
5.161.44.231 IR, Iran, Islamic Republic of 07/Feb/2023:20:15:05 /travel/syria/damascus.html?s=mb
5.161.147.161 IR, Iran, Islamic Republic of 07/Feb/2023:20:15:04 /travel/syria/damascus.html?s=mb
78.143.68.141 DK, Denmark 07/Feb/2023:20:15:03 /travel/syria/damascus.html?s=mb
54.73.83.127 IE, Ireland 07/Feb/2023:20:15:02 /travel/syria/damascus.html?s=mb
144.76.90.220 DE, Germany 07/Feb/2023:20:15:01 /travel/syria/damascus.html?s=mb
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/china/logistics-and-language.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/chile/la-serena/
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/france/loire-valley/chinon.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/bulgaria/veliko-tarnovo/
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/greece/thessaloniki.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /steampunk/mobile-soviet-telephone.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/japan/kofun/ishibutai.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /open-source/sendmail-ssl.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /cybersecurity/cyberwar/usa.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /cybersecurity/cyberwar/china.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/uk/orkney-neolithic/
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /cybersecurity/basics/07-social-media.html
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /oliver-cromwell/
157.55.39.142 US, United States 07/Feb/2023:20:15:01 /travel/usa/new-york-harbor/
66.175.221.82 US, United States 07/Feb/2023:20:15:01 /travel/syria/damascus.html?s=mb
157.55.39.142 US, United States 07/Feb/2023:20:15:00 /oliver-cromwell/
157.55.39.142 US, United States 07/Feb/2023:20:15:00 /networking/routing.html
157.55.39.142 US, United States 07/Feb/2023:20:15:00 /travel/usa/transport.html
157.55.39.142 US, United States 07/Feb/2023:20:15:00 /turkish/background.html
185.132.179.22 AE, United Arab Emirates 07/Feb/2023:20:14:59 /travel/syria/damascus.html?s=mb
209.221.142.114 US, United States 07/Feb/2023:20:14:59 /travel/syria/damascus.html?s=mb
162.19.31.97 US, United States 07/Feb/2023:20:14:58 /travel/syria/damascus.html?s=mb
195.117.15.33 PL, Poland 07/Feb/2023:20:14:57 /travel/syria/damascus.html?s=mb
54.39.85.82 CA, Canada 07/Feb/2023:20:14:57 /travel/syria/damascus.html?s=mb
185.250.56.35 CH, Switzerland 07/Feb/2023:20:14:57 /travel/syria/damascus.html?s=mb
185.199.222.29 GB, United Kingdom 07/Feb/2023:20:14:56 /travel/syria/damascus.html?s=mb
45.79.239.147 US, United States 07/Feb/2023:20:14:56 /travel/syria/damascus.html?s=mb
65.108.104.219 US, United States 07/Feb/2023:20:14:55 /travel/syria/damascus.html?s=mb
138.201.19.143 DE, Germany 07/Feb/2023:20:14:55 /travel/syria/damascus.html?s=mb

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages