Rack of Ethernet switches.

Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

34.235.143.190 US, United States 18/Jun/2019:14:38:56 /robots.txt
129.85.200.111 US, United States 18/Jun/2019:14:38:54 /technical/hp-printer-ready-message.html
107.77.225.155 US, United States 18/Jun/2019:14:38:07 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
157.55.39.25 US, United States 18/Jun/2019:14:38:07 /robots.txt
157.55.39.72 US, United States 18/Jun/2019:14:37:59 /radio/mwdx.html
217.22.136.24 CH, Switzerland 18/Jun/2019:14:37:53 /open-source/performance-tuning/tcp.html
50.68.105.42 CA, Canada 18/Jun/2019:14:37:47 /turkish/verbs.html
165.227.119.101 US, United States 18/Jun/2019:14:37:04 /technical/samsung-galaxy/secret-code.html
5.255.250.17 US, United States 18/Jun/2019:14:36:56 /cybersecurity/cipher-selection.html
82.221.105.6 IS, Iceland 18/Jun/2019:14:36:53 /
85.159.95.2 GB, United Kingdom 18/Jun/2019:14:36:33 /technical/dsl/
54.161.80.64 US, United States 18/Jun/2019:14:36:29 /travel/france/etretat-fecamp/
54.161.80.64 US, United States 18/Jun/2019:14:36:28 /robots.txt
5.255.250.17 US, United States 18/Jun/2019:14:36:26 /radio/j-poles.html
5.255.250.17 US, United States 18/Jun/2019:14:36:23 /travel/uk/dover/
45.19.97.120 US, United States 18/Jun/2019:14:36:21 /travel/uk/ben-nevis/
54.36.148.245 FR, France 18/Jun/2019:14:36:20 /travel/japan/tokyo-ueno/
40.139.55.99 US, United States 18/Jun/2019:14:36:19 /open-source/performance-tuning/file-systems.html
5.255.250.17 US, United States 18/Jun/2019:14:36:14 /radio/tek2445a.html
85.208.96.2 Unknown 18/Jun/2019:14:36:05 /cybersecurity/cyberwar/north-korea.html
66.249.79.155 US, United States 18/Jun/2019:14:36:00 /3d/histogram/
85.208.96.2 Unknown 18/Jun/2019:14:35:53 /cybersecurity/cyberwar/russia.html
3.89.84.167 US, United States 18/Jun/2019:14:35:39 /travel/usa/new-york-fictional-architecture/upper-west-side.html
3.89.84.167 US, United States 18/Jun/2019:14:35:38 /robots.txt
85.208.96.1 Unknown 18/Jun/2019:14:35:29 /robots.txt
172.58.231.210 US, United States 18/Jun/2019:14:35:20 /travel/usa/new-york-fictional-architecture/upper-west-side.html
18.212.153.159 US, United States 18/Jun/2019:14:35:18 /travel/usa/new-york-mcgees/
199.138.166.230 US, United States 18/Jun/2019:14:35:14 /open-source/performance-tuning/
199.138.166.230 US, United States 18/Jun/2019:14:35:12 /open-source/performance-tuning/tcp.html
18.234.42.157 US, United States 18/Jun/2019:14:35:10 /travel/usa/new-york-st-marks-place/
18.234.42.157 US, United States 18/Jun/2019:14:35:09 /robots.txt
54.162.234.241 US, United States 18/Jun/2019:14:35:08 /travel/usa/new-york-st-marks-place/
172.58.231.210 US, United States 18/Jun/2019:14:35:03 /travel/usa/new-york-st-marks-place/
34.230.57.69 US, United States 18/Jun/2019:14:35:03 /cybersecurity/isc2-ccsp/cloud-data-security.html
34.230.57.69 US, United States 18/Jun/2019:14:35:03 /robots.txt
5.255.250.17 US, United States 18/Jun/2019:14:35:01 /radio/
54.196.99.150 US, United States 18/Jun/2019:14:34:54 /cybersecurity/isc2-ccsp/cloud-data-security.html
3.80.179.141 US, United States 18/Jun/2019:14:34:51 /cybersecurity/isc2-ccsp/operations.html
5.255.250.17 US, United States 18/Jun/2019:14:34:51 /robots.txt
45.19.97.120 US, United States 18/Jun/2019:14:34:50 /travel/uk/scotland-isle-of-iona/ferry.html
172.58.231.210 US, United States 18/Jun/2019:14:34:45 /travel/usa/new-york-mcgees/
64.129.187.130 US, United States 18/Jun/2019:14:34:35 /open-source/migrate-rhel-to-centos.html
173.2.216.45 US, United States 18/Jun/2019:14:34:28 /turkish/turkish-verbs.pdf
206.16.134.32 US, United States 18/Jun/2019:14:34:26 /
174.221.143.133 US, United States 18/Jun/2019:14:34:23 /
174.221.143.133 US, United States 18/Jun/2019:14:34:18 /travel/france/etretat-fecamp/
157.55.39.109 US, United States 18/Jun/2019:14:33:52 /travel/latvia/?S=D
180.76.15.28 CN, China 18/Jun/2019:14:33:49 /travel/greece/greek/
157.55.39.72 US, United States 18/Jun/2019:14:33:48 /fun/requests-for-quotes/bahrain/?M=D
52.91.175.207 US, United States 18/Jun/2019:14:33:32 /networking/network-cables.html
71.181.82.52 US, United States 18/Jun/2019:14:33:30 /networking/network-cables.html
34.73.212.44 US, United States 18/Jun/2019:14:33:01 /
34.73.212.44 US, United States 18/Jun/2019:14:33:01 /robots.txt
107.77.203.79 US, United States 18/Jun/2019:14:32:59 /radio/tv-antenna.html
148.64.56.78 GB, United Kingdom 18/Jun/2019:14:32:58 /networking/nat.html
54.211.148.12 US, United States 18/Jun/2019:14:32:19 /travel/greece/delos.html
73.125.40.184 US, United States 18/Jun/2019:14:32:18 /travel/greece/delos.html
54.196.18.249 US, United States 18/Jun/2019:14:32:14 /travel/greece/delos.html
67.72.99.20 NL, Netherlands 18/Jun/2019:14:32:14 /ads.txt
66.102.6.65 US, United States 18/Jun/2019:14:32:13 /technical/convert-youtube-to-xvid.html
73.125.40.184 US, United States 18/Jun/2019:14:32:13 /travel/greece/delos.html
216.81.101.52 US, United States 18/Jun/2019:14:31:42 /travel/uk/scotland-isle-of-iona/iona.html
52.31.48.227 IE, Ireland 18/Jun/2019:14:31:11 /open-source/samba-active-directory/deployment.html
73.162.110.215 US, United States 18/Jun/2019:14:31:05 /
195.60.27.204 GB, United Kingdom 18/Jun/2019:14:31:02 /open-source/samba-active-directory/deployment.html
64.156.167.204 US, United States 18/Jun/2019:14:30:10 /ads.txt
170.31.98.52 US, United States 18/Jun/2019:14:30:09 /cybersecurity/isc2-ccsp/
47.133.111.161 US, United States 18/Jun/2019:14:29:30 /travel/uk/dover/
199.16.157.182 US, United States 18/Jun/2019:14:28:56 /travel/usa/new-york-hp-lovecraft/?s=tweetbot
71.181.82.52 US, United States 18/Jun/2019:14:28:39 /networking/nat.html
207.89.23.105 US, United States 18/Jun/2019:14:28:37 /travel/belgium/bastogne-ardennes/ardennes-forest.html
157.55.39.89 US, United States 18/Jun/2019:14:28:04 /travel/france/normandy/sainte-mere-eglise.html
40.77.167.2 US, United States 18/Jun/2019:14:27:58 /cybersecurity/cyberwar/
39.44.97.96 PK, Pakistan 18/Jun/2019:14:27:43 /networking/routing.html
95.163.255.174 RU, Russian Federation 18/Jun/2019:14:27:42 /travel/france/normandy/utah-beach.html
91.242.162.86 FR, France 18/Jun/2019:14:27:36 /robots.txt
95.163.255.165 RU, Russian Federation 18/Jun/2019:14:27:28 /travel/greece/meteora.html
95.163.255.173 RU, Russian Federation 18/Jun/2019:14:27:24 /cybersecurity/ssl-tls.html
165.225.73.19 DE, Germany 18/Jun/2019:14:27:07 /open-source/sysfs.html
66.102.6.65 US, United States 18/Jun/2019:14:27:05 /travel/greece/delos.html
66.249.83.59 US, United States 18/Jun/2019:14:27:04 /travel/greece/delos.html
95.163.255.171 RU, Russian Federation 18/Jun/2019:14:26:43 /cybersecurity/crypto/cipher-strength.html
203.125.44.105 SG, Singapore 18/Jun/2019:14:26:40 /travel/uk/lee-ho-fook/
95.163.255.160 RU, Russian Federation 18/Jun/2019:14:26:39 /travel/usa/detroit/detroit-part3.html
95.163.255.172 RU, Russian Federation 18/Jun/2019:14:26:35 /robots.txt
100.12.162.80 US, United States 18/Jun/2019:14:26:25 /travel/usa/new-york-sro-flophouses/
66.249.79.151 US, United States 18/Jun/2019:14:26:19 /turkish/
92.154.97.69 FR, France 18/Jun/2019:14:25:54 /open-source/pdf-not-authorized.html
108.235.171.74 US, United States 18/Jun/2019:14:25:53 /technical/dsl/
54.36.149.225 FR, France 18/Jun/2019:14:25:49 /travel/usa/new-york-nighthawks/
217.111.189.202 NL, Netherlands 18/Jun/2019:14:25:39 /open-source/performance-tuning/tcp.html
66.249.79.153 US, United States 18/Jun/2019:14:25:34 /open-source/performance-tuning/disks.html
157.55.39.109 US, United States 18/Jun/2019:14:25:08 /cybersecurity/cyberwar/
66.249.79.151 US, United States 18/Jun/2019:14:24:48 /cybersecurity/crypto/cipher-strength.html
95.112.172.168 DE, Germany 18/Jun/2019:14:24:45 /open-source/performance-tuning/tcp.html
157.55.39.109 US, United States 18/Jun/2019:14:24:36 /travel/usa/new-york-les-rivington/
66.249.79.155 US, United States 18/Jun/2019:14:24:01 /travel/belgium/bastogne-ardennes/ardennes-forest.html
66.249.79.151 US, United States 18/Jun/2019:14:23:12 /digsig/
66.249.79.153 US, United States 18/Jun/2019:14:22:53 /turkish/orthography.html
66.249.79.151 US, United States 18/Jun/2019:14:22:52 /travel/greenland/
86.87.128.49 NL, Netherlands 18/Jun/2019:14:22:38 /travel/uk/orkney-west-coast-walk/
50.207.49.162 US, United States 18/Jun/2019:14:22:26 /travel/usa/detroit/
197.181.58.125 KE, Kenya 18/Jun/2019:14:22:09 /travel/france/normandy/utah-beach.html
82.150.248.37 FR, France 18/Jun/2019:14:22:04 /open-source/performance-tuning/disks.html
5.188.210.58 RU, Russian Federation 18/Jun/2019:14:21:58 /contact.html
5.188.210.58 RU, Russian Federation 18/Jun/2019:14:21:56 /travel/usa/san-francisco/
86.87.128.49 NL, Netherlands 18/Jun/2019:14:21:47 /travel/uk/glastonbury/holy-grail.html
86.18.66.45 GB, United Kingdom 18/Jun/2019:14:21:37 /turkish/verbs.html
54.89.98.42 US, United States 18/Jun/2019:14:21:36 /cybersecurity/isc2-ccsp/legal.html
170.31.98.52 US, United States 18/Jun/2019:14:21:35 /cybersecurity/isc2-ccsp/legal.html
54.160.82.21 US, United States 18/Jun/2019:14:20:55 /travel/usa/detroit/detroit-part2.html
50.207.49.162 US, United States 18/Jun/2019:14:20:51 /travel/usa/detroit/detroit-part2.html
157.55.39.72 US, United States 18/Jun/2019:14:19:51 /3d/histogram/
85.25.210.234 DE, Germany 18/Jun/2019:14:19:38 /robots.txt
157.140.126.4 GB, United Kingdom 18/Jun/2019:14:19:23 /open-source/pdf-not-authorized.html
46.229.161.131 US, United States 18/Jun/2019:14:18:49 /cybersecurity/monitoring.html
205.142.197.113 US, United States 18/Jun/2019:14:18:13 /travel/france/normandy/brecourt-manor.html
88.67.229.145 DE, Germany 18/Jun/2019:14:17:58 /open-source/openbsd-wireless-wpa2.html
123.192.119.226 TW, Taiwan 18/Jun/2019:14:16:51 /travel/italy/driving.html
194.57.89.228 FR, France 18/Jun/2019:14:16:44 /open-source/rhel-centos-5-6-7-8/
130.120.75.29 FR, France 18/Jun/2019:14:16:26 /open-source/sendmail-ssl.html
54.160.82.21 US, United States 18/Jun/2019:14:16:25 /cybersecurity/rfcs.html
74.83.118.164 US, United States 18/Jun/2019:14:16:18 /cybersecurity/rfcs.html
72.14.199.87 US, United States 18/Jun/2019:14:15:17 /cybersecurity/isc2-ccsp/operations.html
170.31.98.52 US, United States 18/Jun/2019:14:14:53 /cybersecurity/isc2-ccsp/operations.html
88.99.195.215 DE, Germany 18/Jun/2019:14:14:30 /travel/france/seine-river-art-history-monet/rouen.html?s=tweetbot
42.236.101.234 CN, China 18/Jun/2019:14:14:15 /cybersecurity/authentication.html
42.236.12.170 CN, China 18/Jun/2019:14:14:15 /fun/fingerbox/
42.236.99.178 CN, China 18/Jun/2019:14:14:15 /open-source/torrent-magnet-links.html
74.200.34.3 US, United States 18/Jun/2019:14:14:12 /open-source/tar-and-ssh.html

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages