Rack of Ethernet switches.

Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

35.172.201.102 US, United States 14/Dec/2018:02:36:39 /travel/usa/new-york-roosevelts/Index.html
35.172.201.102 US, United States 14/Dec/2018:02:36:39 /robots.txt
174.208.36.156 US, United States 14/Dec/2018:02:35:53 /technical/dsl/
54.36.148.100 FR, France 14/Dec/2018:02:35:19 /radio/power-meter.html
70.122.140.93 US, United States 14/Dec/2018:02:35:05 /travel/mexico/leon-trotsky.html
143.176.4.7 NL, Netherlands 14/Dec/2018:02:35:04 /open-source/openbsd-kernel.html
47.11.191.115 IN, India 14/Dec/2018:02:34:55 /open-source/vim-word-count.html
54.36.148.176 FR, France 14/Dec/2018:02:34:29 /travel/usa/new-york-st-marks-place/2nd-1st-south.html
54.36.149.103 FR, France 14/Dec/2018:02:34:11 /cybersecurity/basics/03-backup-your-files.html
157.55.39.56 US, United States 14/Dec/2018:02:33:10 /cybersecurity/cyberwar/
157.55.39.56 US, United States 14/Dec/2018:02:33:08 /open-source/rhel-centos-5-6-7/
37.9.87.224 RU, Russian Federation 14/Dec/2018:02:32:11 /open-source/sysfs.html
157.55.39.95 US, United States 14/Dec/2018:02:31:03 /networking/wlan-specs.html
157.55.39.95 US, United States 14/Dec/2018:02:31:02 /cybersecurity/backdoors.html
157.55.39.95 US, United States 14/Dec/2018:02:31:00 /fun/requests-for-quotes/bahrain/pictures/20091103151536617.pdf
173.66.236.186 US, United States 14/Dec/2018:02:30:19 /open-source/nginx-tls-1.3/running-tls-1.3.html
139.199.63.33 CN, China 14/Dec/2018:02:30:16 /
139.199.62.228 CN, China 14/Dec/2018:02:30:10 /
103.110.171.130 IN, India 14/Dec/2018:02:30:09 /travel/mexico/tecate-ensenada.html
5.255.250.17 US, United States 14/Dec/2018:02:29:35 /travel/france/lavomat/
54.36.148.23 FR, France 14/Dec/2018:02:29:26 /travel/france/boat-trip-canal-lateral-a-la-loire/nevers-to-fleury-sur-loire.html
93.176.146.144 ES, Spain 14/Dec/2018:02:29:20 /turkish/verbs.html
5.255.250.17 US, United States 14/Dec/2018:02:29:19 /cybersecurity/history/uk-wwii.html
207.38.87.148 US, United States 14/Dec/2018:02:29:13 /3d/xray/
5.255.250.17 US, United States 14/Dec/2018:02:28:58 /travel/bulgaria/sofia/
5.255.250.17 US, United States 14/Dec/2018:02:28:56 /open-source/ssh.html
178.154.244.46 RU, Russian Federation 14/Dec/2018:02:28:41 /travel/japan/tokyo-asakusa/hozomon.html
173.228.55.50 US, United States 14/Dec/2018:02:28:24 /networking/class-a-nets.html
162.229.187.121 US, United States 14/Dec/2018:02:27:59 /open-source/performance-tuning/nfs.html
46.229.168.141 US, United States 14/Dec/2018:02:27:56 /cybersecurity/hardware.html
99.228.171.8 CA, Canada 14/Dec/2018:02:27:39 /travel/uk/oxford-lewis-tolkien/
68.237.128.172 US, United States 14/Dec/2018:02:27:19 /technical/dsl/
209.126.103.153 US, United States 14/Dec/2018:02:27:09 /
157.55.39.56 US, United States 14/Dec/2018:02:27:07 /travel/russia/goodwill.html
5.255.250.17 US, United States 14/Dec/2018:02:27:05 /open-source/google-freebsd-tls/freebsd.html
157.55.39.56 US, United States 14/Dec/2018:02:26:30 /cybersecurity/generalinfo.html
187.180.181.211 BR, Brazil 14/Dec/2018:02:25:45 /technical/ata-ide-sata-usb-cable-pinouts.html
178.148.177.96 RS, Serbia 14/Dec/2018:02:25:10 /open-source/flash-on-non-sse2-cpu.html
46.229.168.131 US, United States 14/Dec/2018:02:25:07 /oliver-cromwell/
46.229.168.134 US, United States 14/Dec/2018:02:25:05 /robots.txt
157.55.39.10 US, United States 14/Dec/2018:02:25:04 /robots.txt
5.255.250.17 US, United States 14/Dec/2018:02:24:45 /travel/uk/
208.104.233.141 US, United States 14/Dec/2018:02:24:19 /open-source/performance-tuning/file-systems.html
5.255.250.17 US, United States 14/Dec/2018:02:23:33 /travel/usa/new-york-st-marks-place/
184.91.10.11 US, United States 14/Dec/2018:02:23:30 /travel/uk/lee-ho-fook/
5.255.250.17 US, United States 14/Dec/2018:02:23:28 /cybersecurity/comptia/
72.14.199.75 US, United States 14/Dec/2018:02:23:21 /turkish/verbs.html
66.249.79.135 US, United States 14/Dec/2018:02:23:17 /open-source/performance-tuning/ethernet.html
54.152.179.90 US, United States 14/Dec/2018:02:23:11 /open-source/
36.110.147.69 CN, China 14/Dec/2018:02:22:39 /open-source/compiling-opencv-on-openbsd.html
36.110.147.69 CN, China 14/Dec/2018:02:22:30 /open-source/compiling-opencv-on-openbsd.html
5.255.250.17 US, United States 14/Dec/2018:02:22:14 /radio/nc2030-qrp-transceiver/
5.255.250.17 US, United States 14/Dec/2018:02:22:11 /robots.txt
18.202.147.128 US, United States 14/Dec/2018:02:21:09 /travel/romania/bucovina-gura-humorului/
18.202.147.128 US, United States 14/Dec/2018:02:21:09 /travel/romania/bucovina-gura-humorului/
148.101.152.71 DO, Dominican Republic 14/Dec/2018:02:20:09 /open-source/linux-break-in-howto.html
98.160.143.243 US, United States 14/Dec/2018:02:19:59 /radio/
209.126.103.112 US, United States 14/Dec/2018:02:19:51 /
172.58.3.163 US, United States 14/Dec/2018:02:19:44 /cybersecurity/hardware.html
209.126.103.196 US, United States 14/Dec/2018:02:19:35 /
66.129.239.13 US, United States 14/Dec/2018:02:18:59 /open-source/lvm-rescue-boot.html
66.249.79.135 US, United States 14/Dec/2018:02:18:55 /open-source/1901/
174.192.18.166 US, United States 14/Dec/2018:02:17:59 /radio/tek2445a.html
206.16.134.20 US, United States 14/Dec/2018:02:17:57 /open-source/lvm-rescue-boot.html
74.87.21.11 US, United States 14/Dec/2018:02:15:57 /open-source/build-packages.html
66.129.239.13 US, United States 14/Dec/2018:02:14:03 /open-source/lvm-rescue-boot.html
172.117.238.177 US, United States 14/Dec/2018:02:13:57 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
192.198.147.165 MY, Malaysia 14/Dec/2018:02:13:42 /open-source/performance-tuning/disks.html
34.228.184.21 US, United States 14/Dec/2018:02:13:38 /radio/frequencies.html
98.160.143.243 US, United States 14/Dec/2018:02:13:36 /radio/frequencies.html
129.41.84.72 US, United States 14/Dec/2018:02:13:25 /open-source/performance-tuning/ethernet.html
116.203.30.11 IN, India 14/Dec/2018:02:13:09 /cybersecurity/cyberwar/ukraine.html
116.203.27.65 IN, India 14/Dec/2018:02:13:08 /cybersecurity/cyberwar/
64.233.172.158 US, United States 14/Dec/2018:02:11:24 /
37.187.162.165 FR, France 14/Dec/2018:02:11:14 /travel/france/roussillon/?s=tweetbot
216.115.162.10 US, United States 14/Dec/2018:02:10:48 /technical/dsl/
129.210.115.240 US, United States 14/Dec/2018:02:10:28 /cybersecurity/crypto/hash-search.html
18.188.222.237 US, United States 14/Dec/2018:02:10:19 /
199.58.86.211 US, United States 14/Dec/2018:02:09:35 /
199.58.86.211 US, United States 14/Dec/2018:02:09:28 /robots.txt
157.55.39.223 US, United States 14/Dec/2018:02:09:20 /travel/usa/new-york-roosevelts/Index.html
148.64.56.73 GB, United Kingdom 14/Dec/2018:02:07:44 /travel/france/boat/canal-selection-and-logs.html
66.249.79.135 US, United States 14/Dec/2018:02:07:40 /3d/histogram/
148.64.56.70 GB, United Kingdom 14/Dec/2018:02:07:30 /open-source/build-packages.html
54.36.148.95 FR, France 14/Dec/2018:02:07:28 /travel/usa/new-york-st-marks-place/
47.199.178.57 US, United States 14/Dec/2018:02:05:07 /travel/italy/driving.html
66.160.140.183 US, United States 14/Dec/2018:02:04:40 /robots.txt
148.64.56.76 GB, United Kingdom 14/Dec/2018:02:04:35 /brewing/how-to-brew-mead.html
76.18.178.210 US, United States 14/Dec/2018:02:04:32 /
66.249.79.139 US, United States 14/Dec/2018:02:04:20 /radio/internet-radio.html
148.64.56.71 GB, United Kingdom 14/Dec/2018:02:03:49 /technical/wma-or-flac-to-mp3.html
107.203.162.37 US, United States 14/Dec/2018:02:03:41 /travel/france/jim-morrison-paris.html
54.88.13.121 US, United States 14/Dec/2018:02:03:18 /open-source/linux-kernel-details.html

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages