Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, while others are harder to identify. Another pattern is the systematic blind search for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result; the explanation comes later. Here are the most recent client requests, newest first. Your request for this page won't appear there, because it hadn't completed when PHP generated the page. But if you reload the page, you should see your initial request near the top.

3.237.105.210 US, United States 25/Feb/2021:04:11:41 /robots.txt
161.8.250.162 US, United States 25/Feb/2021:04:11:23 /open-source/performance-tuning/disks.html
5.157.12.218 IE, Ireland 25/Feb/2021:04:11:17 /travel/turkey/trains/Index.html
5.157.35.222 RU, Russian Federation 25/Feb/2021:04:11:16 /travel/japan/kyoto/temples/?s=tb
73.203.137.23 US, United States 25/Feb/2021:04:11:11 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:11:11 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:11:11 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:11:11 /cybersecurity/isc2-ccsp/standards-and-regulations.html
47.32.179.163 US, United States 25/Feb/2021:04:11:08 /travel/usa/us-wash-masonic.html
95.163.255.161 RU, Russian Federation 25/Feb/2021:04:11:08 /robots.txt
136.243.80.152 DE, Germany 25/Feb/2021:04:11:05 /travel/japan/kyoto/temples/
37.187.162.187 FR, France 25/Feb/2021:04:10:56 /travel/japan/kyoto/temples/?s=tb
68.67.155.230 US, United States 25/Feb/2021:04:10:52 /ads.txt
34.236.13.164 US, United States 25/Feb/2021:04:10:39 /travel/japan/kyoto/temples/?s=tb
213.186.4.78 HR, Croatia 25/Feb/2021:04:10:25 /travel/turkey/trains/Index.html
194.29.32.129 IL, Israel 25/Feb/2021:04:10:23 /travel/japan/kyoto/temples/?s=tb
194.29.32.129 IL, Israel 25/Feb/2021:04:10:22 /travel/japan/kyoto/temples/?s=tb
144.76.22.139 DE, Germany 25/Feb/2021:04:10:13 /travel/japan/kyoto/temples/?s=tb
136.49.128.223 US, United States 25/Feb/2021:04:10:12 /open-source/sendmail-ssl.html
54.36.148.183 FR, France 25/Feb/2021:04:10:10 /travel/greece/patmos/
138.201.206.206 DE, Germany 25/Feb/2021:04:10:08 /travel/japan/kyoto/temples/?s=tb
17.58.100.8 US, United States 25/Feb/2021:04:10:01 /travel/japan/kyoto/temples/?s=tb
54.36.148.147 FR, France 25/Feb/2021:04:09:18 /travel/japan/tokyo-asakusa/hozomon.html
35.196.95.178 US, United States 25/Feb/2021:04:09:18 /
35.196.95.178 US, United States 25/Feb/2021:04:09:18 /robots.txt
35.196.95.178 US, United States 25/Feb/2021:04:09:17 /robots.txt
144.217.68.133 CA, Canada 25/Feb/2021:04:09:10 /travel/japan/ise/wedded-rocks.html
74.119.118.48 US, United States 25/Feb/2021:04:09:07 /open-source/dev-random.html
98.37.159.6 US, United States 25/Feb/2021:04:08:50 /cybersecurity/telecom-outages.html
34.236.13.164 US, United States 25/Feb/2021:04:08:39 /travel/turkey/trains/Index.html
54.213.85.222 US, United States 25/Feb/2021:04:08:26 /technical/dsl/
88.99.64.214 DE, Germany 25/Feb/2021:04:08:24 /travel/turkey/trains/Index.html
88.99.64.214 DE, Germany 25/Feb/2021:04:08:24 /robots.txt
54.213.85.222 US, United States 25/Feb/2021:04:08:24 /robots.txt
54.88.234.90 US, United States 25/Feb/2021:04:08:21 /travel/turkey/trains/Index.html
3.218.77.26 US, United States 25/Feb/2021:04:08:20 /travel/turkey/trains/Index.html
88.99.195.215 DE, Germany 25/Feb/2021:04:08:19 /travel/turkey/trains/Index.html
35.173.18.250 US, United States 25/Feb/2021:04:08:15 /travel/turkey/trains/Index.html
35.173.18.250 US, United States 25/Feb/2021:04:08:15 /travel/turkey/trains/Index.html
35.173.18.250 US, United States 25/Feb/2021:04:08:15 /travel/turkey/trains/Index.html
35.173.18.250 US, United States 25/Feb/2021:04:08:15 /travel/turkey/trains/Index.html
3.208.220.200 US, United States 25/Feb/2021:04:08:14 /travel/turkey/trains/Index.html
95.217.145.66 FI, Finland 25/Feb/2021:04:08:12 /travel/turkey/trains/Index.html
95.217.145.66 FI, Finland 25/Feb/2021:04:08:12 /robots.txt
37.187.162.126 FR, France 25/Feb/2021:04:08:10 /travel/turkey/trains/Index.html
17.58.100.8 US, United States 25/Feb/2021:04:08:00 /travel/turkey/trains/Index.html
199.59.150.181 US, United States 25/Feb/2021:04:08:00 /travel/turkey/trains/Index.html
199.59.150.182 US, United States 25/Feb/2021:04:08:00 /robots.txt
199.59.150.181 US, United States 25/Feb/2021:04:08:00 /robots.txt
208.74.142.117 US, United States 25/Feb/2021:04:07:26 /
76.90.164.208 US, United States 25/Feb/2021:04:07:09 /travel/france/school-lunch-menus/
54.39.103.203 CA, Canada 25/Feb/2021:04:06:59 /travel/japan/kofun/empress-koken.html
71.166.59.74 US, United States 25/Feb/2021:04:06:54 /open-source/raspberry-pi/sdr-ads-b-piaware-and-fr24feed.html
107.77.231.226 US, United States 25/Feb/2021:04:05:53 /
192.99.232.216 CA, Canada 25/Feb/2021:04:05:45 /travel/japan/kofun/emperor-kaika.html
73.203.137.23 US, United States 25/Feb/2021:04:05:18 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:05:18 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:05:18 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:05:18 /cybersecurity/isc2-ccsp/standards-and-regulations.html
35.196.95.178 US, United States 25/Feb/2021:04:04:57 /robots.txt
35.177.4.60 GB, United Kingdom 25/Feb/2021:04:04:22 /travel/china/guangzhou-2.html?s=tb
157.55.39.224 US, United States 25/Feb/2021:04:04:16 /networking/logs-in-color.html
54.213.85.222 US, United States 25/Feb/2021:04:04:13 /
54.213.85.222 US, United States 25/Feb/2021:04:04:09 /robots.txt
148.72.155.14 US, United States 25/Feb/2021:04:03:59 /travel/usa/new-york-roosevelts/
54.36.148.124 FR, France 25/Feb/2021:04:03:59 /travel/japan/nikko/other-sites.html
54.89.124.165 US, United States 25/Feb/2021:04:03:53 /travel/usa/new-york-roosevelts/
184.61.70.162 US, United States 25/Feb/2021:04:03:53 /
71.127.218.6 US, United States 25/Feb/2021:04:03:51 /travel/usa/new-york-roosevelts/
107.77.227.194 US, United States 25/Feb/2021:04:03:37 /
66.249.79.29 US, United States 25/Feb/2021:04:03:27 /cybersecurity/comptia/domain-6.html
40.77.167.78 US, United States 25/Feb/2021:04:03:17 /travel/athens-to-paris/bucharest-gura-humorului.html
167.114.119.164 CA, Canada 25/Feb/2021:04:03:10 /travel/turkey/goreme/
188.138.57.167 DE, Germany 25/Feb/2021:04:03:03 /cybersecurity/comptia/domain-6.html
52.212.88.205 IE, Ireland 25/Feb/2021:04:02:52 /open-source/openbsd-qemu-windows-howto.html
73.203.137.23 US, United States 25/Feb/2021:04:02:46 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:02:46 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:02:46 /cybersecurity/isc2-ccsp/standards-and-regulations.html
73.203.137.23 US, United States 25/Feb/2021:04:02:46 /cybersecurity/isc2-ccsp/standards-and-regulations.html
103.105.101.140 IN, India 25/Feb/2021:04:02:37 /open-source/performance-tuning/
66.249.79.27 US, United States 25/Feb/2021:04:01:43 /open-source/nginx-tls-1.3/running-tls-1.3.html
37.187.167.33 FR, France 25/Feb/2021:04:01:36 /travel/china/guangzhou-2.html?s=tb
191.101.214.10 US, United States 25/Feb/2021:04:01:22 /cybersecurity/comptia/domain-6.html
144.76.94.109 DE, Germany 25/Feb/2021:04:01:17 /travel/china/guangzhou-2.html?s=tb
144.76.94.109 DE, Germany 25/Feb/2021:04:01:17 /robots.txt
1.132.107.247 AU, Australia 25/Feb/2021:04:01:01 /technical/dsl/
3.81.94.244 US, United States 25/Feb/2021:04:01:01 /cybersecurity/comptia/domain-6.html
41.58.231.169 NG, Nigeria 25/Feb/2021:04:00:56 /cybersecurity/comptia/domain-6.html
35.204.17.186 EU, Europe 25/Feb/2021:04:00:42 /cybersecurity/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /russian/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /3d/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /fun/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /networking/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /radio/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /travel/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /open-source/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /turkish/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /technical/
35.204.17.186 EU, Europe 25/Feb/2021:04:00:41 /
35.204.17.186 EU, Europe 25/Feb/2021:04:00:40 /
161.64.154.74 MO, Macau 25/Feb/2021:04:00:04 /open-source/performance-tuning/nfs.html
54.88.234.90 US, United States 25/Feb/2021:03:59:46 /travel/china/guangzhou-2.html?s=tb
34.236.13.164 US, United States 25/Feb/2021:03:59:41 /travel/china/guangzhou-2.html?s=tb
66.249.79.29 US, United States 25/Feb/2021:03:59:31 /cybersecurity/comptia/domain-3-answers.html
162.198.119.188 US, United States 25/Feb/2021:03:59:30 /open-source/performance-tuning/tcp.html
40.77.167.78 US, United States 25/Feb/2021:03:59:06 /travel/japan/tokyo-ueno/
157.55.39.138 US, United States 25/Feb/2021:03:59:01 /cybersecurity/history/uss-chaumont/photos-navymil.html
54.36.148.177 FR, France 25/Feb/2021:03:58:52 /travel/japan/tokyo-asakusa/hoppy-street.html
178.250.0.50 FR, France 25/Feb/2021:03:58:50 /cybersecurity/
37.187.162.193 FR, France 25/Feb/2021:03:58:48 /travel/china/guangzhou-2.html?s=tb
85.25.218.151 DE, Germany 25/Feb/2021:03:58:34 /travel/china/guangzhou-2.html
88.99.195.229 DE, Germany 25/Feb/2021:03:58:17 /travel/china/guangzhou-2.html?s=tb
35.173.18.250 US, United States 25/Feb/2021:03:58:11 /travel/china/guangzhou-2.html?s=tb
52.87.194.151 US, United States 25/Feb/2021:03:58:11 /travel/china/guangzhou-2.html
104.155.102.38 US, United States 25/Feb/2021:03:58:09 /travel/china/guangzhou-2.html?s=tb
139.28.238.151 Unknown 25/Feb/2021:03:58:06 /travel/
136.243.80.152 DE, Germany 25/Feb/2021:03:58:06 /travel/china/guangzhou-2.html
136.243.79.224 DE, Germany 25/Feb/2021:03:58:06 /travel/china/guangzhou-2.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. awk selects the client IP address, timestamp, and requested path, and geoiplookup converts the client IP address to a country where possible.
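
The field selection can be tried on a single line in isolation. The sketch below assumes the common "combined" log format. The log line and the geoiplookup result lines are made up for illustration, and the function names extract_fields and country_name are hypothetical. In the full script further down, cat -n has prepended a line number, so the same fields sit one position further right ($2, $5, $8).

```shell
#!/bin/sh
# Hypothetical sample line, assuming the "combined" log format.
line='203.0.113.7 - - [25/Feb/2021:04:11:41 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBot/1.0"'

# Turn quotes into spaces, drop square brackets, then keep the
# client IP ($1), timestamp ($4), and requested path ($7).
extract_fields() {
	sed -e 's/"/ /g' -e 's/[][]//g' |
	awk '{print $1, $4, $7}'
}

# Reduce a geoiplookup result line to the country, or "Unknown".
# The input format is an assumption based on the sed expressions
# used in the script.
country_name() {
	sed -e 's/.*Edition: //' -e 's/IP Address not found/Unknown/'
}

printf '%s\n' "$line" | extract_fields
printf '%s\n' 'GeoIP Country Edition: US, United States' | country_name
printf '%s\n' 'GeoIP Country Edition: IP Address not found' | country_name
```

The three commands at the end print the selected fields for the sample line, then the country for a successful lookup, then Unknown for a failed one.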

The first three octets, that is, the first 24 bits of the IP address, specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range 0-255 and printed as two-digit hexadecimal values in an HTML-style color string.
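
As a rough standalone sketch of that conversion, the function below takes the three octets as arguments and prints the color string. The name ip_color is hypothetical. The arithmetic follows the script further down, except that the values are truncated with int() before printing, which is an added precaution and not part of the original.

```shell
#!/bin/sh
# ip_color OCTET1 OCTET2 OCTET3
# Print an HTML color string for the first three octets of an address.
ip_color() {
	awk -v ip1="$1" -v ip2="$2" -v ip3="$3" 'BEGIN {
		chroma = 0.75
		# Hue measured in sextants (0 to 6), scaled as in the script.
		hue = 6 * (ip1*255*255 + ip2*255 + ip3) / (255*255*255)
		# x rises from 0 to chroma and falls back over each pair of sextants.
		d = hue % 2 - 1
		if (d < 0) d = -d
		x = chroma * (1 - d)
		if      (hue < 1) { r = chroma; g = x;      b = 0 }
		else if (hue < 2) { r = x;      g = chroma; b = 0 }
		else if (hue < 3) { r = 0;      g = chroma; b = x }
		else if (hue < 4) { r = 0;      g = x;      b = chroma }
		else if (hue < 5) { r = x;      g = 0;      b = chroma }
		else              { r = chroma; g = 0;      b = x }
		# Lift every channel by 1 - chroma so the largest reaches 255.
		m = 1 - chroma
		printf("#%02x%02x%02x\n", int((r + m)*255), int((g + m)*255), int((b + m)*255))
	}'
}

ip_color 0 0 0      # prints #ff3f3f
ip_color 85 0 0     # prints #3fff3f
ip_color 73 203 137
```

Because 25% is added to every channel, no channel ever falls below 3f, which keeps the backgrounds pale enough for black text to stay readable.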

Low-numbered /8 networks appear as red. 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, and 50.0.0.0/8 through 110.0.0.0/8 are shades of green. The /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue. Then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.
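
Those ranges follow from the first octet alone, since the second and third octets move the hue by less than 0.03. The sketch below prints the approximate hue and the pair of colors that each sextant blends between. The function name hue_band and the band labels are hypothetical, chosen here for illustration.

```shell
#!/bin/sh
# hue_band OCTET
# Print the first octet, its approximate hue (0 to 6), and the two
# colors that sextant of the hue circle blends between.
hue_band() {
	awk -v o="$1" 'BEGIN {
		n = split("red-yellow yellow-green green-cyan cyan-blue blue-magenta magenta-red", band, " ")
		hue = 6 * o / 255          # second and third octets ignored
		s = int(hue)
		if (s > n - 1) s = n - 1   # clamp a first octet of 255
		printf("%d %.2f %s\n", o, hue, band[s + 1])
	}'
}

for o in 20 40 50 110 130 180 192 223
do
	hue_band "$o"
done
```

For example, a first octet of 20 gives a hue of about 0.47, partway from red to yellow, which is orange. A first octet of 223 gives about 5.25, just past magenta.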

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -n 200 /var/www/logs/access_log |
	grep '"GET [^"]*" 200 ' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
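	while read -r IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		# Quote every expansion so that characters such as ? or * in a
		# URL are never expanded as shell filename patterns.
		COUNTRY=$( geoiplookup "$CLIENTIP" |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		printf '%s\n' "$IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL" |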
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 
