Rack of Ethernet switches.

Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

3.231.228.109 US, United States 19/Oct/2019:16:54:28 /steampunk/
3.231.228.109 US, United States 19/Oct/2019:16:54:28 /robots.txt
207.46.13.15 US, United States 19/Oct/2019:16:53:08 /technical/dsl/
46.229.168.136 US, United States 19/Oct/2019:16:52:11 /open-source/rhel-centos-5-6-7-8/network-services.html
86.57.235.194 BY, Belarus 19/Oct/2019:16:51:20 /open-source/performance-tuning/tcp.html
40.77.167.23 US, United States 19/Oct/2019:16:50:25 /travel/japan/kamakura/path-yagura.html?s=tweetbot
4.35.210.206 US, United States 19/Oct/2019:16:49:51 /open-source/performance-tuning/ethernet.html
54.36.150.75 FR, France 19/Oct/2019:16:49:00 /cybersecurity/monitoring.html
39.107.83.249 CN, China 19/Oct/2019:16:48:50 /cybersecurity/
80.215.3.69 FR, France 19/Oct/2019:16:48:33 /open-source/rhel-centos-5-6-7-8/
193.201.224.246 UA, Ukraine 19/Oct/2019:16:48:28 /contact.html
193.201.224.246 UA, Ukraine 19/Oct/2019:16:48:27 /travel/japan/tokyo-asakusa/sushi-train.html
193.201.224.246 UA, Ukraine 19/Oct/2019:16:48:22 /travel/japan/tokyo-asakusa/markets-and-streets.html
71.82.99.116 US, United States 19/Oct/2019:16:47:44 /open-source/rhel-centos-5-6-7-8/
108.72.230.160 US, United States 19/Oct/2019:16:47:43 /technical/dsl/
175.116.137.181 KR, Korea, Republic of 19/Oct/2019:16:47:41 /networking/commands.html
159.69.181.170 DE, Germany 19/Oct/2019:16:47:39 /radio/rf-spectrum.html
108.39.197.220 US, United States 19/Oct/2019:16:46:59 /fun/fingerbox/
176.20.209.167 DK, Denmark 19/Oct/2019:16:46:19 /radio/power-meter.html
5.255.250.17 US, United States 19/Oct/2019:16:46:08 /cybersecurity/syn2.html
5.255.250.17 US, United States 19/Oct/2019:16:46:04 /cybersecurity/attack-study/attacker-perspective.html
115.99.133.178 IN, India 19/Oct/2019:16:45:46 /travel/usa/new-york-mcgees/
195.181.170.71 DE, Germany 19/Oct/2019:16:45:04 /technical/html4-or-xhtml-to-html5.html
185.58.225.56 GB, United Kingdom 19/Oct/2019:16:44:30 /travel/hungary/budapest/?s=tb
88.99.195.220 DE, Germany 19/Oct/2019:16:44:23 /travel/hungary/budapest/?s=tb
3.217.157.17 US, United States 19/Oct/2019:16:44:16 /travel/hungary/budapest/?s=tb
174.25.143.96 US, United States 19/Oct/2019:16:44:04 /technical/dsl/
17.58.101.13 US, United States 19/Oct/2019:16:44:01 /travel/hungary/budapest/?s=tb
199.59.150.180 US, United States 19/Oct/2019:16:44:01 /travel/hungary/budapest/?s=tb
199.59.150.180 US, United States 19/Oct/2019:16:44:00 /robots.txt
3.94.82.91 US, United States 19/Oct/2019:16:43:36 /open-source/font-config-warnings.html
193.29.81.231 DE, Germany 19/Oct/2019:16:43:35 /open-source/font-config-warnings.html
66.249.79.153 US, United States 19/Oct/2019:16:42:54 /travel/megaliths/
39.105.51.17 CN, China 19/Oct/2019:16:42:38 /fun/foxnews.html
107.77.224.142 US, United States 19/Oct/2019:16:42:01 /travel/usa/new-york-skate-manhattan/
81.242.202.159 BE, Belgium 19/Oct/2019:16:41:51 /technical/samsung-galaxy/ssh.html
185.107.47.215 NL, Netherlands 19/Oct/2019:16:41:48 /cybersecurity/virtualization.html
190.213.165.233 TT, Trinidad and Tobago 19/Oct/2019:16:41:42 /radio/tv-antenna.html
18.233.194.247 US, United States 19/Oct/2019:16:41:39 /travel/turkey/ephesus/
18.233.194.247 US, United States 19/Oct/2019:16:41:38 /robots.txt
172.245.82.161 US, United States 19/Oct/2019:16:41:34 /networking/terminology.html
157.119.105.24 IN, India 19/Oct/2019:16:41:21 /open-source/
188.22.104.189 AT, Austria 19/Oct/2019:16:40:41 /technical/convert-youtube-to-xvid.html
66.249.79.155 US, United States 19/Oct/2019:16:40:34 /cybersecurity/verify-digital-signature.html
85.255.233.144 GB, United Kingdom 19/Oct/2019:16:40:20 /travel/usa/new-york-mcgees/
24.59.143.85 US, United States 19/Oct/2019:16:40:01 /travel/usa/new-york-sro-flophouses/shutdown.html
66.102.9.31 US, United States 19/Oct/2019:16:40:00 /open-source/performance-tuning/disks.html
66.102.9.5 US, United States 19/Oct/2019:16:40:00 /open-source/performance-tuning/disks.html
66.249.79.153 US, United States 19/Oct/2019:16:39:59 /travel/uk/glastonbury/wearyall-hill.html
66.102.9.2 US, United States 19/Oct/2019:16:39:50 /open-source/performance-tuning/disks.html
66.102.9.31 US, United States 19/Oct/2019:16:39:31 /open-source/performance-tuning/disks.html
66.102.9.31 US, United States 19/Oct/2019:16:39:30 /open-source/performance-tuning/disks.html
100.43.91.201 US, United States 19/Oct/2019:16:39:18 /open-source/performance-tuning/hardware.html
100.43.91.201 US, United States 19/Oct/2019:16:39:14 /robots.txt
85.105.30.160 TR, Turkey 19/Oct/2019:16:38:59 /travel/turkey/ephesus/walk.html
85.105.30.160 TR, Turkey 19/Oct/2019:16:38:59 /travel/turkey/ephesus/walk.html
66.249.79.151 US, United States 19/Oct/2019:16:38:50 /travel/uk/glastonbury/holy-grail.html
5.90.239.86 IT, Italy 19/Oct/2019:16:38:38 /open-source/rhel-centos-5-6-7-8/
54.36.149.210 FR, France 19/Oct/2019:16:38:26 /travel/france/marseille/arrival.html
54.36.148.164 FR, France 19/Oct/2019:16:38:14 /open-source/performance-tuning/disks.html
216.244.66.242 US, United States 19/Oct/2019:16:37:17 /open-source/ftp-howto.html
54.36.148.227 FR, France 19/Oct/2019:16:37:11 /travel/france/school-lunch-menus/?s=tweetbot
46.229.168.147 US, United States 19/Oct/2019:16:36:41 /travel/uk/orkney-neolithic/stones-of-stenness.html
66.249.79.153 US, United States 19/Oct/2019:16:36:11 /travel/uk/glastonbury/abbey-church.html?s=tb
3.84.196.147 US, United States 19/Oct/2019:16:35:43 /travel/usa/new-york-nighthawks/
47.220.162.197 US, United States 19/Oct/2019:16:35:39 /travel/france/ronin/
3.84.196.147 US, United States 19/Oct/2019:16:35:39 /travel/france/ronin/
5.255.250.17 US, United States 19/Oct/2019:16:35:27 /travel/usa/detroit/Index.html
17.58.101.13 US, United States 19/Oct/2019:16:35:26 /travel/uk/
47.220.162.197 US, United States 19/Oct/2019:16:35:24 /travel/france/ronin/
76.176.136.9 US, United States 19/Oct/2019:16:35:00 /open-source/openbsd-kernel.html
123.125.71.76 CN, China 19/Oct/2019:16:34:59 /robots.txt
80.219.252.41 CH, Switzerland 19/Oct/2019:16:34:11 /radio/probes.html
69.118.203.251 US, United States 19/Oct/2019:16:33:44 /
86.246.7.174 FR, France 19/Oct/2019:16:33:33 /travel/greece/trains.html
86.105.52.35 DE, Germany 19/Oct/2019:16:33:33 /travel/poland/?s=tb
99.35.149.50 US, United States 19/Oct/2019:16:33:25 /travel/uk/glastonbury/chalice-spring-tor.html
212.47.250.236 FR, France 19/Oct/2019:16:32:59 /travel/poland/?s=tb
76.250.218.23 US, United States 19/Oct/2019:16:32:54 /open-source/rhel-centos-5-6-7-8/
86.179.69.38 GB, United Kingdom 19/Oct/2019:16:32:52 /
89.40.126.210 DE, Germany 19/Oct/2019:16:32:29 /travel/poland/?s=tb
148.64.56.74 GB, United Kingdom 19/Oct/2019:16:32:29 /open-source/virtualization.html
94.177.248.79 GB, United Kingdom 19/Oct/2019:16:32:25 /travel/poland/?s=tb
109.144.218.136 GB, United Kingdom 19/Oct/2019:16:32:25 /travel/uk/glastonbury/chalice-spring-tor.html
148.64.56.127 GB, United Kingdom 19/Oct/2019:16:31:43 /open-source/system-administration.html
81.105.18.153 GB, United Kingdom 19/Oct/2019:16:30:20 /open-source/virtualization.html
34.199.145.87 US, United States 19/Oct/2019:16:30:18 /ads.txt
207.46.13.79 US, United States 19/Oct/2019:16:30:06 /travel/latvia/
209.198.40.210 US, United States 19/Oct/2019:16:29:56 /open-source/openbsd-wireless-wpa2.html
148.64.56.114 GB, United Kingdom 19/Oct/2019:16:29:36 /3d/xray/
148.64.56.114 GB, United Kingdom 19/Oct/2019:16:29:34 /robots.txt
5.255.250.17 US, United States 19/Oct/2019:16:29:27 /travel/greece/meteora.html?s=tb
92.119.177.147 Unknown 19/Oct/2019:16:29:27 /turkish/
5.255.250.17 US, United States 19/Oct/2019:16:29:12 /cybersecurity/public-key.html
213.87.158.88 RU, Russian Federation 19/Oct/2019:16:29:02 /open-source/sendmail-ssl.html
88.99.195.236 DE, Germany 19/Oct/2019:16:28:51 /travel/poland/?s=tb
66.249.88.121 US, United States 19/Oct/2019:16:28:48 /travel/
40.77.167.23 US, United States 19/Oct/2019:16:28:48 /open-source/python-twitter-automation/
3.217.157.17 US, United States 19/Oct/2019:16:28:24 /travel/poland/?s=tb
5.255.250.17 US, United States 19/Oct/2019:16:28:19 /travel/uk/the-road-to-the-isles/glen-nevis-fort-william.html
85.105.30.160 TR, Turkey 19/Oct/2019:16:28:13 /travel/turkey/ephesus/
17.142.153.24 US, United States 19/Oct/2019:16:28:01 /travel/poland/?s=tb
17.58.101.13 US, United States 19/Oct/2019:16:28:01 /travel/poland/?s=tb
199.59.150.180 US, United States 19/Oct/2019:16:28:00 /travel/poland/?s=tb
87.3.174.12 IT, Italy 19/Oct/2019:16:27:50 /open-source/performance-tuning/disks.html
107.77.209.227 US, United States 19/Oct/2019:16:27:28 /technical/dsl/
76.120.140.38 US, United States 19/Oct/2019:16:27:23 /technical/dsl/
76.250.218.23 US, United States 19/Oct/2019:16:26:55 /open-source/rhel-centos-5-6-7-8/
18.232.122.164 US, United States 19/Oct/2019:16:26:37 /travel/france/saint-denis/
76.67.151.21 CA, Canada 19/Oct/2019:16:26:30 /open-source/rhel-centos-5-6-7-8/booting.html
79.36.138.14 IT, Italy 19/Oct/2019:16:26:23 /travel/usa/new-york-mcgees/
174.242.36.237 US, United States 19/Oct/2019:16:25:46 /technical/dsl/
216.181.152.55 CA, Canada 19/Oct/2019:16:25:15 /turkish/Index.html

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages