Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

5.150.233.44 SE, Sweden 27/Jul/2021:10:42:52 /open-source/performance-tuning/nfs.html
102.182.172.201 ZA, South Africa 27/Jul/2021:10:42:40 /open-source/performance-tuning/
102.182.172.201 ZA, South Africa 27/Jul/2021:10:42:39 /open-source/performance-tuning/tcp.html
211.5.215.228 JP, Japan 27/Jul/2021:10:42:31 /open-source/rpm-patch.html
211.5.215.228 JP, Japan 27/Jul/2021:10:42:29 /open-source/rpm-patch.html
54.36.149.22 FR, France 27/Jul/2021:10:41:21 /travel/japan/wwii-cryptanalysis/
54.224.217.146 US, United States 27/Jul/2021:10:41:16 /travel/greece/trains.html
44.192.22.242 US, United States 27/Jul/2021:10:41:15 /travel/latvia/
84.17.48.204 IT, Italy 27/Jul/2021:10:41:13 /travel/greece/trains.html
66.249.79.99 US, United States 27/Jul/2021:10:40:54 /text/reports/0tramp.1.txt
90.52.8.83 FR, France 27/Jul/2021:10:40:49 /travel/france/saumur-megaliths/
185.191.171.1 MD, Moldova, Republic of 27/Jul/2021:10:40:32 /travel/japan/
75.177.22.88 US, United States 27/Jul/2021:10:39:17 /technical/ata-ide-sata-usb-cable-pinouts.html
44.192.22.242 US, United States 27/Jul/2021:10:39:09 /cybersecurity/cloud-survey.html
44.192.22.242 US, United States 27/Jul/2021:10:39:09 /robots.txt
78.35.199.232 DE, Germany 27/Jul/2021:10:39:08 /technical/hp-printer-ready-message.html
194.50.85.102 UA, Ukraine 27/Jul/2021:10:38:42 /open-source/performance-tuning/ethernet.html
71.235.251.99 US, United States 27/Jul/2021:10:38:38 /turkish/verbs.html
114.119.133.237 CN, China 27/Jul/2021:10:38:23 /travel/turkey/temple-of-artemis/
188.138.41.200 DE, Germany 27/Jul/2021:10:38:17 /open-source/performance-tuning/nfs.html
95.216.228.98 FI, Finland 27/Jul/2021:10:38:00 /open-source/rpm-patch.html
136.243.70.68 DE, Germany 27/Jul/2021:10:37:53 /travel/france/school-lunch-menus/?s=tb
136.243.70.68 DE, Germany 27/Jul/2021:10:37:53 /robots.txt
185.191.171.10 MD, Moldova, Republic of 27/Jul/2021:10:35:59 /technical/samsung-galaxy/rip-cyanogenmod.html
132.145.64.33 US, United States 27/Jul/2021:10:35:31 /travel/chile/rancagua/
132.145.64.33 US, United States 27/Jul/2021:10:35:30 /travel/chile/rancagua/?s=tb
66.249.79.97 US, United States 27/Jul/2021:10:35:18 /
35.155.29.68 US, United States 27/Jul/2021:10:34:53 /open-source/rpm-patch.html
54.36.149.57 FR, France 27/Jul/2021:10:34:52 /travel/uk/ben-nevis/
173.252.83.120 US, United States 27/Jul/2021:10:34:50 /turkish/
137.69.117.202 US, United States 27/Jul/2021:10:34:37 /open-source/rpm-patch.html
54.36.148.48 FR, France 27/Jul/2021:10:34:22 /cybersecurity/comptia/domain-1.html
74.119.118.50 US, United States 27/Jul/2021:10:34:12 /cybersecurity/telecom-outages.html
185.191.171.15 MD, Moldova, Republic of 27/Jul/2021:10:34:06 /cybersecurity/isc2-ccsp/
83.233.228.171 SE, Sweden 27/Jul/2021:10:33:51 /radio/9-1-unun/
3.236.212.37 US, United States 27/Jul/2021:10:33:32 /cybersecurity/telecom-outages.html
3.84.168.8 US, United States 27/Jul/2021:10:33:29 /cybersecurity/telecom-outages.html
196.38.20.158 ZA, South Africa 27/Jul/2021:10:33:14 /cybersecurity/telecom-outages.html
49.150.47.19 PH, Philippines 27/Jul/2021:10:33:04 /travel/france/marseille/vieux-port.html
54.237.214.168 US, United States 27/Jul/2021:10:32:44 /cybersecurity/isc2-ccsp/
95.163.255.190 RU, Russian Federation 27/Jul/2021:10:32:34 /robots.txt
162.244.33.50 US, United States 27/Jul/2021:10:31:43 /cybersecurity/yubikey/pam_pkcs11.html
134.191.221.82 GB, United Kingdom 27/Jul/2021:10:31:12 /networking/nat.html
148.64.4.223 IN, India 27/Jul/2021:10:30:10 /open-source/windows-path.html
178.250.0.49 FR, France 27/Jul/2021:10:29:49 /travel/uk/glastonbury/chalice-spring-tor.html
3.215.77.209 US, United States 27/Jul/2021:10:29:17 /travel/uk/glastonbury/chalice-spring-tor.html
147.147.90.248 GB, United Kingdom 27/Jul/2021:10:29:09 /travel/uk/glastonbury/chalice-spring-tor.html
54.36.148.6 FR, France 27/Jul/2021:10:28:28 /open-source/rhel-centos-oracle-5-6-7-8/logging.html
114.119.136.59 CN, China 27/Jul/2021:10:28:11 /travel/usa/new-york-hunter-s-thompson/
54.88.52.63 US, United States 27/Jul/2021:10:27:44 /travel/greece/mykonos.html
178.197.227.171 CH, Switzerland 27/Jul/2021:10:27:34 /travel/greece/mykonos.html
52.213.28.186 IE, Ireland 27/Jul/2021:10:27:25 /open-source/ssh-2-access-control.html
198.148.27.52 US, United States 27/Jul/2021:10:27:04 /cybersecurity/comptia/
198.148.27.47 US, United States 27/Jul/2021:10:26:57 /cybersecurity/comptia/
85.113.129.232 RU, Russian Federation 27/Jul/2021:10:26:57 /cybersecurity/ssl-tls.html
77.75.76.171 CZ, Czech Republic 27/Jul/2021:10:26:52 /travel/uk/hadrians-wall/
77.75.76.171 CZ, Czech Republic 27/Jul/2021:10:26:51 /networking/ip-addresses-and-subnets.html
77.75.76.171 CZ, Czech Republic 27/Jul/2021:10:26:50 /technical/samsung-galaxy/sim-unlocking.html
77.75.76.171 CZ, Czech Republic 27/Jul/2021:10:26:49 /robots.txt
66.249.79.99 US, United States 27/Jul/2021:10:26:33 /travel/usa/new-york-phone-booths/
103.253.237.40 HK, Hong Kong 27/Jul/2021:10:26:17 /cybersecurity/hostile/mirai.html
114.119.162.58 CN, China 27/Jul/2021:10:26:06 /travel/turkey/konya/?s=tb
13.66.139.0 US, United States 27/Jul/2021:10:25:52 /travel/canada/ottawa/?s=tb
103.253.237.40 HK, Hong Kong 27/Jul/2021:10:25:31 /cybersecurity/hostile/mirai.html
216.228.112.22 US, United States 27/Jul/2021:10:25:17 /open-source/qemu-unix.html
199.249.230.182 US, United States 27/Jul/2021:10:25:15 /open-source/font-config-warnings.html
185.191.171.24 MD, Moldova, Republic of 27/Jul/2021:10:24:49 /cybersecurity/attack-study/200.213.105.90-i192-list.html
188.138.33.167 DE, Germany 27/Jul/2021:10:23:50 /open-source/ssh-2-access-control.html
114.119.162.58 CN, China 27/Jul/2021:10:23:48 /travel/trinidad/port-of-spain.html
92.154.42.32 FR, France 27/Jul/2021:10:23:30 /open-source/performance-tuning/file-systems.html
199.16.157.180 US, United States 27/Jul/2021:10:22:46 /travel/japan/nikko/other-sites.html?s=tb
78.135.54.110 TR, Turkey 27/Jul/2021:10:22:41 /contact.html
78.135.54.110 TR, Turkey 27/Jul/2021:10:22:40 /travel/usa/new-york-roosevelts/
54.36.148.166 FR, France 27/Jul/2021:10:22:35 /cybersecurity/comptia/domain-4.html
208.78.212.5 US, United States 27/Jul/2021:10:22:23 /open-source/performance-tuning/tcp.html
114.119.137.190 CN, China 27/Jul/2021:10:22:18 /travel/japan/nagasaki/temples-in-the-rain.html
54.36.148.9 FR, France 27/Jul/2021:10:22:14 /cybersecurity/root-password.html
95.216.228.101 FI, Finland 27/Jul/2021:10:22:00 /cybersecurity/root-password.html
5.255.253.108 RU, Russian Federation 27/Jul/2021:10:21:44 /cybersecurity/exam-prep.html
143.92.127.226 AU, Australia 27/Jul/2021:10:20:17 /open-source/performance-tuning/disks.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:51 /open-source/samba-active-directory/samba.html
204.15.208.39 Unknown 27/Jul/2021:10:19:50 /cybersecurity/root-password.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
114.198.49.77 AU, Australia 27/Jul/2021:10:19:43 /open-source/samba-active-directory/samba.html
109.249.187.31 GB, United Kingdom 27/Jul/2021:10:19:38 /technical/dsl/
114.119.142.204 CN, China 27/Jul/2021:10:19:34 /travel/chile/rancagua/?s=tb
3.84.168.8 US, United States 27/Jul/2021:10:19:29 /open-source/qemu-unix.html
185.17.14.4 AT, Austria 27/Jul/2021:10:19:24 /open-source/qemu-unix.html
54.167.100.33 US, United States 27/Jul/2021:10:19:02 /travel/usa/new-york-marvel/?s=tb
52.55.253.52 US, United States 27/Jul/2021:10:19:01 /travel/usa/new-york-marvel/?s=tb
18.204.61.173 US, United States 27/Jul/2021:10:18:57 /travel/usa/new-york-marvel/?s=tb
135.181.82.38 CA, Canada 27/Jul/2021:10:18:56 /open-source/linux-kernel.html
3.238.142.36 US, United States 27/Jul/2021:10:18:47 /cybersecurity/comptia/initial-answers.html
70.163.30.46 US, United States 27/Jul/2021:10:18:45 /cybersecurity/comptia/initial-answers.html
199.16.157.182 US, United States 27/Jul/2021:10:18:27 /cybersecurity/crypto/reading.html?s=tb
114.119.132.7 CN, China 27/Jul/2021:10:17:58 /travel/japan/kamakura/kencho-ji.html
91.126.219.59 ES, Spain 27/Jul/2021:10:17:20 /networking/class-a-nets.html
74.119.118.50 US, United States 27/Jul/2021:10:17:17 /cybersecurity/root-password.html
208.78.212.5 US, United States 27/Jul/2021:10:17:00 /open-source/performance-tuning/tcp.html
5.255.253.108 RU, Russian Federation 27/Jul/2021:10:16:05 /travel/usa/new-york-st-marks-place/
51.255.65.46 FR, France 27/Jul/2021:10:16:02 /travel/uk/glastonbury/king-arthur.html
125.35.71.38 CN, China 27/Jul/2021:10:14:32 /open-source/raspberry-pi/sdr-ads-b-piaware-and-fr24feed.html
178.222.175.59 RS, Serbia 27/Jul/2021:10:14:19 /turkish/verbs.html
49.7.20.108 CN, China 27/Jul/2021:10:14:02 /networking/sdn.html
78.122.5.23 FR, France 27/Jul/2021:10:13:14 /open-source/performance-tuning/tcp.html
114.119.162.80 CN, China 27/Jul/2021:10:13:13 /oliver-cromwell/
123.183.224.101 CN, China 27/Jul/2021:10:13:10 /open-source/vim-word-count.html
128.30.52.73 US, United States 27/Jul/2021:10:12:41 /networking/netstat-s.html
66.249.79.97 US, United States 27/Jul/2021:10:12:41 /travel/trinidad/port-of-spain.html
34.91.2.10 US, United States 27/Jul/2021:10:12:10 /travel/
34.91.2.10 US, United States 27/Jul/2021:10:12:09 /radio/
34.91.2.10 US, United States 27/Jul/2021:10:12:09 /3d/
34.91.2.10 US, United States 27/Jul/2021:10:12:09 /turkish/

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages