Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

3.236.52.68 US, United States 01/Oct/2022:10:19:22 /robots.txt
114.119.142.8 CN, China 01/Oct/2022:10:18:44 /open-source/kodi/
35.211.210.111 US, United States 01/Oct/2022:10:17:23 /ads.txt
114.119.142.85 CN, China 01/Oct/2022:10:17:20 /cybersecurity/hostile/mydoom.m.html
148.72.153.62 US, United States 01/Oct/2022:10:17:11 /radio/probes.html
24.118.47.11 US, United States 01/Oct/2022:10:17:08 /radio/probes.html
51.222.253.19 FR, France 01/Oct/2022:10:16:54 /fun/sarah-palin-baby-name-generator-reloaded.html
66.249.79.9 US, United States 01/Oct/2022:10:16:07 /travel/japan/kamakura/tokei-ji.html
2.205.45.64 DE, Germany 01/Oct/2022:10:16:02 /open-source/performance-tuning/tcp.html
114.119.142.8 CN, China 01/Oct/2022:10:15:55 /travel/chile/constitucion/?s=tb
157.55.39.234 US, United States 01/Oct/2022:10:15:54 /travel/japan/kamakura/
172.58.160.201 US, United States 01/Oct/2022:10:15:42 /travel/belgium/belgian-beers/absinthe-bar.html
114.119.142.85 CN, China 01/Oct/2022:10:14:05 /travel/greece/?s=tb
49.204.115.153 IN, India 01/Oct/2022:10:13:56 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
204.15.208.24 Unknown 01/Oct/2022:10:13:49 /cybersecurity/isc2-ccsp/
188.138.41.77 DE, Germany 01/Oct/2022:10:13:46 /
105.154.202.90 MA, Morocco 01/Oct/2022:10:13:21 /travel/morocco/tangier/medina.html?infolinks=no
54.217.18.132 IE, Ireland 01/Oct/2022:10:13:16 /
66.249.79.9 US, United States 01/Oct/2022:10:13:12 /
114.119.142.84 CN, China 01/Oct/2022:10:12:39 /travel/france/marseille/notre-dame-de-la-garde.html?s=tb
24.53.126.169 CA, Canada 01/Oct/2022:10:12:17 /cybersecurity/isc2-ccsp/
54.166.7.90 US, United States 01/Oct/2022:10:11:08 /radio/rhombic-antennas.html
74.119.118.28 US, United States 01/Oct/2022:10:11:00 /cybersecurity/isc2-ccsp/
24.53.126.169 CA, Canada 01/Oct/2022:10:10:47 /cybersecurity/isc2-ccsp/
72.14.199.105 US, United States 01/Oct/2022:10:09:53 /travel/uk/glastonbury/chalice-spring-tor.html
72.14.199.107 US, United States 01/Oct/2022:10:09:52 /open-source/samba-active-directory/
54.242.88.169 US, United States 01/Oct/2022:10:09:43 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
95.216.228.96 FI, Finland 01/Oct/2022:10:09:04 /radio/mwdx.html
185.23.254.116 GB, United Kingdom 01/Oct/2022:10:08:33 /travel/uk/glastonbury/chalice-spring-tor.html
152.67.138.180 US, United States 01/Oct/2022:10:08:25 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
114.119.142.8 CN, China 01/Oct/2022:10:08:00 /cybersecurity/cyberwar/qatar.html
72.14.199.107 US, United States 01/Oct/2022:10:07:52 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
202.186.178.222 MY, Malaysia 01/Oct/2022:10:07:35 /cybersecurity/isc2-ccsp/
182.161.74.74 SG, Singapore 01/Oct/2022:10:07:28 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
78.26.242.166 UA, Ukraine 01/Oct/2022:10:07:21 /open-source/samba-active-directory/
66.249.79.9 US, United States 01/Oct/2022:10:07:09 /open-source/google-freebsd-tls/apache-http2-php.html
3.81.47.10 US, United States 01/Oct/2022:10:06:49 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
49.204.115.153 IN, India 01/Oct/2022:10:06:47 /open-source/rhel-oracle-centos-6-7-8-9/networking.html
207.154.202.109 DE, Germany 01/Oct/2022:10:06:41 /ads.txt
114.119.142.8 CN, China 01/Oct/2022:10:06:38 /cybersecurity/cyberwar/
63.32.88.136 US, United States 01/Oct/2022:10:06:13 /
114.119.142.73 CN, China 01/Oct/2022:10:05:11 /travel/turkey/hatusas/
66.249.79.9 US, United States 01/Oct/2022:10:05:01 /travel/usa/detroit/
66.249.79.9 US, United States 01/Oct/2022:10:05:01 /travel/turkey/nemrut-dagi/
66.249.79.9 US, United States 01/Oct/2022:10:05:00 /travel/uk/stonehenge/
51.222.253.5 FR, France 01/Oct/2022:10:04:56 /travel/japan/kyoto/
114.119.142.73 CN, China 01/Oct/2022:10:03:47 /turkish/
77.75.78.171 CZ, Czech Republic 01/Oct/2022:10:02:50 /robots.txt
114.119.142.85 CN, China 01/Oct/2022:10:01:58 /travel/belgium/comic-book-art/
35.90.105.144 US, United States 01/Oct/2022:10:01:04 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
188.127.134.63 HU, Hungary 01/Oct/2022:10:00:43 /technical/samsung-galaxy/linux.html
66.249.79.9 US, United States 01/Oct/2022:10:00:29 /travel/france/detectives/
81.60.39.4 ES, Spain 01/Oct/2022:10:00:28 /travel/france/seine-river-art-history-monet/giverny.html
66.249.79.9 US, United States 01/Oct/2022:10:00:12 /travel/replace-sim-card/
80.61.111.78 NL, Netherlands 01/Oct/2022:10:00:02 /travel/uk/orkney-sousterrain/
66.181.187.130 MN, Mongolia 01/Oct/2022:09:59:37 /open-source/rpm-patch.html
51.222.253.18 FR, France 01/Oct/2022:09:59:13 /cybersecurity/comptia/domain-2-answers.html
213.225.0.8 AT, Austria 01/Oct/2022:09:58:40 /networking/switch-programming.html
213.225.0.8 AT, Austria 01/Oct/2022:09:58:29 /networking/switch-programming.html
114.119.142.73 CN, China 01/Oct/2022:09:57:18 /travel/japan/tokyo-akihabara/
213.225.0.8 AT, Austria 01/Oct/2022:09:57:10 /networking/switch-programming.html
135.181.221.184 CA, Canada 01/Oct/2022:09:56:43 /travel/uk/glen-nevis/
178.187.49.8 RU, Russian Federation 01/Oct/2022:09:56:00 /open-source/raspberry-pi/sdr-getting-started.html
114.119.142.85 CN, China 01/Oct/2022:09:55:52 /travel/japan/forty-seven-ronin/
72.14.199.105 US, United States 01/Oct/2022:09:55:45 /travel/morocco/tangier/medina.html?infolinks=no
66.249.79.11 US, United States 01/Oct/2022:09:55:27 /open-source/rhel-oracle-centos-6-7-8-9/storage.html
66.249.79.13 US, United States 01/Oct/2022:09:55:26 /travel/turkey/aphrodisias/
107.178.238.46 US, United States 01/Oct/2022:09:55:09 /travel/france/avignon/avignon-papacy.html?s=tb
64.71.131.243 US, United States 01/Oct/2022:09:54:09 /
51.222.253.9 FR, France 01/Oct/2022:09:53:55 /radio/ic-3220.html
34.229.252.79 US, United States 01/Oct/2022:09:53:47 /travel/morocco/tangier/medina.html
105.154.202.90 MA, Morocco 01/Oct/2022:09:53:46 /travel/morocco/tangier/medina.html?infolinks=no
199.59.150.182 US, United States 01/Oct/2022:09:53:19 /travel/china/yangshuo.html
114.119.142.85 CN, China 01/Oct/2022:09:53:08 /travel/france/budget-hotels/?s=tb
35.229.56.70 US, United States 01/Oct/2022:09:53:02 /robots.txt
35.229.56.70 US, United States 01/Oct/2022:09:53:01 /robots.txt
3.223.183.74 US, United States 01/Oct/2022:09:51:36 /travel/
66.249.79.13 US, United States 01/Oct/2022:09:51:27 /travel/france/boat/canal-selection-and-logs.html
95.85.76.160 RU, Russian Federation 01/Oct/2022:09:51:19 /open-source/google-freebsd-tls/tls-certificate.html
17.121.113.48 US, United States 01/Oct/2022:09:50:27 /travel/mexico/cholula-puebla.html?s=tb
198.27.82.109 CA, Canada 01/Oct/2022:09:50:18 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
114.119.142.73 CN, China 01/Oct/2022:09:49:50 /travel/france/normandy/arromanches.html
209.126.117.73 US, United States 01/Oct/2022:09:49:48 /travel/usa/venice-california/
194.29.32.129 IL, Israel 01/Oct/2022:09:49:45 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
194.29.32.129 IL, Israel 01/Oct/2022:09:49:45 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
194.29.32.129 IL, Israel 01/Oct/2022:09:49:44 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
194.29.32.129 IL, Israel 01/Oct/2022:09:49:44 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
31.151.52.121 NL, Netherlands 01/Oct/2022:09:49:29 /technical/samsung-galaxy/linux.html
207.241.231.44 US, United States 01/Oct/2022:09:49:22 /robots.txt
72.14.199.105 US, United States 01/Oct/2022:09:49:20 /turkish/nouns.html
95.217.144.236 FI, Finland 01/Oct/2022:09:49:16 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
95.217.144.236 FI, Finland 01/Oct/2022:09:49:16 /robots.txt
192.133.77.16 US, United States 01/Oct/2022:09:49:10 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
207.241.231.43 US, United States 01/Oct/2022:09:49:09 /robots.txt
207.241.232.241 US, United States 01/Oct/2022:09:49:08 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
207.241.232.241 US, United States 01/Oct/2022:09:49:07 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
207.241.232.241 US, United States 01/Oct/2022:09:49:06 /robots.txt
51.15.164.30 FR, France 01/Oct/2022:09:49:05 /
51.15.164.30 FR, France 01/Oct/2022:09:49:05 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
178.33.168.30 FR, France 01/Oct/2022:09:49:05 /travel/france/avignon/chateauneuf-du-pape.html?s=tb
136.243.79.224 DE, Germany 01/Oct/2022:09:49:05 /travel/france/avignon/chateauneuf-du-pape.html
136.243.79.224 DE, Germany 01/Oct/2022:09:49:05 /travel/france/avignon/chateauneuf-du-pape.html
51.222.253.3 FR, France 01/Oct/2022:09:48:52 /travel/france/seine-river-art-history-monet/
80.208.64.230 DK, Denmark 01/Oct/2022:09:48:45 /travel/uk/oxford-lewis-tolkien/
86.150.28.189 GB, United Kingdom 01/Oct/2022:09:48:37 /open-source/raspberry-pi/sdr-getting-started.html
114.119.142.73 CN, China 01/Oct/2022:09:48:28 /open-source/nginx-tls-1.3/security-performance-nginx.html
128.30.52.72 US, United States 01/Oct/2022:09:48:15 /travel/morocco/tangier/medina.html
51.159.110.176 FR, France 01/Oct/2022:09:47:35 /turkish/nouns.html
51.159.110.176 FR, France 01/Oct/2022:09:47:35 /turkish/nouns.html
82.6.79.77 GB, United Kingdom 01/Oct/2022:09:47:19 /turkish/orthography.html
46.4.83.150 DE, Germany 01/Oct/2022:09:47:08 /travel/japan/kamakura/engaku-ji.html
114.119.142.8 CN, China 01/Oct/2022:09:47:06 /travel/japan/koyasan/kongo-sanmai-in.html
178.250.0.207 FR, France 01/Oct/2022:09:46:37 /travel/france/seine-river-art-history-monet/la-roche-guyon.html
3.89.40.63 US, United States 01/Oct/2022:09:46:08 /travel/france/seine-river-art-history-monet/la-roche-guyon.html
95.216.228.92 FI, Finland 01/Oct/2022:09:46:06 /travel/turkey/ephesus/walk.html
81.60.39.4 ES, Spain 01/Oct/2022:09:45:45 /travel/france/seine-river-art-history-monet/la-roche-guyon.html
128.30.52.72 US, United States 01/Oct/2022:09:45:27 /travel/morocco/tangier/medina.html
114.119.142.84 CN, China 01/Oct/2022:09:45:15 /cybersecurity/
138.199.55.47 EU, Europe 01/Oct/2022:09:45:10 /open-source/rhel-oracle-centos-multimedia.html
136.243.79.224 DE, Germany 01/Oct/2022:09:44:37 /travel/uk/lee-ho-fook/
51.222.253.12 FR, France 01/Oct/2022:09:43:55 /travel/uk/orkney-neolithic/ring-of-brodgar.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages