Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

66.249.79.3 US, United States 04/Dec/2020:04:14:58 /open-source/rhel-centos-5-6-7-8/booting.html
199.59.150.183 US, United States 04/Dec/2020:04:14:53 /travel/egypt/giza.html?s=tb
34.219.30.181 US, United States 04/Dec/2020:04:14:45 /open-source/uefi.html
198.74.56.254 US, United States 04/Dec/2020:04:14:42 /travel/mexico/cholula-puebla.html?s=tb
198.74.56.254 US, United States 04/Dec/2020:04:14:42 /robots.txt
216.208.51.73 CA, Canada 04/Dec/2020:04:14:33 /open-source/performance-tuning/nfs.html
37.187.162.183 FR, France 04/Dec/2020:04:14:23 /travel/mexico/cholula-puebla.html?s=tb
3.218.77.26 US, United States 04/Dec/2020:04:14:19 /travel/mexico/cholula-puebla.html?s=tb
116.202.35.126 IN, India 04/Dec/2020:04:14:19 /travel/mexico/cholula-puebla.html?s=tb
54.212.207.44 US, United States 04/Dec/2020:04:14:14 /travel/mexico/cholula-puebla.html?s=tb
54.212.207.44 US, United States 04/Dec/2020:04:14:13 /travel/mexico/cholula-puebla.html?s=tb
54.189.148.80 US, United States 04/Dec/2020:04:14:13 /open-source/uefi.html
114.119.131.248 CN, China 04/Dec/2020:04:14:11 /technical/html4-or-xhtml-to-html5.html
178.32.216.192 FR, France 04/Dec/2020:04:14:07 /travel/mexico/cholula-puebla.html?s=tb
50.254.133.121 US, United States 04/Dec/2020:04:14:06 /travel/mexico/cholula-puebla.html?s=tb
17.58.100.83 US, United States 04/Dec/2020:04:14:01 /travel/mexico/cholula-puebla.html?s=tb
199.59.150.181 US, United States 04/Dec/2020:04:14:01 /travel/mexico/cholula-puebla.html?s=tb
101.166.26.243 AU, Australia 04/Dec/2020:04:13:48 /travel/usa/new-york-mcgees/
109.194.162.115 RU, Russian Federation 04/Dec/2020:04:13:24 /open-source/lvm-rescue-boot.html
174.73.234.192 US, United States 04/Dec/2020:04:12:53 /travel/turkey/lycia/
195.154.122.166 FR, France 04/Dec/2020:04:12:27 /travel/france/normandy/utah-beach-hike.html
54.36.148.126 FR, France 04/Dec/2020:04:12:26 /travel/france/normandy/utah-beach-hike.html
82.82.130.30 DE, Germany 04/Dec/2020:04:12:24 /cybersecurity/root-password.html
66.249.79.31 US, United States 04/Dec/2020:04:12:20 /3d/xray/scanner.html
51.178.176.112 FR, France 04/Dec/2020:04:12:18 /open-source/uefi.html
34.205.166.102 US, United States 04/Dec/2020:04:12:08 /robots.txt
54.236.42.135 US, United States 04/Dec/2020:04:12:08 /
54.36.149.211 FR, France 04/Dec/2020:04:11:20 /cybersecurity/comptia/linux-windows-files.html
114.119.139.48 CN, China 04/Dec/2020:04:11:00 /travel/italy/amalfi/01-arriving-in-atrani.html
194.29.32.129 IL, Israel 04/Dec/2020:04:10:59 /open-source/uefi.html
194.29.32.129 IL, Israel 04/Dec/2020:04:10:58 /open-source/uefi.html
17.58.100.83 US, United States 04/Dec/2020:04:10:51 /travel/japan/kofun/emperor-seimu.html
66.249.79.5 US, United States 04/Dec/2020:04:10:40 /fun/brilliant-movie-ideas/
76.25.105.123 US, United States 04/Dec/2020:04:10:31 /technical/dsl/
95.216.246.97 FI, Finland 04/Dec/2020:04:10:23 /open-source/uefi.html
95.216.246.97 FI, Finland 04/Dec/2020:04:10:21 /open-source/uefi.html
95.216.246.97 FI, Finland 04/Dec/2020:04:10:21 /open-source/uefi.html
95.163.255.159 RU, Russian Federation 04/Dec/2020:04:10:01 /robots.txt
148.251.135.37 DE, Germany 04/Dec/2020:04:09:59 /open-source/uefi.html
70.179.1.139 US, United States 04/Dec/2020:04:09:42 /open-source/stig-compliance.html
185.191.171.14 MD, Moldova, Republic of 04/Dec/2020:04:09:38 /travel/france/loire-valley/chinon.html
35.153.39.7 US, United States 04/Dec/2020:04:09:34 /3d/3d-sensor.html
35.153.39.7 US, United States 04/Dec/2020:04:09:34 /robots.txt
100.24.238.89 US, United States 04/Dec/2020:04:09:32 /open-source/uefi.html
66.249.79.3 US, United States 04/Dec/2020:04:09:32 /cybersecurity/monitoring.html
199.192.122.127 US, United States 04/Dec/2020:04:09:23 /radio/tv-antenna.html
54.36.148.134 FR, France 04/Dec/2020:04:09:02 /travel/japan/ise/inner-shrine.html
114.119.149.81 CN, China 04/Dec/2020:04:08:53 /cybersecurity/cyberwar/qatar.html
138.201.35.109 DE, Germany 04/Dec/2020:04:08:45 /open-source/uefi.html
66.102.8.7 US, United States 04/Dec/2020:04:08:36 /open-source/uefi.html
107.178.237.27 US, United States 04/Dec/2020:04:08:35 /open-source/uefi.html
172.58.228.24 US, United States 04/Dec/2020:04:08:20 /travel/usa/new-york-fictional-architecture/upper-west-side.html
116.202.35.110 IN, India 04/Dec/2020:04:08:18 /open-source/uefi.html
66.249.79.5 US, United States 04/Dec/2020:04:08:01 /open-source/hp-envy-xsane.html
17.58.106.18 US, United States 04/Dec/2020:04:08:00 /open-source/uefi.html
174.204.65.148 US, United States 04/Dec/2020:04:08:00 /technical/dsl/
17.58.100.83 US, United States 04/Dec/2020:04:08:00 /open-source/uefi.html
199.59.150.182 US, United States 04/Dec/2020:04:08:00 /open-source/uefi.html
100.24.12.254 US, United States 04/Dec/2020:04:07:31 /turkish/verbs.html
54.36.148.121 FR, France 04/Dec/2020:04:07:19 /travel/france/loire-valley/chinon.html?s=tb
73.47.56.142 US, United States 04/Dec/2020:04:06:57 /cybersecurity/lt589/chapter7a.html?infolinks=no
73.47.56.142 US, United States 04/Dec/2020:04:06:47 /cybersecurity/lt589/chapter7.html?infolinks=no
68.41.124.219 US, United States 04/Dec/2020:04:06:31 /travel/uk/lee-ho-fook/
66.249.79.3 US, United States 04/Dec/2020:04:06:26 /travel/bulgaria/food/
68.41.124.219 US, United States 04/Dec/2020:04:06:12 /travel/uk/lee-ho-fook/
216.18.204.214 US, United States 04/Dec/2020:04:05:52 /travel/latvia/
114.119.166.63 CN, China 04/Dec/2020:04:05:50 /travel/uk/the-road-to-the-isles/?s=tb
35.239.58.193 US, United States 04/Dec/2020:04:05:06 /robots.txt
211.197.18.247 KR, Korea, Republic of 04/Dec/2020:04:05:05 /open-source/migrate-rhel-to-centos.html
136.243.7.214 DE, Germany 04/Dec/2020:04:05:04 /travel/japan/kofun/empress-jingu.html
152.67.128.219 US, United States 04/Dec/2020:04:05:00 /travel/belgium/bastogne-ardennes/houffalize-malmedy-st-hubert.html
77.75.77.72 CZ, Czech Republic 04/Dec/2020:04:04:36 /robots.txt
95.216.226.113 FI, Finland 04/Dec/2020:04:04:35 /open-source/linux-alpha.html
73.47.56.142 US, United States 04/Dec/2020:04:03:58 /cybersecurity/lt589/chapter7a.html?infolinks=no
114.119.135.34 CN, China 04/Dec/2020:04:03:38 /cybersecurity/cloud-survey.html
132.145.9.5 US, United States 04/Dec/2020:04:03:22 /cybersecurity/ec2-secure-storage.html
66.249.79.3 US, United States 04/Dec/2020:04:03:20 /networking/terminology.html
177.37.24.35 BR, Brazil 04/Dec/2020:04:02:28 /open-source/sendmail-ssl.html
37.187.162.187 FR, France 04/Dec/2020:04:02:15 /travel/canada/canada-vs-us/?s=tb
66.249.79.5 US, United States 04/Dec/2020:04:02:11 /open-source/samba-active-directory/
42.200.73.228 HK, Hong Kong 04/Dec/2020:04:01:50 /open-source/performance-tuning/tcp.html
66.249.79.5 US, United States 04/Dec/2020:04:01:47 /russian/latex.html
135.181.102.122 CA, Canada 04/Dec/2020:04:01:36 /cybersecurity/intrusion.html
132.145.66.156 US, United States 04/Dec/2020:04:01:35 /travel/uk/stonehenge/
132.145.11.125 US, United States 04/Dec/2020:04:01:35 /travel/uk/stonehenge/
132.145.66.156 US, United States 04/Dec/2020:04:01:35 /travel/uk/stonehenge/
46.149.166.56 UA, Ukraine 04/Dec/2020:04:01:30 /travel/italy/cinque-terre/?s=tb
211.197.18.247 KR, Korea, Republic of 04/Dec/2020:04:01:15 /open-source/migrate-rhel-to-centos.html
73.47.56.142 US, United States 04/Dec/2020:04:00:50 /cybersecurity/lt589/chapter7.html?infolinks=no
45.56.152.38 HK, Hong Kong 04/Dec/2020:04:00:42 /open-source/performance-tuning/tcp.html
123.153.123.170 CN, China 04/Dec/2020:04:00:42 /
204.15.208.35 Unknown 04/Dec/2020:04:00:41 /travel/turkey/nemrut-dagi/
73.47.56.142 US, United States 04/Dec/2020:04:00:14 /cybersecurity/lt589/chapter6.html?infolinks=no
66.249.79.31 US, United States 04/Dec/2020:04:00:14 /travel/usa/us-wash-masonic.html
73.47.56.142 US, United States 04/Dec/2020:04:00:11 /cybersecurity/lt589/chapter7.html?infolinks=no
50.204.31.178 US, United States 04/Dec/2020:04:00:09 /open-source/rhel-centos-5-6-7-8/logging.html
140.238.95.199 US, United States 04/Dec/2020:04:00:06 /open-source/samba-active-directory/freebsd-raspberry-pi.html
140.238.81.78 US, United States 04/Dec/2020:04:00:02 /technical/samsung-galaxy/ssh.html
95.217.145.59 FI, Finland 04/Dec/2020:03:59:56 /travel/france/boat-trip-canal-lateral-a-la-loire/?s=tb
95.217.145.59 FI, Finland 04/Dec/2020:03:59:55 /robots.txt
86.105.51.196 DE, Germany 04/Dec/2020:03:59:50 /travel/usa/san-francisco-haight-ashbury/?s=tb
174.73.234.192 US, United States 04/Dec/2020:03:59:42 /travel/turkey/lycia/
66.249.79.31 US, United States 04/Dec/2020:03:59:40 /travel/turkey/gallipoli/
165.225.122.157 US, United States 04/Dec/2020:03:59:29 /open-source/build-packages.html
40.77.167.25 US, United States 04/Dec/2020:03:59:25 /travel/egypt/giza.html
132.145.66.116 US, United States 04/Dec/2020:03:59:22 /cybersecurity/descrambler.html
157.55.39.33 US, United States 04/Dec/2020:03:59:21 /robots.txt
66.249.79.31 US, United States 04/Dec/2020:03:59:02 /travel/japan/kofun/empress-iwa-no-hime.html
204.15.208.25 Unknown 04/Dec/2020:03:58:48 /travel/france/ronin/
73.15.14.4 US, United States 04/Dec/2020:03:58:20 /travel/usa/san-francisco-haight-ashbury/?s=tb
114.119.150.64 CN, China 04/Dec/2020:03:58:20 /robots.txt
198.54.104.246 US, United States 04/Dec/2020:03:58:18 /open-source/openbsd-qemu-windows-howto.html
73.15.14.4 US, United States 04/Dec/2020:03:58:18 /travel/usa/san-francisco-haight-ashbury/?s=tb
116.202.35.80 IN, India 04/Dec/2020:03:58:17 /travel/usa/san-francisco-haight-ashbury/?s=tb
198.74.56.254 US, United States 04/Dec/2020:03:58:16 /travel/usa/san-francisco-haight-ashbury/?s=tb
198.74.56.254 US, United States 04/Dec/2020:03:58:16 /robots.txt
152.67.138.180 US, United States 04/Dec/2020:03:58:12 /travel/uk/national-grid-os-maps/
198.27.82.205 CA, Canada 04/Dec/2020:03:58:06 /travel/usa/san-francisco-haight-ashbury/?s=tb
35.173.18.250 US, United States 04/Dec/2020:03:58:05 /travel/usa/san-francisco-haight-ashbury/?s=tb
51.91.152.150 FR, France 04/Dec/2020:03:58:04 /travel/usa/san-francisco-haight-ashbury/?s=tb
199.59.150.181 US, United States 04/Dec/2020:03:58:01 /travel/usa/san-francisco-haight-ashbury/?s=tb
17.58.100.83 US, United States 04/Dec/2020:03:58:01 /travel/usa/san-francisco-haight-ashbury/?s=tb
54.221.66.204 US, United States 04/Dec/2020:03:57:57 /travel/greece/tiryns.html
54.221.66.204 US, United States 04/Dec/2020:03:57:57 /travel/greece/tiryns.html?s=tb
216.18.204.214 US, United States 04/Dec/2020:03:57:51 /travel/china/yangshuo.html
66.249.79.3 US, United States 04/Dec/2020:03:57:13 /technical/html-php-css.html
157.55.39.201 US, United States 04/Dec/2020:03:57:09 /technical/dsl/
66.249.79.3 US, United States 04/Dec/2020:03:57:08 /travel/france/marseille/
140.238.95.47 US, United States 04/Dec/2020:03:56:47 /travel/france/mont-saint-michel-saint-malo/
140.238.95.47 US, United States 04/Dec/2020:03:56:47 /travel/france/mont-saint-michel-saint-malo/
140.238.95.47 US, United States 04/Dec/2020:03:56:45 /travel/france/mont-saint-michel-saint-malo/
107.178.196.205 US, United States 04/Dec/2020:03:56:38 /travel/greece/meteora.html?s=tb
107.178.196.207 US, United States 04/Dec/2020:03:56:38 /travel/greece/meteora.html?s=tb

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages