Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?


First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top. US, United States 23/Sep/2020:14:46:35 /robots.txt NL, Netherlands 23/Sep/2020:14:46:26 / FR, France 23/Sep/2020:14:46:23 /open-source/lvm-rescue-boot.html RU, Russian Federation 23/Sep/2020:14:46:00 /open-source/keyboard-mouse.html RU, Russian Federation 23/Sep/2020:14:45:59 /open-source/ MD, Moldova, Republic of 23/Sep/2020:14:45:32 /travel/france/marseille/coast-road.html MD, Moldova, Republic of 23/Sep/2020:14:45:32 /robots.txt US, United States 23/Sep/2020:14:45:13 /travel/usa/new-york-st-marks-place/ US, United States 23/Sep/2020:14:45:13 /open-source/performance-tuning/file-systems.html ES, Spain 23/Sep/2020:14:45:09 /travel/usa/new-york-st-marks-place/ US, United States 23/Sep/2020:14:45:05 /travel/france/normandy/brecourt-manor.html US, United States 23/Sep/2020:14:45:04 /open-source/performance-tuning/file-systems.html PT, Portugal 23/Sep/2020:14:44:50 /travel/usa/new-york-phone-booths/ DE, Germany 23/Sep/2020:14:44:41 /travel/uk/scotland-isle-of-iona/iona.html?s=tb US, United States 23/Sep/2020:14:44:34 /travel/usa/us-wash-masonic.html US, United States 23/Sep/2020:14:44:06 /travel/uk/scotland-isle-of-iona/iona.html?s=tb US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb PT, Portugal 23/Sep/2020:14:43:56 /travel/usa/new-york-phone-booths/ US, United States 23/Sep/2020:14:43:40 /cybersecurity/privacy-policy.html US, United States 23/Sep/2020:14:43:35 /ads.txt DE, Germany 23/Sep/2020:14:43:17 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:42:39 /cybersecurity/isc2-ccsp/ SG, Singapore 23/Sep/2020:14:42:36 /ads.txt US, United States 23/Sep/2020:14:42:23 /open-source/xsane-invalid-argument.html DE, Germany 23/Sep/2020:14:42:22 /open-source/performance-tuning/ethernet.html IN, India 23/Sep/2020:14:42:09 /open-source/openbsd-qemu-windows-howto.html US, United States 23/Sep/2020:14:42:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb US, United States 23/Sep/2020:14:42:01 /robots.txt US, United States 23/Sep/2020:14:41:43 /cybersecurity/isc2-ccsp/ US, United States 23/Sep/2020:14:41:20 /travel/france/normandy/brecourt-manor.html DE, Germany 23/Sep/2020:14:41:17 /open-source/performance-tuning/ethernet.html FR, France 23/Sep/2020:14:41:11 /cybersecurity/cyberwar/kyrgyzstan.html CA, Canada 23/Sep/2020:14:40:57 /open-source/xsane-invalid-argument.html CA, Canada 23/Sep/2020:14:40:56 /travel/france/avignon/corrupt-popes.html US, United States 23/Sep/2020:14:40:47 /travel/usa/new-york-fictional-architecture/upper-west-side.html CN, China 23/Sep/2020:14:40:46 / CN, China 23/Sep/2020:14:40:42 / FR, France 23/Sep/2020:14:40:28 /open-source/raspberry-pi/networking.html US, United States 23/Sep/2020:14:40:18 / DE, Germany 23/Sep/2020:14:40:17 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:40:01 /travel/france/thomas-jefferson/ DE, Germany 23/Sep/2020:14:39:46 /travel/japan/kofun/empress-hibasuhime.html?s=tb DE, Germany 23/Sep/2020:14:39:46 /robots.txt DE, Germany 23/Sep/2020:14:39:17 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:39:17 /technical/bios.html TR, Turkey 23/Sep/2020:14:39:08 /technical/html4-or-xhtml-to-html5.html CA, Canada 23/Sep/2020:14:39:08 /travel/japan/kofun/empress-hibasuhime.html?s=tb US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb NL, Netherlands 23/Sep/2020:14:38:45 /open-source/performance-tuning/tcp.html NL, Netherlands 23/Sep/2020:14:38:45 /open-source/performance-tuning/tcp.html NL, Netherlands 23/Sep/2020:14:38:44 /open-source/performance-tuning/disks.html MM, Myanmar 23/Sep/2020:14:38:42 /open-source/linux-amd-radeon-gpu/ US, United States 23/Sep/2020:14:38:39 /radio/tv-antenna.html?s=tb NL, Netherlands 23/Sep/2020:14:38:36 /open-source/performance-tuning/ DE, Germany 23/Sep/2020:14:38:17 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:37:52 /travel/turkey/hatusas/ DE, Germany 23/Sep/2020:14:37:25 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:37:23 /robots.txt US, United States 23/Sep/2020:14:37:22 /turkish/word-order.html US, United States 23/Sep/2020:14:37:02 /travel/france/normandy/brecourt-manor.html US, United States 23/Sep/2020:14:36:55 /technical/dsl/ US, United States 23/Sep/2020:14:36:48 /travel/usa/new-york-fictional-architecture/upper-west-side.html NL, Netherlands 23/Sep/2020:14:36:43 /open-source/performance-tuning/file-systems.html US, United States 23/Sep/2020:14:36:19 /travel/usa/new-york-revolutionary/ GB, United Kingdom 23/Sep/2020:14:36:03 /travel/france/provence-megaliths/ DE, Germany 23/Sep/2020:14:35:31 /open-source/performance-tuning/ethernet.html FR, France 23/Sep/2020:14:35:20 /radio/internet-radio.html US, United States 23/Sep/2020:14:35:16 /networking/commands.html US, United States 23/Sep/2020:14:35:14 /3d/extrema.html US, United States 23/Sep/2020:14:34:54 /travel/greece/delos.html US, United States 23/Sep/2020:14:34:24 /open-source/samba-active-directory/ Unknown 23/Sep/2020:14:34:22 /travel/france/coulee-verte/ GB, United Kingdom 23/Sep/2020:14:34:17 /open-source/nginx-tls-1.3/running-tls-1.3.html DE, Germany 23/Sep/2020:14:34:16 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:34:05 /robots.txt VN, Vietnam 23/Sep/2020:14:33:26 /open-source/performance-tuning/nfs.html VN, Vietnam 23/Sep/2020:14:33:26 /robots.txt DE, Germany 23/Sep/2020:14:33:16 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:32:57 /open-source/sendmail-ssl.html US, United States 23/Sep/2020:14:32:26 /turkish/verbs.html HR, Croatia 23/Sep/2020:14:32:19 /open-source/build-packages.html DE, Germany 23/Sep/2020:14:32:17 /open-source/performance-tuning/ethernet.html CA, Canada 23/Sep/2020:14:31:44 /open-source/rhel-centos-5-6-7-8/ US, United States 23/Sep/2020:14:31:43 /open-source/openbsd-qemu-windows-howto.html GB, United Kingdom 23/Sep/2020:14:31:42 /open-source/raspberry-pi/sdr-getting-started.html DE, Germany 23/Sep/2020:14:31:16 /open-source/performance-tuning/ethernet.html IE, Ireland 23/Sep/2020:14:31:10 /open-source/performance-tuning/tcp.html CH, Switzerland 23/Sep/2020:14:30:50 /open-source/openbsd-wireless-wpa2.html US, United States 23/Sep/2020:14:30:38 /cybersecurity/isc2-cissp/ DE, Germany 23/Sep/2020:14:30:19 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:30:11 /cybersecurity/intrusion.html US, United States 23/Sep/2020:14:29:45 /cybersecurity/isc2-cissp/ US, United States 23/Sep/2020:14:29:44 /open-source/migrate-rhel-to-centos.html FR, France 23/Sep/2020:14:29:33 /fun/santaism.html US, United States 23/Sep/2020:14:29:28 /radio/fort-tuthill.html US, United States 23/Sep/2020:14:29:27 /robots.txt DE, Germany 23/Sep/2020:14:29:18 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:28:32 /open-source/linux-break-in-howto.html DE, Germany 23/Sep/2020:14:28:16 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:28:06 /open-source/openbsd-qemu-windows-howto.html US, United States 23/Sep/2020:14:28:04 /ads.txt US, United States 23/Sep/2020:14:28:04 /robots.txt US, United States 23/Sep/2020:14:28:02 /open-source/openbsd-qemu-windows-howto.html DE, Germany 23/Sep/2020:14:27:50 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:27:48 /travel/italy/paestum/ DE, Germany 23/Sep/2020:14:27:22 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:27:05 /technical/dsl/ DE, Germany 23/Sep/2020:14:26:19 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:26:08 /travel/france/normandy/brecourt-manor.html MD, Moldova, Republic of 23/Sep/2020:14:25:32 /travel/belgium/bastogne-ardennes/bastogne.html FR, France 23/Sep/2020:14:25:31 /travel/bulgaria/food/ DE, Germany 23/Sep/2020:14:25:26 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:25:14 /travel/turkey/mountain-trek/?s=tb US, United States 23/Sep/2020:14:25:13 /open-source/ US, United States 23/Sep/2020:14:25:12 /travel/usa/new-york-phone-booths/ DE, Germany 23/Sep/2020:14:24:18 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:24:15 /open-source/google-freebsd-tls/apache-http2-php.html FR, France 23/Sep/2020:14:24:08 /travel/belgium/belgian-beers/mappa-mundo.html US, United States 23/Sep/2020:14:23:52 /technical/dsl/ DE, Germany 23/Sep/2020:14:23:25 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:23:19 /open-source/sendmail-ssl.html US, United States 23/Sep/2020:14:22:58 /travel/japan/kofun/Index.html BR, Brazil 23/Sep/2020:14:22:33 /open-source/samba-active-directory/ DE, Germany 23/Sep/2020:14:22:17 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:22:10 /open-source/rhel-centos-5-6-7-8/ US, United States 23/Sep/2020:14:22:00 /travel/usa/north-carolina/ US, United States 23/Sep/2020:14:21:19 /cybersecurity/isc2-cissp/ DE, Germany 23/Sep/2020:14:21:15 /open-source/performance-tuning/ethernet.html JP, Japan 23/Sep/2020:14:21:10 /travel/russia/before-and-after.html US, United States 23/Sep/2020:14:21:00 /technical/dsl/ US, United States 23/Sep/2020:14:20:44 /travel/france/normandy/reenactors.html US, United States 23/Sep/2020:14:20:21 /cybersecurity/physical.html DE, Germany 23/Sep/2020:14:20:20 /open-source/performance-tuning/ethernet.html US, United States 23/Sep/2020:14:20:07 /technical/dsl/ US, United States 23/Sep/2020:14:20:03 /3d/xray/ US, United States 23/Sep/2020:14:19:51 /brewing/brewing-references.html US, United States 23/Sep/2020:14:19:23 /travel/japan/nikko/takino-shrine-path.html?s=tb FR, France 23/Sep/2020:14:19:17 / FR, France 23/Sep/2020:14:18:32 /travel/syria/hamah.html US, United States 23/Sep/2020:14:18:25 /open-source/sendmail-ssl.html MD, Moldova, Republic of 23/Sep/2020:14:18:22 /technical/current-box.html US, United States 23/Sep/2020:14:18:17 /open-source/stig-compliance.html US, United States 23/Sep/2020:14:17:35 /travel/bulgaria/veliko-tarnovo/ US, United States 23/Sep/2020:14:17:28 /open-source/nginx-tls-1.3/ US, United States 23/Sep/2020:14:17:00 /open-source/sendmail-ssl.html BR, Brazil 23/Sep/2020:14:16:54 /open-source/samba-active-directory/ RU, Russian Federation 23/Sep/2020:14:16:38 /travel/france/saint-denis/ RU, Russian Federation 23/Sep/2020:14:16:37 /travel/france/saint-denis/Index.html US, United States 23/Sep/2020:14:16:30 /open-source/windows-xp-with-office-2007.html IE, Ireland 23/Sep/2020:14:16:22 /travel/france/school-lunch-menus/ IE, Ireland 23/Sep/2020:14:16:22 /turkish/ IE, Ireland 23/Sep/2020:14:16:21 /radio/power-meter.html FR, France 23/Sep/2020:14:16:07 /travel/france/avignon/avignon-papacy.html?s=tb FR, France 23/Sep/2020:14:16:06 /travel/italy/napoli/?s=tb FR, France 23/Sep/2020:14:16:04 /travel/japan/kofun/empress-iwa-no-hime.html?s=tb FR, France 23/Sep/2020:14:16:04 /travel/japan/kofun/saki-gouran.html?s=tb FR, France 23/Sep/2020:14:16:03 /travel/greece/mykonos.html?s=tb GB, United Kingdom 23/Sep/2020:14:16:00 /travel/france/coulee-verte/

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, through are orange shifting to yellow, through are shades of green, the /16 networks through about are shades of blue, then it's shades of purple into magenta for the /24 networks and up through

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:


# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);

Other Pages