Rack of Ethernet switches.

Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

34.228.143.13 US, United States 22/Feb/2019:20:09:00 /robots.txt
190.210.82.163 AR, Argentina 22/Feb/2019:20:08:47 /open-source/sendmail-ssl.html
209.159.210.172 US, United States 22/Feb/2019:20:08:21 /open-source/pdf-not-authorized.html
76.64.122.3 CA, Canada 22/Feb/2019:20:08:08 /open-source/sendmail-ssl.html
77.75.78.162 CZ, Czech Republic 22/Feb/2019:20:07:40 /cybersecurity/regulations.html
18.223.108.8 US, United States 22/Feb/2019:20:07:29 /
40.77.167.36 US, United States 22/Feb/2019:20:06:46 /fun/freudian-seuss.html
66.249.79.151 US, United States 22/Feb/2019:20:06:40 /open-source/rhel-centos-5-6-7-8/logging.html
77.75.78.162 CZ, Czech Republic 22/Feb/2019:20:06:35 /robots.txt
46.24.58.131 ES, Spain 22/Feb/2019:20:06:35 /open-source/linux-boot.html
148.64.56.115 GB, United Kingdom 22/Feb/2019:20:06:09 /turkish/orthography.html
95.163.255.147 RU, Russian Federation 22/Feb/2019:20:06:06 /robots.txt
89.101.242.130 IE, Ireland 22/Feb/2019:20:05:52 /open-source/performance-tuning/nfs.html
180.76.15.10 CN, China 22/Feb/2019:20:05:32 /travel/bulgaria/food/
90.202.23.235 GB, United Kingdom 22/Feb/2019:20:04:14 /turkish/background.html
192.69.253.141 US, United States 22/Feb/2019:20:04:10 /travel/belgium/bastogne-ardennes/bastogne.html
74.134.76.95 US, United States 22/Feb/2019:20:04:01 /open-source/raspberry-pi/openvas.html
207.46.13.140 US, United States 22/Feb/2019:20:03:58 /cybersecurity/physical.html
66.249.79.153 US, United States 22/Feb/2019:20:03:26 /open-source/raspberry-pi/ads-b-antenna.html
72.24.138.70 US, United States 22/Feb/2019:20:03:10 /networking/nat.html
40.77.167.178 US, United States 22/Feb/2019:20:02:52 /travel/uk/scotland-pitlochry/
159.53.110.143 US, United States 22/Feb/2019:20:02:52 /technical/dsl/
207.46.13.140 US, United States 22/Feb/2019:20:02:46 /travel/mexico/teotihuacan.html
90.202.23.235 GB, United Kingdom 22/Feb/2019:20:02:30 /turkish/
157.166.167.132 US, United States 22/Feb/2019:20:01:40 /travel/uk/lee-ho-fook/
94.162.138.10 IT, Italy 22/Feb/2019:20:00:44 /open-source/openbsd-qemu-windows-howto.html
192.69.253.141 US, United States 22/Feb/2019:20:00:23 /travel/belgium/bastogne-ardennes/ardennes-forest.html
66.249.79.153 US, United States 22/Feb/2019:20:00:13 /steampunk/lamp.html
12.9.239.78 US, United States 22/Feb/2019:20:00:09 /open-source/performance-tuning/tcp.html
40.77.167.36 US, United States 22/Feb/2019:20:00:01 /cybersecurity/
198.23.235.90 US, United States 22/Feb/2019:19:59:35 /travel/usa/new-york-skate-manhattan/
54.36.148.21 FR, France 22/Feb/2019:19:59:09 /fun/sarah-palin-baby-name-generator.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:58:40 /turkish/verbs.html
35.185.104.155 US, United States 22/Feb/2019:19:58:26 /
35.185.104.155 US, United States 22/Feb/2019:19:58:26 /robots.txt
35.185.104.155 US, United States 22/Feb/2019:19:58:25 /robots.txt
54.36.148.29 FR, France 22/Feb/2019:19:57:59 /open-source/letsencrypt-tls-cert-godaddy.html
213.87.147.144 RU, Russian Federation 22/Feb/2019:19:57:55 /turkish/background.html
67.183.149.200 US, United States 22/Feb/2019:19:57:20 /technical/dsl/
62.44.134.29 DK, Denmark 22/Feb/2019:19:57:13 /technical/dsl/
157.34.99.78 IN, India 22/Feb/2019:19:56:59 /technical/dsl/
213.87.147.144 RU, Russian Federation 22/Feb/2019:19:56:48 /turkish/
157.34.99.78 IN, India 22/Feb/2019:19:56:34 /technical/dsl/
186.193.207.10 BR, Brazil 22/Feb/2019:19:55:57 /open-source/rhel-centos-5-6-7-8/
213.87.147.144 RU, Russian Federation 22/Feb/2019:19:55:47 /turkish/
35.185.104.155 US, United States 22/Feb/2019:19:55:41 /robots.txt
148.64.56.125 GB, United Kingdom 22/Feb/2019:19:54:41 /travel/usa/detroit/detroit-part3.html
107.218.168.23 US, United States 22/Feb/2019:19:54:40 /radio/tv-antenna.html
190.160.185.52 CL, Chile 22/Feb/2019:19:54:03 /
158.26.2.172 US, United States 22/Feb/2019:19:54:02 /radio/rf-spectrum.html
212.178.237.12 RS, Serbia 22/Feb/2019:19:53:54 /open-source/sendmail-ssl.html
213.166.69.172 GB, United Kingdom 22/Feb/2019:19:53:50 /travel/usa/new-york-obama/
66.249.79.151 US, United States 22/Feb/2019:19:53:47 /travel/mexico/leon-trotsky.html
66.231.242.207 US, United States 22/Feb/2019:19:53:24 /open-source/compiling-wireshark-on-openbsd.html
148.64.56.75 GB, United Kingdom 22/Feb/2019:19:51:21 /3d/xray/lightbox.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:51:12 /turkish/word-order.html
180.76.15.34 CN, China 22/Feb/2019:19:50:49 /russian/
93.85.68.137 BY, Belarus 22/Feb/2019:19:50:43 /open-source/nginx-tls-1.3/running-tls-1.3.html
66.249.79.155 US, United States 22/Feb/2019:19:50:34 /travel/uk/glastonbury/holy-grail.html
17.58.98.240 US, United States 22/Feb/2019:19:50:18 /open-source/sysfs.html
54.36.148.98 FR, France 22/Feb/2019:19:50:16 /open-source/raspberry-pi/
12.198.157.83 US, United States 22/Feb/2019:19:50:12 /travel/usa/new-york-mcgees/
52.90.131.158 US, United States 22/Feb/2019:19:50:08 /
37.187.162.185 FR, France 22/Feb/2019:19:50:03 /travel/mexico/cholula-puebla.html?s=tweetbot
85.109.244.252 TR, Turkey 22/Feb/2019:19:50:03 /turkish/background.html
67.183.149.200 US, United States 22/Feb/2019:19:50:02 /technical/dsl/
54.159.167.42 US, United States 22/Feb/2019:19:49:55 /robots.txt
52.203.48.105 US, United States 22/Feb/2019:19:49:55 /turkish/language-reform.html
24.155.208.156 US, United States 22/Feb/2019:19:49:52 /
24.155.208.156 US, United States 22/Feb/2019:19:49:52 /robots.txt
85.109.244.252 TR, Turkey 22/Feb/2019:19:49:48 /turkish/language-reform.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:49:47 /turkish/language-reform.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:49:39 /turkish/verbs.html
134.134.139.76 US, United States 22/Feb/2019:19:49:23 /open-source/sysfs.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:49:11 /turkish/orthography.html
103.6.176.130 HK, Hong Kong 22/Feb/2019:19:49:00 /travel/turkey/trains/
85.109.244.252 TR, Turkey 22/Feb/2019:19:48:34 /turkish/
85.109.244.252 TR, Turkey 22/Feb/2019:19:48:30 /turkish/background.html
207.46.13.150 US, United States 22/Feb/2019:19:48:30 /3d/xray/
85.109.244.252 TR, Turkey 22/Feb/2019:19:48:29 /turkish/background.html
85.109.244.252 TR, Turkey 22/Feb/2019:19:48:28 /turkish/background.html
147.103.67.167 US, United States 22/Feb/2019:19:48:08 /open-source/openbsd-qemu-windows-howto.html
148.64.56.122 GB, United Kingdom 22/Feb/2019:19:47:52 /travel/usa/detroit/
66.249.79.155 US, United States 22/Feb/2019:19:47:23 /open-source/performance-tuning/
85.109.244.252 TR, Turkey 22/Feb/2019:19:46:59 /turkish/word-order.html
23.80.151.20 US, United States 22/Feb/2019:19:46:47 /cybersecurity/public-key.html
23.80.151.20 US, United States 22/Feb/2019:19:46:45 /pubs.html
23.80.151.20 US, United States 22/Feb/2019:19:46:44 /
23.80.151.20 US, United States 22/Feb/2019:19:46:43 /travel/
23.80.151.20 US, United States 22/Feb/2019:19:46:41 /open-source/
23.80.151.20 US, United States 22/Feb/2019:19:46:39 /cybersecurity/
23.80.151.20 US, United States 22/Feb/2019:19:46:38 /networking/
54.36.150.5 FR, France 22/Feb/2019:19:46:37 /travel/turkey/buses/Index.html
23.80.151.20 US, United States 22/Feb/2019:19:46:36 /technical/
23.80.151.20 US, United States 22/Feb/2019:19:46:35 /radio/
23.80.151.20 US, United States 22/Feb/2019:19:46:32 /site-map.html
23.80.151.20 US, United States 22/Feb/2019:19:46:31 /open-source/google-freebsd-tls/apache-http2-php.html
23.80.151.20 US, United States 22/Feb/2019:19:46:29 /open-source/nginx-tls-1.3/
23.80.151.20 US, United States 22/Feb/2019:19:46:27 /cybersecurity/privacy-policy.html
23.80.151.20 US, United States 22/Feb/2019:19:46:26 /cybersecurity/root-password.html
23.80.151.20 US, United States 22/Feb/2019:19:46:25 /contact.html
185.161.200.10 JP, Japan 22/Feb/2019:19:46:23 /open-source/build-packages.html
23.80.151.20 US, United States 22/Feb/2019:19:46:21 /contact.html
207.46.13.150 US, United States 22/Feb/2019:19:46:19 /travel/usa/venice-california/Index.html
40.77.167.36 US, United States 22/Feb/2019:19:45:45 /travel/usa/new-york-marvel/Index.html
86.167.175.253 GB, United Kingdom 22/Feb/2019:19:44:13 /travel/mexico/cholula-puebla.html?s=tweetbot
46.151.143.29 PL, Poland 22/Feb/2019:19:43:48 /technical/bios.html
88.99.195.200 DE, Germany 22/Feb/2019:19:43:24 /travel/mexico/cholula-puebla.html?s=tweetbot
71.221.74.177 US, United States 22/Feb/2019:19:43:11 /technical/dsl/
208.66.210.139 US, United States 22/Feb/2019:19:43:02 /turkish/nouns.html

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages