Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

43.154.250.181 JP, Japan 13/Jul/2025:08:17:53 /cybersecurity/hostile/bagel.html
43.153.192.98 JP, Japan 13/Jul/2025:08:17:49 /cybersecurity/hostile/mydoom.m.html
79.112.28.241 RO, Romania 13/Jul/2025:08:17:46 /cybersecurity/history/uss-chaumont/history.html?s=mc
79.112.28.241 RO, Romania 13/Jul/2025:08:17:40 /cybersecurity/cyberwar/china.html?s=mc
79.112.28.241 RO, Romania 13/Jul/2025:08:17:40 /cybersecurity/pki-failures.html?s=mc
114.119.138.107 CN, China 13/Jul/2025:08:17:26 /3d/raytrace/
79.112.28.241 RO, Romania 13/Jul/2025:08:17:16 /open-source/google-freebsd-tls/apache-http2-php.html?s=mc
162.120.186.114 US, United States 13/Jul/2025:08:16:32 /travel/usa/new-york-lga-arrival/
79.112.28.241 RO, Romania 13/Jul/2025:08:16:32 /open-source/performance-tuning/tcp.html?s=mc
116.179.32.50 CN, China 13/Jul/2025:08:16:09 /travel/usa/new-york-jewish-les/
114.119.132.101 CN, China 13/Jul/2025:08:16:04 /travel/greece/ferries.html
47.242.183.144 US, United States 13/Jul/2025:08:15:56 /robots.txt
176.133.2.125 FR, France 13/Jul/2025:08:15:21 /blog/2023/01/03-whats-up-with-my-social-media.html
176.133.2.125 FR, France 13/Jul/2025:08:15:20 /
51.222.253.20 FR, France 13/Jul/2025:08:14:57 /sitemap.txt
45.92.124.119 Unknown 13/Jul/2025:08:14:31 /travel/chile/la-serena/
43.130.26.3 JP, Japan 13/Jul/2025:08:14:17 /travel/greece/patmos/monastery-hora.html
17.241.227.14 US, United States 13/Jul/2025:08:14:12 /travel/france/canal-du-midi/la-redorte-to-trebes.html
54.156.51.252 US, United States 13/Jul/2025:08:13:57 /travel/usa/new-york-hunter-s-thompson/
47.242.180.54 US, United States 13/Jul/2025:08:13:38 /robots.txt
43.165.135.242 JP, Japan 13/Jul/2025:08:12:58 /travel/greece/patmos/skala.html
101.33.81.73 CN, China 13/Jul/2025:08:12:47 /cybersecurity/hostile/gibe-f-worm.html
18.97.9.101 US, United States 13/Jul/2025:08:11:59 /open-source/performance-tuning/tcp.html
47.206.212.96 US, United States 13/Jul/2025:08:11:46 /travel/usa/ghostbusters/?s=mb
152.53.17.226 US, United States 13/Jul/2025:08:11:24 /
47.128.48.109 CA, Canada 13/Jul/2025:08:11:03 /travel/japan/ise/outer-shrine.html
43.155.162.41 JP, Japan 13/Jul/2025:08:10:40 /travel/greece/patmos/ferry-to-patmos.html
49.51.141.76 CN, China 13/Jul/2025:08:10:34 /cybersecurity/generalinfo.html
47.242.167.47 US, United States 13/Jul/2025:08:10:28 /robots.txt
152.136.141.88 CN, China 13/Jul/2025:08:10:24 /travel/japan/osaka/
152.136.141.88 CN, China 13/Jul/2025:08:10:24 /travel/japan/osaka/
43.133.66.51 JP, Japan 13/Jul/2025:08:10:10 /cybersecurity/generalinfo.html
178.136.42.73 UA, Ukraine 13/Jul/2025:08:10:06 /
52.167.144.24 US, United States 13/Jul/2025:08:09:53 /travel/belgium/bastogne-ardennes/bastogne.html
185.105.252.12 DE, Germany 13/Jul/2025:08:09:52 /
90.8.209.196 FR, France 13/Jul/2025:08:09:35 /rss.xml
43.155.26.193 JP, Japan 13/Jul/2025:08:09:25 /travel/usa/new-york-hp-lovecraft/
199.7.140.227 US, United States 13/Jul/2025:08:09:03 /blog/2023/01/03-whats-up-with-my-social-media.html
199.7.140.227 US, United States 13/Jul/2025:08:09:02 /
134.195.88.104 US, United States 13/Jul/2025:08:09:02 /blog/2023/01/03-whats-up-with-my-social-media.html
134.195.88.104 US, United States 13/Jul/2025:08:09:01 /
51.89.167.62 FR, France 13/Jul/2025:08:09:01 /blog/2023/01/03-whats-up-with-my-social-media.html
80.136.55.50 DE, Germany 13/Jul/2025:08:09:01 /
185.242.182.169 IT, Italy 13/Jul/2025:08:09:01 /blog/2023/01/03-whats-up-with-my-social-media.html
129.154.240.238 US, United States 13/Jul/2025:08:09:00 /blog/2023/01/03-whats-up-with-my-social-media.html
144.86.176.11 US, United States 13/Jul/2025:08:09:00 /blog/2023/01/03-whats-up-with-my-social-media.html
149.202.73.232 FR, France 13/Jul/2025:08:09:00 /blog/2023/01/03-whats-up-with-my-social-media.html
152.44.41.71 US, United States 13/Jul/2025:08:09:00 /blog/2023/01/03-whats-up-with-my-social-media.html
51.89.167.62 FR, France 13/Jul/2025:08:09:00 /
185.242.182.169 IT, Italy 13/Jul/2025:08:09:00 /
144.86.176.11 US, United States 13/Jul/2025:08:08:59 /
152.44.41.71 US, United States 13/Jul/2025:08:08:59 /
99.110.187.42 US, United States 13/Jul/2025:08:08:59 /blog/2023/01/03-whats-up-with-my-social-media.html
149.202.73.232 FR, France 13/Jul/2025:08:08:59 /
129.154.240.238 US, United States 13/Jul/2025:08:08:59 /
99.110.187.42 US, United States 13/Jul/2025:08:08:59 /
80.208.77.88 DK, Denmark 13/Jul/2025:08:08:58 /blog/2023/01/03-whats-up-with-my-social-media.html
185.161.147.228 DE, Germany 13/Jul/2025:08:08:58 /blog/2023/01/03-whats-up-with-my-social-media.html
80.208.77.88 DK, Denmark 13/Jul/2025:08:08:57 /
185.161.147.228 DE, Germany 13/Jul/2025:08:08:57 /
148.251.28.156 DE, Germany 13/Jul/2025:08:08:57 /blog/2023/01/03-whats-up-with-my-social-media.html
72.84.104.199 US, United States 13/Jul/2025:08:08:56 /blog/2023/01/03-whats-up-with-my-social-media.html
148.251.28.156 DE, Germany 13/Jul/2025:08:08:56 /
72.84.104.199 US, United States 13/Jul/2025:08:08:56 /
136.49.65.185 US, United States 13/Jul/2025:08:08:54 /
51.79.30.245 FR, France 13/Jul/2025:08:08:45 /
93.181.36.225 DE, Germany 13/Jul/2025:08:08:40 /
141.95.205.41 GB, United Kingdom 13/Jul/2025:08:08:37 /
62.144.160.17 DE, Germany 13/Jul/2025:08:08:28 /
43.157.191.20 JP, Japan 13/Jul/2025:08:07:54 /cybersecurity/isc2-ccsp/standards-and-regulations.html
78.105.216.131 GB, United Kingdom 13/Jul/2025:08:07:48 /
45.33.108.151 US, United States 13/Jul/2025:08:07:47 /
5.78.125.38 IR, Iran, Islamic Republic of 13/Jul/2025:08:07:39 /
44.231.121.60 US, United States 13/Jul/2025:08:07:39 /cybersecurity/basics/02-smart-phone-and-tablet.html
152.53.12.35 US, United States 13/Jul/2025:08:07:38 /
18.116.10.49 US, United States 13/Jul/2025:08:07:35 /cybersecurity/basics/02-smart-phone-and-tablet.html
38.40.2.176 US, United States 13/Jul/2025:08:07:35 /open-source/google-freebsd-tls/apache-http2-php.html?s=mc
138.199.149.193 EU, Europe 13/Jul/2025:08:07:29 /
43.156.232.190 JP, Japan 13/Jul/2025:08:07:22 /travel/usa/providence/poe.html
116.203.93.86 IN, India 13/Jul/2025:08:07:21 /robots.txt
167.71.128.79 US, United States 13/Jul/2025:08:07:15 /blog/2023/01/03-whats-up-with-my-social-media.html
167.71.128.79 US, United States 13/Jul/2025:08:07:14 /
45.26.230.243 US, United States 13/Jul/2025:08:07:13 /
47.242.143.59 US, United States 13/Jul/2025:08:07:10 /robots.txt
138.201.80.102 DE, Germany 13/Jul/2025:08:07:10 /
57.128.95.182 BE, Belgium 13/Jul/2025:08:07:05 /
79.112.28.241 RO, Romania 13/Jul/2025:08:07:05 /
176.9.51.79 DE, Germany 13/Jul/2025:08:06:59 /
94.16.121.77 DE, Germany 13/Jul/2025:08:06:57 /
129.154.43.68 US, United States 13/Jul/2025:08:06:55 /rss.xml
119.28.89.249 CN, China 13/Jul/2025:08:06:38 /cybersecurity/router-update.html
172.213.21.155 GB, United Kingdom 13/Jul/2025:08:06:26 /travel/athens-to-paris/gura-humorului-sighisoara.html
188.172.228.185 CA, Canada 13/Jul/2025:08:06:16 /
161.0.249.164 TT, Trinidad and Tobago 13/Jul/2025:08:06:08 /
159.69.240.81 DE, Germany 13/Jul/2025:08:06:07 /open-source/performance-tuning/tcp.html?s=mc
88.203.186.24 BG, Bulgaria 13/Jul/2025:08:06:04 /cybersecurity/
5.135.138.119 FR, France 13/Jul/2025:08:05:56 /
176.9.62.110 DE, Germany 13/Jul/2025:08:05:48 /open-source/kmail-to-thunderbird.html
64.23.175.205 US, United States 13/Jul/2025:08:05:38 /
104.163.156.230 CA, Canada 13/Jul/2025:08:05:23 /
17.241.75.227 US, United States 13/Jul/2025:08:05:22 /cybersecurity/isc2-ccsp/
100.29.130.36 US, United States 13/Jul/2025:08:05:20 /open-source/pdf-not-authorized.html
86.103.32.140 DE, Germany 13/Jul/2025:08:05:20 /open-source/performance-tuning/tcp.html?s=mc
213.152.162.170 NL, Netherlands 13/Jul/2025:08:05:07 /
152.53.17.226 US, United States 13/Jul/2025:08:05:06 /open-source/performance-tuning/tcp.html?s=mc
62.78.170.21 FI, Finland 13/Jul/2025:08:05:05 /
158.178.142.106 GB, United Kingdom 13/Jul/2025:08:05:03 /open-source/performance-tuning/tcp.html?s=mc
49.12.190.69 IN, India 13/Jul/2025:08:05:02 /
38.40.2.176 US, United States 13/Jul/2025:08:04:55 /open-source/performance-tuning/tcp.html?s=mc
73.72.253.9 US, United States 13/Jul/2025:08:04:54 /
144.6.168.79 AU, Australia 13/Jul/2025:08:04:52 /
65.108.197.116 US, United States 13/Jul/2025:08:04:52 /
45.13.7.85 Unknown 13/Jul/2025:08:04:48 /
101.33.80.42 CN, China 13/Jul/2025:08:04:47 /cybersecurity/software.html
81.187.158.77 GB, United Kingdom 13/Jul/2025:08:04:40 /open-source/kmail-to-thunderbird.html
52.167.144.214 US, United States 13/Jul/2025:08:04:35 /travel/greece/orthodox-shrines.html?s=mc
37.205.15.177 CZ, Czech Republic 13/Jul/2025:08:04:35 /
216.73.216.1 US, United States 13/Jul/2025:08:04:30 /open-source/ipv6-comcast-surfboard.html
216.73.216.1 US, United States 13/Jul/2025:08:04:30 /robots.txt
97.106.24.119 US, United States 13/Jul/2025:08:04:18 /
81.187.213.114 GB, United Kingdom 13/Jul/2025:08:04:15 /
51.222.253.16 FR, France 13/Jul/2025:08:04:13 /
43.155.157.239 JP, Japan 13/Jul/2025:08:04:13 /travel/usa/new-york-fictional-architecture/greenwich-village.html
205.185.116.26 US, United States 13/Jul/2025:08:04:08 /
188.239.191.25 CZ, Czech Republic 13/Jul/2025:08:03:43 /
66.148.120.148 US, United States 13/Jul/2025:08:03:38 /open-source/python-social-media-automation/?s=mc
115.234.109.15 CN, China 13/Jul/2025:08:03:37 /cybersecurity/attack-study/200.213.105.90-i192-list.html
195.154.100.87 FR, France 13/Jul/2025:08:03:35 /
71.246.109.155 US, United States 13/Jul/2025:08:03:30 /
74.70.92.106 US, United States 13/Jul/2025:08:03:29 /open-source/python-social-media-automation/?s=mc
57.128.119.15 BE, Belgium 13/Jul/2025:08:03:22 /
89.117.150.132 LT, Lithuania 13/Jul/2025:08:03:18 /
213.239.231.118 DE, Germany 13/Jul/2025:08:02:36 /open-source/python-social-media-automation/?s=mc
43.131.23.154 JP, Japan 13/Jul/2025:08:02:33 /cybersecurity/mobile-phone-security/
108.90.170.17 US, United States 13/Jul/2025:08:02:27 /
80.221.119.8 FI, Finland 13/Jul/2025:08:02:08 /open-source/performance-tuning/tcp.html?s=mc
217.58.122.215 IT, Italy 13/Jul/2025:08:02:05 /
20.25.151.235 US, United States 13/Jul/2025:08:01:57 /open-source/rhel-oracle-centos-6-7-8-9/storage.html
18.97.9.101 US, United States 13/Jul/2025:08:01:54 /travel/syria/logistics.html
47.242.153.15 US, United States 13/Jul/2025:08:01:48 /robots.txt
52.255.111.4 US, United States 13/Jul/2025:08:01:39 /
83.138.55.178 RU, Russian Federation 13/Jul/2025:08:01:39 /open-source/python-social-media-automation/?s=mc
88.97.52.255 GB, United Kingdom 13/Jul/2025:08:01:36 /open-source/performance-tuning/tcp.html?s=mc
173.231.63.134 US, United States 13/Jul/2025:08:01:32 /
91.151.16.101 DE, Germany 13/Jul/2025:08:01:24 /open-source/python-social-media-automation/?s=mc
64.185.234.194 US, United States 13/Jul/2025:08:01:21 /open-source/python-social-media-automation/?s=mc
78.46.70.104 DE, Germany 13/Jul/2025:08:01:18 /open-source/performance-tuning/tcp.html?s=mc
78.46.70.104 DE, Germany 13/Jul/2025:08:01:18 /open-source/performance-tuning/tcp.html?s=mc
172.105.103.112 US, United States 13/Jul/2025:08:01:17 /
116.202.168.100 IN, India 13/Jul/2025:08:01:15 /
195.201.111.25 DE, Germany 13/Jul/2025:08:01:14 /open-source/python-social-media-automation/?s=mc
68.252.16.184 US, United States 13/Jul/2025:08:01:13 /open-source/python-social-media-automation/?s=mc
141.95.205.41 GB, United Kingdom 13/Jul/2025:08:01:13 /
72.14.199.100 US, United States 13/Jul/2025:08:01:10 /open-source/python-social-media-automation/?s=mb
13.222.54.194 US, United States 13/Jul/2025:08:01:10 /ads.txt
40.77.167.0 US, United States 13/Jul/2025:08:01:04 /open-source/kodi/
143.244.177.66 US, United States 13/Jul/2025:08:01:04 /open-source/python-social-media-automation/?s=mc
97.106.24.119 US, United States 13/Jul/2025:08:01:04 /open-source/python-social-media-automation/?s=mc

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

Geolocate IP

You can use a service such as Abstract's IP geolocation to check if the conversion was successful, or if the client IP address is the exit portal of a VPN.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages