Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

3.215.182.81 US, United States 01/Apr/2020:16:22:49 /robots.txt
190.161.107.253 CL, Chile 01/Apr/2020:16:21:38 /travel/chile/santiago/?s=tb
45.19.108.252 US, United States 01/Apr/2020:16:21:29 /open-source/openbsd-qemu-windows-howto.html
77.88.5.157 RU, Russian Federation 01/Apr/2020:16:21:04 /cybersecurity/monitoring.html
199.16.157.183 US, United States 01/Apr/2020:16:20:46 /travel/latvia/?s=tb
199.16.157.181 US, United States 01/Apr/2020:16:20:46 /travel/greece/greek-islands.html?s=tb
77.77.216.209 BA, Bosnia and Herzegovina 01/Apr/2020:16:20:08 /technical/ata-ide-sata-usb-cable-pinouts.html
54.36.148.134 FR, France 01/Apr/2020:16:20:07 /text/reports/5great.4.txt
114.119.163.6 CN, China 01/Apr/2020:16:20:00 /robots.txt
87.117.55.165 RU, Russian Federation 01/Apr/2020:16:19:52 /open-source/rpm-patch.html
66.249.79.238 US, United States 01/Apr/2020:16:19:47 /travel/greece/ferries.html
35.187.132.163 US, United States 01/Apr/2020:16:18:18 /travel/japan/kofun/empress-koken.html?s=tb
76.248.86.118 US, United States 01/Apr/2020:16:18:09 /travel/france/school-lunch-menus/
80.108.113.132 AT, Austria 01/Apr/2020:16:18:01 /open-source/openbsd-qemu-windows-howto.html
148.64.56.114 GB, United Kingdom 01/Apr/2020:16:17:52 /radio/ic-3220.html
68.4.251.71 US, United States 01/Apr/2020:16:17:39 /open-source/raspberry-pi/openvas.html
66.249.79.174 US, United States 01/Apr/2020:16:17:16 /travel/uk/scotland-grit-boxes/
108.44.201.13 US, United States 01/Apr/2020:16:16:43 /open-source/stig-compliance.html
14.192.214.55 MY, Malaysia 01/Apr/2020:16:16:31 /technical/convert-youtube-to-xvid.html
23.114.120.64 US, United States 01/Apr/2020:16:16:29 /travel/usa/new-york-mcgees/
23.114.120.64 US, United States 01/Apr/2020:16:16:23 /travel/usa/new-york-mcgees/
77.88.5.157 RU, Russian Federation 01/Apr/2020:16:16:22 /travel/canada/canada-vs-us/?s=tweetbot
66.249.79.240 US, United States 01/Apr/2020:16:16:13 /travel/france/boat/
68.57.194.24 US, United States 01/Apr/2020:16:16:13 /open-source/pdf-not-authorized.html
147.92.111.200 US, United States 01/Apr/2020:16:16:09 /turkish/nouns.html
54.229.246.235 IE, Ireland 01/Apr/2020:16:15:45 /travel/poland/?s=tb
194.29.32.129 IL, Israel 01/Apr/2020:16:15:13 /travel/japan/kofun/empress-koken.html?s=tb
194.29.32.129 IL, Israel 01/Apr/2020:16:15:12 /travel/japan/kofun/empress-koken.html?s=tb
95.183.3.17 US, United States 01/Apr/2020:16:14:58 /ads.txt
14.192.214.55 MY, Malaysia 01/Apr/2020:16:14:08 /technical/convert-youtube-to-xvid.html
174.55.176.78 US, United States 01/Apr/2020:16:14:05 /open-source/tar-and-ssh.html
66.249.79.238 US, United States 01/Apr/2020:16:14:04 /open-source/linux-kernel.html
77.88.5.157 RU, Russian Federation 01/Apr/2020:16:13:53 /open-source/ssh-3-user.html
54.211.167.138 US, United States 01/Apr/2020:16:13:45 /
107.77.237.171 US, United States 01/Apr/2020:16:13:32 /technical/dsl/
97.127.237.198 US, United States 01/Apr/2020:16:12:56 /technical/dsl/
93.142.91.138 HR, Croatia 01/Apr/2020:16:12:06 /turkish/verbs.html
141.193.221.33 ES, Spain 01/Apr/2020:16:12:06 /radio/hf-short-dipoles.html
75.163.213.70 US, United States 01/Apr/2020:16:11:35 /radio/tv-antenna.html
3.85.242.83 US, United States 01/Apr/2020:16:11:29 /radio/ic-3220.html
3.88.25.162 US, United States 01/Apr/2020:16:11:24 /radio/ic-3220.html
3.88.25.162 US, United States 01/Apr/2020:16:11:24 /robots.txt
2.134.75.143 KZ, Kazakhstan 01/Apr/2020:16:11:23 /turkish/turkish-nouns.pdf
161.11.133.16 US, United States 01/Apr/2020:16:11:20 /radio/ic-3220.html
2.134.75.143 KZ, Kazakhstan 01/Apr/2020:16:11:18 /turkish/nouns.html
122.150.212.238 AU, Australia 01/Apr/2020:16:11:10 /travel/japan/tokyo-harajuku/omotesando.html?s=tb
122.150.212.238 AU, Australia 01/Apr/2020:16:11:10 /travel/japan/tokyo-harajuku/omotesando.html?s=tb
2.134.75.143 KZ, Kazakhstan 01/Apr/2020:16:11:03 /turkish/orthography.html
2.134.75.143 KZ, Kazakhstan 01/Apr/2020:16:10:47 /turkish/background.html
66.249.79.238 US, United States 01/Apr/2020:16:10:46 /site-map.html
192.151.178.180 CA, Canada 01/Apr/2020:16:10:32 /technical/dsl/
140.194.140.55 US, United States 01/Apr/2020:16:10:24 /radio/probes.html
34.236.13.164 US, United States 01/Apr/2020:16:10:16 /travel/japan/kofun/empress-koken.html?s=tb
116.202.35.86 IN, India 01/Apr/2020:16:10:00 /travel/japan/kofun/empress-koken.html?s=tb
37.187.165.195 FR, France 01/Apr/2020:16:09:52 /travel/japan/kofun/empress-koken.html?s=tb
50.254.133.121 US, United States 01/Apr/2020:16:09:10 /travel/japan/kofun/empress-koken.html?s=tb
17.58.101.13 US, United States 01/Apr/2020:16:09:10 /travel/japan/kofun/empress-koken.html?s=tb
107.178.200.174 US, United States 01/Apr/2020:16:09:06 /travel/japan/kofun/empress-koken.html?s=tb
192.99.44.57 CA, Canada 01/Apr/2020:16:09:04 /travel/japan/kofun/empress-koken.html?s=tb
192.99.47.125 CA, Canada 01/Apr/2020:16:09:04 /travel/japan/kofun/empress-koken.html?s=tb
17.58.101.13 US, United States 01/Apr/2020:16:09:01 /travel/japan/kofun/empress-koken.html?s=tb
199.59.150.181 US, United States 01/Apr/2020:16:09:00 /travel/japan/kofun/empress-koken.html?s=tb
66.249.79.240 US, United States 01/Apr/2020:16:08:21 /3d/histogram/
85.10.207.195 DE, Germany 01/Apr/2020:16:08:04 /cybersecurity/basics/Index.html
85.10.207.195 DE, Germany 01/Apr/2020:16:08:02 /robots.txt
46.229.168.142 US, United States 01/Apr/2020:16:07:52 /open-source/compiling-opencv-on-openbsd.html
54.236.1.12 US, United States 01/Apr/2020:16:07:18 /travel/usa/montgomery-alabama/
82.132.237.185 GB, United Kingdom 01/Apr/2020:16:07:18 /technical/dsl/
213.205.200.54 GB, United Kingdom 01/Apr/2020:16:07:07 /technical/bios.html
99.72.225.233 US, United States 01/Apr/2020:16:07:05 /travel/uk/swingate-chain-home/
54.36.149.219 FR, France 01/Apr/2020:16:07:01 /travel/france/boat/maintenance.html
76.22.119.73 US, United States 01/Apr/2020:16:06:47 /travel/japan/katakana-hiragana/
128.179.254.21 CH, Switzerland 01/Apr/2020:16:06:44 /open-source/pdf-not-authorized.html
66.102.8.179 US, United States 01/Apr/2020:16:06:31 /turkish/nouns.html
54.147.105.31 US, United States 01/Apr/2020:16:05:55 /travel/france/normandy/utah-beach.html
68.114.100.208 US, United States 01/Apr/2020:16:05:42 /travel/france/normandy/utah-beach.html
90.37.194.113 FR, France 01/Apr/2020:16:05:36 /open-source/pdf-not-authorized.html
114.119.165.147 CN, China 01/Apr/2020:16:05:31 /technical/dsl/Index.html
77.88.5.157 RU, Russian Federation 01/Apr/2020:16:04:58 /3d/histogram/
195.176.112.47 CH, Switzerland 01/Apr/2020:16:04:43 /3d/histogram/
40.77.167.94 US, United States 01/Apr/2020:16:04:13 /cybersecurity/stack-hardening.html?ref=driverlayer.com
173.252.79.6 US, United States 01/Apr/2020:16:03:43 /technical/dsl/
17.58.101.13 US, United States 01/Apr/2020:16:03:28 /open-source/microphone.html
18.206.97.13 US, United States 01/Apr/2020:16:02:50 /open-source/rhel-centos-5-6-7-8/users-groups.html
66.249.79.238 US, United States 01/Apr/2020:16:02:38 /travel/france/etretat-fecamp/
199.209.144.5 US, United States 01/Apr/2020:16:02:36 /open-source/rhel-centos-5-6-7-8/users-groups.html
211.26.108.4 AU, Australia 01/Apr/2020:16:02:25 /fun/fingerbox/
104.56.59.129 US, United States 01/Apr/2020:16:01:43 /technical/dsl/
17.58.101.13 US, United States 01/Apr/2020:16:01:32 /3d/trilobite.html
217.196.90.142 AT, Austria 01/Apr/2020:16:00:23 /open-source/migrate-rhel-to-centos.html
173.239.197.210 US, United States 01/Apr/2020:15:59:53 /open-source/crashdumps.html
82.27.182.43 GB, United Kingdom 01/Apr/2020:15:59:48 /cybersecurity/backdoors.html
46.229.168.137 US, United States 01/Apr/2020:15:59:40 /open-source/linux-break-in-howto.html
46.139.3.141 HU, Hungary 01/Apr/2020:15:59:21 /travel/italy/driving.html
77.75.79.36 CZ, Czech Republic 01/Apr/2020:15:59:09 /robots.txt
46.229.168.135 US, United States 01/Apr/2020:15:59:02 /open-source/rpm-patch.html
46.229.168.152 US, United States 01/Apr/2020:15:59:00 /robots.txt
46.229.168.139 US, United States 01/Apr/2020:15:58:59 /robots.txt
114.119.161.105 CN, China 01/Apr/2020:15:58:56 /cybersecurity/pki-failures.html
85.115.60.201 FR, France 01/Apr/2020:15:58:55 /
213.205.200.54 GB, United Kingdom 01/Apr/2020:15:58:40 /technical/bios.html
94.23.61.181 FR, France 01/Apr/2020:15:58:29 /radio/tek2445a.html
66.249.79.238 US, United States 01/Apr/2020:15:58:13 /travel/france/boat/
46.229.168.130 US, United States 01/Apr/2020:15:57:53 /travel/usa/new-york-st-marks-place/1st-a-south.html
208.157.183.80 US, United States 01/Apr/2020:15:57:47 /travel/usa/us-wash-masonic.html
81.243.136.135 BE, Belgium 01/Apr/2020:15:57:34 /open-source/linux-kernel-details.html
93.216.74.1 DE, Germany 01/Apr/2020:15:57:09 /open-source/samba-active-directory/deployment.html
66.249.79.238 US, United States 01/Apr/2020:15:56:55 /radio/tv-antenna.html
77.111.247.106 EU, Europe 01/Apr/2020:15:56:48 /open-source/samba-active-directory/freebsd-raspberry-pi.html
14.240.77.89 VN, Vietnam 01/Apr/2020:15:56:47 /radio/probes.html
149.154.161.1 GB, United Kingdom 01/Apr/2020:15:56:44 /open-source/canon-pixma-printer-scanner.html
192.12.45.229 US, United States 01/Apr/2020:15:56:38 /technical/dsl/
3.94.53.126 US, United States 01/Apr/2020:15:55:22 /open-source/bluray.html
52.91.56.250 US, United States 01/Apr/2020:15:55:15 /networking/wan-specs.html
82.203.141.71 FI, Finland 01/Apr/2020:15:55:10 /open-source/pictures/Blu-ray_Disc.svg
165.214.11.89 US, United States 01/Apr/2020:15:55:10 /technical/dsl/
82.203.141.71 FI, Finland 01/Apr/2020:15:55:09 /open-source/bluray.html
18.206.156.184 US, United States 01/Apr/2020:15:55:06 /networking/wan-specs.html
72.21.217.99 US, United States 01/Apr/2020:15:55:05 /robots.txt
64.184.9.180 US, United States 01/Apr/2020:15:55:03 /networking/wan-specs.html
207.46.13.212 US, United States 01/Apr/2020:15:55:02 /travel/belgium/belgian-beers/delirium-tremens.html
130.180.193.249 PL, Poland 01/Apr/2020:15:54:48 /
174.250.65.175 US, United States 01/Apr/2020:15:54:36 /travel/usa/us-wash-masonic.html
92.39.138.110 RU, Russian Federation 01/Apr/2020:15:53:32 /open-source/tar-and-ssh.html
99.203.29.184 US, United States 01/Apr/2020:15:52:48 /open-source/vim-word-count.html
37.201.5.102 DE, Germany 01/Apr/2020:15:52:32 /technical/samsung-galaxy/linux.html
86.157.194.215 GB, United Kingdom 01/Apr/2020:15:52:28 /technical/hdmi.html
114.119.167.164 CN, China 01/Apr/2020:15:52:22 /cybersecurity/forensics.html
107.77.225.59 US, United States 01/Apr/2020:15:52:22 /technical/dsl/
54.172.6.165 US, United States 01/Apr/2020:15:52:03 /technical/hdmi.html
203.78.120.202 ID, Indonesia 01/Apr/2020:15:52:03 /technical/convert-youtube-to-xvid.html
46.229.168.135 US, United States 01/Apr/2020:15:51:57 /travel/usa/detroit/detroit-part2.html
3.214.209.95 US, United States 01/Apr/2020:15:51:51 /ads.txt
17.58.101.13 US, United States 01/Apr/2020:15:51:51 /russian/cyrillic.sty
86.157.194.215 GB, United Kingdom 01/Apr/2020:15:51:47 /technical/hdmi.html
90.197.128.181 GB, United Kingdom 01/Apr/2020:15:51:40 /turkish/word-order.html
66.249.79.240 US, United States 01/Apr/2020:15:51:13 /travel/uk/orkney-west-coast-walk/
67.162.124.176 US, United States 01/Apr/2020:15:50:56 /travel/france/aix-en-provence/
148.64.56.69 GB, United Kingdom 01/Apr/2020:15:50:29 /travel/france/aix-en-provence/
148.64.56.68 GB, United Kingdom 01/Apr/2020:15:50:28 /travel/france/aix-en-provence/
148.64.56.69 GB, United Kingdom 01/Apr/2020:15:50:28 /travel/france/aix-en-provence/
89.38.151.245 FR, France 01/Apr/2020:15:50:08 /travel/japan/shinto-buddhism/buddhism.html?s=tb
2.134.75.143 KZ, Kazakhstan 01/Apr/2020:15:49:41 /turkish/
195.176.112.47 CH, Switzerland 01/Apr/2020:15:49:32 /3d/histogram/
148.64.56.115 GB, United Kingdom 01/Apr/2020:15:49:20 /travel/chile/santiago/
148.64.56.126 GB, United Kingdom 01/Apr/2020:15:49:19 /travel/chile/santiago/
148.64.56.126 GB, United Kingdom 01/Apr/2020:15:49:18 /travel/chile/santiago/
91.64.20.166 DE, Germany 01/Apr/2020:15:48:58 /open-source/grub-vga-modes.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages