Rack of Ethernet switches.

Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

34.205.93.2 US, United States 23/Sep/2020:14:46:35 /robots.txt
86.82.15.251 NL, Netherlands 23/Sep/2020:14:46:26 /
159.215.251.39 FR, France 23/Sep/2020:14:46:23 /open-source/lvm-rescue-boot.html
193.106.242.79 RU, Russian Federation 23/Sep/2020:14:46:00 /open-source/keyboard-mouse.html
193.106.242.79 RU, Russian Federation 23/Sep/2020:14:45:59 /open-source/
185.191.171.1 MD, Moldova, Republic of 23/Sep/2020:14:45:32 /travel/france/marseille/coast-road.html
185.191.171.18 MD, Moldova, Republic of 23/Sep/2020:14:45:32 /robots.txt
3.235.55.188 US, United States 23/Sep/2020:14:45:13 /travel/usa/new-york-st-marks-place/
148.72.152.238 US, United States 23/Sep/2020:14:45:13 /open-source/performance-tuning/file-systems.html
46.222.169.210 ES, Spain 23/Sep/2020:14:45:09 /travel/usa/new-york-st-marks-place/
98.156.139.28 US, United States 23/Sep/2020:14:45:05 /travel/france/normandy/brecourt-manor.html
67.160.214.10 US, United States 23/Sep/2020:14:45:04 /open-source/performance-tuning/file-systems.html
213.205.82.126 PT, Portugal 23/Sep/2020:14:44:50 /travel/usa/new-york-phone-booths/
94.130.167.120 DE, Germany 23/Sep/2020:14:44:41 /travel/uk/scotland-isle-of-iona/iona.html?s=tb
66.249.66.63 US, United States 23/Sep/2020:14:44:34 /travel/usa/us-wash-masonic.html
50.254.133.121 US, United States 23/Sep/2020:14:44:06 /travel/uk/scotland-isle-of-iona/iona.html?s=tb
199.16.157.180 US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb
17.58.100.82 US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb
199.59.150.180 US, United States 23/Sep/2020:14:44:01 /travel/uk/scotland-isle-of-iona/iona.html?s=tb
213.205.82.126 PT, Portugal 23/Sep/2020:14:43:56 /travel/usa/new-york-phone-booths/
66.249.92.37 US, United States 23/Sep/2020:14:43:40 /cybersecurity/privacy-policy.html
34.123.115.50 US, United States 23/Sep/2020:14:43:35 /ads.txt
80.69.45.206 DE, Germany 23/Sep/2020:14:43:17 /open-source/performance-tuning/ethernet.html
54.85.97.142 US, United States 23/Sep/2020:14:42:39 /cybersecurity/isc2-ccsp/
119.81.99.165 SG, Singapore 23/Sep/2020:14:42:36 /ads.txt
199.166.0.106 US, United States 23/Sep/2020:14:42:23 /open-source/xsane-invalid-argument.html
80.69.45.206 DE, Germany 23/Sep/2020:14:42:22 /open-source/performance-tuning/ethernet.html
157.45.78.36 IN, India 23/Sep/2020:14:42:09 /open-source/openbsd-qemu-windows-howto.html
45.79.161.118 US, United States 23/Sep/2020:14:42:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb
45.79.161.118 US, United States 23/Sep/2020:14:42:01 /robots.txt
15.236.143.36 US, United States 23/Sep/2020:14:41:43 /cybersecurity/isc2-ccsp/
98.156.139.28 US, United States 23/Sep/2020:14:41:20 /travel/france/normandy/brecourt-manor.html
80.69.45.206 DE, Germany 23/Sep/2020:14:41:17 /open-source/performance-tuning/ethernet.html
54.36.148.138 FR, France 23/Sep/2020:14:41:11 /cybersecurity/cyberwar/kyrgyzstan.html
74.206.143.58 CA, Canada 23/Sep/2020:14:40:57 /open-source/xsane-invalid-argument.html
99.240.136.47 CA, Canada 23/Sep/2020:14:40:56 /travel/france/avignon/corrupt-popes.html
74.64.143.201 US, United States 23/Sep/2020:14:40:47 /travel/usa/new-york-fictional-architecture/upper-west-side.html
42.236.49.21 CN, China 23/Sep/2020:14:40:46 /
42.236.49.21 CN, China 23/Sep/2020:14:40:42 /
54.36.148.157 FR, France 23/Sep/2020:14:40:28 /open-source/raspberry-pi/networking.html
38.143.100.13 US, United States 23/Sep/2020:14:40:18 /
80.69.45.206 DE, Germany 23/Sep/2020:14:40:17 /open-source/performance-tuning/ethernet.html
157.55.39.7 US, United States 23/Sep/2020:14:40:01 /travel/france/thomas-jefferson/
94.130.167.94 DE, Germany 23/Sep/2020:14:39:46 /travel/japan/kofun/empress-hibasuhime.html?s=tb
94.130.167.94 DE, Germany 23/Sep/2020:14:39:46 /robots.txt
80.69.45.206 DE, Germany 23/Sep/2020:14:39:17 /open-source/performance-tuning/ethernet.html
40.77.167.50 US, United States 23/Sep/2020:14:39:17 /technical/bios.html
212.252.119.37 TR, Turkey 23/Sep/2020:14:39:08 /technical/html4-or-xhtml-to-html5.html
198.27.82.205 CA, Canada 23/Sep/2020:14:39:08 /travel/japan/kofun/empress-hibasuhime.html?s=tb
17.58.100.82 US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb
199.59.150.181 US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb
199.59.150.183 US, United States 23/Sep/2020:14:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb
84.104.238.23 NL, Netherlands 23/Sep/2020:14:38:45 /open-source/performance-tuning/tcp.html
84.104.238.23 NL, Netherlands 23/Sep/2020:14:38:45 /open-source/performance-tuning/tcp.html
84.104.238.23 NL, Netherlands 23/Sep/2020:14:38:44 /open-source/performance-tuning/disks.html
116.206.137.46 MM, Myanmar 23/Sep/2020:14:38:42 /open-source/linux-amd-radeon-gpu/
207.46.13.247 US, United States 23/Sep/2020:14:38:39 /radio/tv-antenna.html?s=tb
84.104.238.23 NL, Netherlands 23/Sep/2020:14:38:36 /open-source/performance-tuning/
80.69.45.206 DE, Germany 23/Sep/2020:14:38:17 /open-source/performance-tuning/ethernet.html
66.249.66.34 US, United States 23/Sep/2020:14:37:52 /travel/turkey/hatusas/
80.69.45.206 DE, Germany 23/Sep/2020:14:37:25 /open-source/performance-tuning/ethernet.html
66.249.66.63 US, United States 23/Sep/2020:14:37:23 /robots.txt
66.249.66.37 US, United States 23/Sep/2020:14:37:22 /turkish/word-order.html
98.156.139.28 US, United States 23/Sep/2020:14:37:02 /travel/france/normandy/brecourt-manor.html
174.23.46.137 US, United States 23/Sep/2020:14:36:55 /technical/dsl/
104.154.186.69 US, United States 23/Sep/2020:14:36:48 /travel/usa/new-york-fictional-architecture/upper-west-side.html
84.104.238.23 NL, Netherlands 23/Sep/2020:14:36:43 /open-source/performance-tuning/file-systems.html
104.162.77.26 US, United States 23/Sep/2020:14:36:19 /travel/usa/new-york-revolutionary/
86.174.90.195 GB, United Kingdom 23/Sep/2020:14:36:03 /travel/france/provence-megaliths/
80.69.45.206 DE, Germany 23/Sep/2020:14:35:31 /open-source/performance-tuning/ethernet.html
54.36.148.138 FR, France 23/Sep/2020:14:35:20 /radio/internet-radio.html
172.8.169.115 US, United States 23/Sep/2020:14:35:16 /networking/commands.html
17.58.100.82 US, United States 23/Sep/2020:14:35:14 /3d/extrema.html
66.249.66.34 US, United States 23/Sep/2020:14:34:54 /travel/greece/delos.html
67.207.169.237 US, United States 23/Sep/2020:14:34:24 /open-source/samba-active-directory/
193.28.37.160 Unknown 23/Sep/2020:14:34:22 /travel/france/coulee-verte/
82.46.151.72 GB, United Kingdom 23/Sep/2020:14:34:17 /open-source/nginx-tls-1.3/running-tls-1.3.html
80.69.45.206 DE, Germany 23/Sep/2020:14:34:16 /open-source/performance-tuning/ethernet.html
18.233.194.247 US, United States 23/Sep/2020:14:34:05 /robots.txt
171.240.151.160 VN, Vietnam 23/Sep/2020:14:33:26 /open-source/performance-tuning/nfs.html
171.240.151.160 VN, Vietnam 23/Sep/2020:14:33:26 /robots.txt
80.69.45.206 DE, Germany 23/Sep/2020:14:33:16 /open-source/performance-tuning/ethernet.html
174.99.101.255 US, United States 23/Sep/2020:14:32:57 /open-source/sendmail-ssl.html
173.66.122.214 US, United States 23/Sep/2020:14:32:26 /turkish/verbs.html
78.1.67.20 HR, Croatia 23/Sep/2020:14:32:19 /open-source/build-packages.html
80.69.45.206 DE, Germany 23/Sep/2020:14:32:17 /open-source/performance-tuning/ethernet.html
192.16.250.131 CA, Canada 23/Sep/2020:14:31:44 /open-source/rhel-centos-5-6-7-8/
35.227.62.178 US, United States 23/Sep/2020:14:31:43 /open-source/openbsd-qemu-windows-howto.html
82.1.58.145 GB, United Kingdom 23/Sep/2020:14:31:42 /open-source/raspberry-pi/sdr-getting-started.html
80.69.45.206 DE, Germany 23/Sep/2020:14:31:16 /open-source/performance-tuning/ethernet.html
54.240.197.226 IE, Ireland 23/Sep/2020:14:31:10 /open-source/performance-tuning/tcp.html
212.51.150.144 CH, Switzerland 23/Sep/2020:14:30:50 /open-source/openbsd-wireless-wpa2.html
18.212.142.240 US, United States 23/Sep/2020:14:30:38 /cybersecurity/isc2-cissp/
80.69.45.206 DE, Germany 23/Sep/2020:14:30:19 /open-source/performance-tuning/ethernet.html
66.249.66.38 US, United States 23/Sep/2020:14:30:11 /cybersecurity/intrusion.html
38.143.100.13 US, United States 23/Sep/2020:14:29:45 /cybersecurity/isc2-cissp/
156.68.220.138 US, United States 23/Sep/2020:14:29:44 /open-source/migrate-rhel-to-centos.html
54.36.148.180 FR, France 23/Sep/2020:14:29:33 /fun/santaism.html
3.237.71.23 US, United States 23/Sep/2020:14:29:28 /radio/fort-tuthill.html
3.237.71.23 US, United States 23/Sep/2020:14:29:27 /robots.txt
80.69.45.206 DE, Germany 23/Sep/2020:14:29:18 /open-source/performance-tuning/ethernet.html
137.254.7.164 US, United States 23/Sep/2020:14:28:32 /open-source/linux-break-in-howto.html
80.69.45.206 DE, Germany 23/Sep/2020:14:28:16 /open-source/performance-tuning/ethernet.html
3.223.183.74 US, United States 23/Sep/2020:14:28:06 /open-source/openbsd-qemu-windows-howto.html
54.197.222.220 US, United States 23/Sep/2020:14:28:04 /ads.txt
54.197.222.220 US, United States 23/Sep/2020:14:28:04 /robots.txt
98.11.255.28 US, United States 23/Sep/2020:14:28:02 /open-source/openbsd-qemu-windows-howto.html
185.27.182.30 DE, Germany 23/Sep/2020:14:27:50 /open-source/performance-tuning/ethernet.html
199.166.0.120 US, United States 23/Sep/2020:14:27:48 /travel/italy/paestum/
80.69.45.206 DE, Germany 23/Sep/2020:14:27:22 /open-source/performance-tuning/ethernet.html
54.164.31.157 US, United States 23/Sep/2020:14:27:05 /technical/dsl/
80.69.45.206 DE, Germany 23/Sep/2020:14:26:19 /open-source/performance-tuning/ethernet.html
98.156.139.28 US, United States 23/Sep/2020:14:26:08 /travel/france/normandy/brecourt-manor.html
185.191.171.5 MD, Moldova, Republic of 23/Sep/2020:14:25:32 /travel/belgium/bastogne-ardennes/bastogne.html
54.36.148.189 FR, France 23/Sep/2020:14:25:31 /travel/bulgaria/food/
80.69.45.206 DE, Germany 23/Sep/2020:14:25:26 /open-source/performance-tuning/ethernet.html
40.77.167.50 US, United States 23/Sep/2020:14:25:14 /travel/turkey/mountain-trek/?s=tb
35.196.166.114 US, United States 23/Sep/2020:14:25:13 /open-source/
67.244.64.5 US, United States 23/Sep/2020:14:25:12 /travel/usa/new-york-phone-booths/
80.69.45.206 DE, Germany 23/Sep/2020:14:24:18 /open-source/performance-tuning/ethernet.html
35.196.166.114 US, United States 23/Sep/2020:14:24:15 /open-source/google-freebsd-tls/apache-http2-php.html
54.36.148.245 FR, France 23/Sep/2020:14:24:08 /travel/belgium/belgian-beers/mappa-mundo.html
107.77.209.181 US, United States 23/Sep/2020:14:23:52 /technical/dsl/
80.69.45.206 DE, Germany 23/Sep/2020:14:23:25 /open-source/performance-tuning/ethernet.html
52.23.181.33 US, United States 23/Sep/2020:14:23:19 /open-source/sendmail-ssl.html
66.249.66.34 US, United States 23/Sep/2020:14:22:58 /travel/japan/kofun/Index.html
200.152.98.200 BR, Brazil 23/Sep/2020:14:22:33 /open-source/samba-active-directory/
80.69.45.206 DE, Germany 23/Sep/2020:14:22:17 /open-source/performance-tuning/ethernet.html
174.23.27.87 US, United States 23/Sep/2020:14:22:10 /open-source/rhel-centos-5-6-7-8/
157.55.39.181 US, United States 23/Sep/2020:14:22:00 /travel/usa/north-carolina/
3.82.59.57 US, United States 23/Sep/2020:14:21:19 /cybersecurity/isc2-cissp/
80.69.45.206 DE, Germany 23/Sep/2020:14:21:15 /open-source/performance-tuning/ethernet.html
147.92.153.16 JP, Japan 23/Sep/2020:14:21:10 /travel/russia/before-and-after.html
107.77.231.115 US, United States 23/Sep/2020:14:21:00 /technical/dsl/
40.77.167.27 US, United States 23/Sep/2020:14:20:44 /travel/france/normandy/reenactors.html
216.163.176.52 US, United States 23/Sep/2020:14:20:21 /cybersecurity/physical.html
80.69.45.206 DE, Germany 23/Sep/2020:14:20:20 /open-source/performance-tuning/ethernet.html
96.247.138.213 US, United States 23/Sep/2020:14:20:07 /technical/dsl/
35.196.166.114 US, United States 23/Sep/2020:14:20:03 /3d/xray/
66.249.66.63 US, United States 23/Sep/2020:14:19:51 /brewing/brewing-references.html
40.77.167.27 US, United States 23/Sep/2020:14:19:23 /travel/japan/nikko/takino-shrine-path.html?s=tb
91.240.109.1 FR, France 23/Sep/2020:14:19:17 /
54.36.148.138 FR, France 23/Sep/2020:14:18:32 /travel/syria/hamah.html
54.164.31.157 US, United States 23/Sep/2020:14:18:25 /open-source/sendmail-ssl.html
185.191.171.19 MD, Moldova, Republic of 23/Sep/2020:14:18:22 /technical/current-box.html
172.97.98.42 US, United States 23/Sep/2020:14:18:17 /open-source/stig-compliance.html
66.249.66.34 US, United States 23/Sep/2020:14:17:35 /travel/bulgaria/veliko-tarnovo/
35.196.166.114 US, United States 23/Sep/2020:14:17:28 /open-source/nginx-tls-1.3/
54.224.25.142 US, United States 23/Sep/2020:14:17:00 /open-source/sendmail-ssl.html
200.152.98.200 BR, Brazil 23/Sep/2020:14:16:54 /open-source/samba-active-directory/
93.158.161.51 RU, Russian Federation 23/Sep/2020:14:16:38 /travel/france/saint-denis/
93.158.161.51 RU, Russian Federation 23/Sep/2020:14:16:37 /travel/france/saint-denis/Index.html
66.249.66.34 US, United States 23/Sep/2020:14:16:30 /open-source/windows-xp-with-office-2007.html
34.244.174.21 IE, Ireland 23/Sep/2020:14:16:22 /travel/france/school-lunch-menus/
34.244.174.21 IE, Ireland 23/Sep/2020:14:16:22 /turkish/
34.244.174.21 IE, Ireland 23/Sep/2020:14:16:21 /radio/power-meter.html
37.187.162.192 FR, France 23/Sep/2020:14:16:07 /travel/france/avignon/avignon-papacy.html?s=tb
37.187.162.165 FR, France 23/Sep/2020:14:16:06 /travel/italy/napoli/?s=tb
37.187.162.126 FR, France 23/Sep/2020:14:16:04 /travel/japan/kofun/empress-iwa-no-hime.html?s=tb
37.187.162.192 FR, France 23/Sep/2020:14:16:04 /travel/japan/kofun/saki-gouran.html?s=tb
37.187.162.183 FR, France 23/Sep/2020:14:16:03 /travel/greece/mykonos.html?s=tb
5.80.31.150 GB, United Kingdom 23/Sep/2020:14:16:00 /travel/france/coulee-verte/

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages