Rack of Ethernet switches.

Visualizing Log Patterns with Color

Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result, then the explanation comes later. Here are the most recent client requests, starting most recent first. Your request for this page won't appear there as it isn't complete by the time this page was automatically generated with PHP. But if you reload the page you should see your initial request near the top.

197.211.61.8 18/Jun/2018:03:39:19 /open-source/multiboot-windows-openbsd/
54.81.71.219 18/Jun/2018:03:39:18 /cybersecurity/linux-hardening.html
202.1.179.23 18/Jun/2018:03:39:13 /radio/tv-antenna.html
54.81.71.219 18/Jun/2018:03:39:01 /travel/turkey/goreme/
54.88.17.122 18/Jun/2018:03:38:55 /travel/russia/sankt-peterburg.html
35.173.201.164 18/Jun/2018:03:38:52 /travel/russia/sankt-peterburg.html
68.107.120.142 18/Jun/2018:03:38:50 /travel/russia/sankt-peterburg.html
54.81.71.219 18/Jun/2018:03:38:44 /technical/
66.102.6.33 18/Jun/2018:03:38:38 /travel/belgium/bastogne-ardennes/background.html
54.81.71.219 18/Jun/2018:03:38:28 /travel/france/mont-saint-michel-saint-malo/mont-saint-michel.html
202.1.179.23 18/Jun/2018:03:38:17 /radio/tv-antenna.html
54.81.71.219 18/Jun/2018:03:38:11 /travel/egypt/sinai.html
157.55.39.211 18/Jun/2018:03:38:09 /open-source/linux-commands.html
54.81.71.219 18/Jun/2018:03:37:54 /3d/
54.81.71.219 18/Jun/2018:03:37:38 /3d/xray/
72.51.112.29 18/Jun/2018:03:37:29 /travel/uk/ben-nevis/
54.81.71.219 18/Jun/2018:03:37:22 /fun/
54.81.71.219 18/Jun/2018:03:37:05 /russian/
54.81.71.219 18/Jun/2018:03:36:49 /3d/morphometrics.html
54.36.148.34 18/Jun/2018:03:36:46 /cybersecurity/history/dl3g/Index.html
54.81.71.219 18/Jun/2018:03:36:30 /networking/wan-specs.html
207.46.13.18 18/Jun/2018:03:36:23 /travel/usa/new-york-sro-flophouses/shutdown.html
64.62.252.164 18/Jun/2018:03:36:18 /robots.txt
54.81.71.219 18/Jun/2018:03:36:15 /travel/greece/greek/lessons-001-005.html
34.207.142.133 18/Jun/2018:03:36:04 /travel/france/normandy/utah-beach-hike.html
71.239.44.160 18/Jun/2018:03:36:02 /travel/france/normandy/utah-beach-hike.html
180.76.15.145 18/Jun/2018:03:36:00 /radio/
54.81.71.219 18/Jun/2018:03:35:57 /travel/greece/trains.html
174.20.194.16 18/Jun/2018:03:35:40 /travel/france/normandy/omaha-beach.html
54.81.71.219 18/Jun/2018:03:35:39 /networking/routing.html
54.81.71.219 18/Jun/2018:03:35:20 /networking/switch-programming.html
180.76.15.147 18/Jun/2018:03:35:05 /robots.txt
54.81.71.219 18/Jun/2018:03:35:04 /3d/raytrace/spinner.html
180.76.15.8 18/Jun/2018:03:35:03 /oliver-cromwell/crom-fu-fighting.html
54.81.71.219 18/Jun/2018:03:34:47 /travel/greece/greek/lessons-011-015.html
54.81.71.219 18/Jun/2018:03:34:31 /travel/greece/meteora.html
54.81.71.219 18/Jun/2018:03:34:14 /3d/raytrace/fishray.html
174.237.8.228 18/Jun/2018:03:34:05 /radio/
54.81.71.219 18/Jun/2018:03:33:58 /travel/greece/delos.html
54.172.231.1 18/Jun/2018:03:33:45 /travel/athens-to-paris/sofia-veliko-tarnovo.html
54.81.71.219 18/Jun/2018:03:33:40 /turkish/orthography.html
54.88.17.122 18/Jun/2018:03:33:29 /travel/usa/new-york-st-marks-place/3rd-2nd-south.html
54.81.71.219 18/Jun/2018:03:33:24 /travel/greece/bus-travel.html
73.46.57.28 18/Jun/2018:03:33:24 /travel/usa/new-york-st-marks-place/3rd-2nd-south.html
72.14.199.119 18/Jun/2018:03:33:16 /travel/uk/glastonbury/king-arthur.html
154.20.136.144 18/Jun/2018:03:33:14 /travel/uk/glastonbury/king-arthur.html
54.81.71.219 18/Jun/2018:03:33:07 /travel/france/mont-saint-michel-saint-malo/Index.html
54.81.71.219 18/Jun/2018:03:32:51 /travel/greece/paros.html
54.81.71.219 18/Jun/2018:03:32:33 /turkish/nouns.html
54.81.71.219 18/Jun/2018:03:32:18 /travel/usa/new-york-st-marks-place/2nd-1st-north.html
54.172.231.1 18/Jun/2018:03:32:14 /cybersecurity/history/uss-chaumont/photos-other.html
54.81.71.219 18/Jun/2018:03:31:58 /fun/teaching/math-trouble.html
180.76.15.18 18/Jun/2018:03:31:53 /technical/search-engine-optimization-howto.html
54.81.71.219 18/Jun/2018:03:31:41 /open-source/google-freebsd-tls/apache-log-cache.html
66.102.8.151 18/Jun/2018:03:31:35 /turkish/verbs.html
54.81.71.219 18/Jun/2018:03:31:21 /turkish/Index.html
54.81.71.219 18/Jun/2018:03:31:04 /fun/brilliant-movie-ideas/robert-ludlum.html
54.81.71.219 18/Jun/2018:03:30:44 /travel/usa/new-york-internet/Index.html
207.46.13.18 18/Jun/2018:03:30:25 /travel/greece/trains.html
54.81.71.219 18/Jun/2018:03:30:25 /technical/ata-ide-sata-usb-cable-pinouts.html
157.55.39.77 18/Jun/2018:03:30:18 /turkish/word-order.html
54.81.71.219 18/Jun/2018:03:30:03 /travel/usa/montgomery-alabama/Index.html
54.81.71.219 18/Jun/2018:03:29:45 /fun/college.html
207.46.13.99 18/Jun/2018:03:29:29 /travel/turkey/ephesus/acts.html
54.81.71.219 18/Jun/2018:03:29:27 /travel/belgium/belgian-beers/a-la-becasse.html
24.127.94.54 18/Jun/2018:03:29:22 /turkish/turkish-suffixes.html
5.255.250.200 18/Jun/2018:03:29:21 /cybersecurity/crypto/hash.html
5.255.250.200 18/Jun/2018:03:29:19 /robots.txt
54.81.71.219 18/Jun/2018:03:29:10 /technical/convert-youtube-to-xvid.html
5.255.250.17 18/Jun/2018:03:28:59 /open-source/pictures/Akonadi-Logo.svg
54.81.71.219 18/Jun/2018:03:28:52 /open-source/file-system.html
72.14.199.121 18/Jun/2018:03:28:46 /russian/latex.html
123.63.87.185 18/Jun/2018:03:28:42 /russian/latex.html
54.81.71.219 18/Jun/2018:03:28:34 /open-source/qemu-unix.html
54.81.71.219 18/Jun/2018:03:28:15 /networking/cisco.html
5.255.250.17 18/Jun/2018:03:28:04 /travel/athens-to-paris/sighisoara-budapest.html
54.81.71.219 18/Jun/2018:03:27:56 /networking/wlan-specs.html
54.81.71.219 18/Jun/2018:03:27:36 /travel/turkey/trains/Index.html
217.165.99.123 18/Jun/2018:03:27:25 /
54.81.71.219 18/Jun/2018:03:27:18 /3d/sensor-design.html
5.255.250.17 18/Jun/2018:03:27:17 /travel/uk/scotland-grit-boxes/
54.81.71.219 18/Jun/2018:03:26:41 /fun/brilliant-movie-ideas/deja-viewed.html
54.81.71.219 18/Jun/2018:03:26:22 /travel/belgium/bastogne-ardennes/bastogne.html
54.81.71.219 18/Jun/2018:03:26:04 /open-source/ssh-1-admin.html
5.255.250.17 18/Jun/2018:03:26:00 /3d/xray/
54.81.71.219 18/Jun/2018:03:25:45 /cybersecurity/syslog-tls-cloud.html
5.255.250.17 18/Jun/2018:03:25:32 /open-source/samba-active-directory/summary.html
54.81.71.219 18/Jun/2018:03:25:28 /travel/china/hong-kong.html
5.255.250.17 18/Jun/2018:03:25:23 /cybersecurity/crypto/
5.255.250.17 18/Jun/2018:03:25:16 /travel/uk/bletchley-park/
54.36.148.35 18/Jun/2018:03:25:09 /travel/turkey/hatusas/
54.81.71.219 18/Jun/2018:03:25:08 /cybersecurity/attack-study/200.213.105.90-i192-list.html
190.204.154.53 18/Jun/2018:03:24:54 /travel/trinidad/port-of-spain.html
54.81.71.219 18/Jun/2018:03:24:50 /travel/uk/dover/Index.html
5.255.250.17 18/Jun/2018:03:24:29 /travel/france/mont-saint-michel-saint-malo/mont-saint-michel.html
54.81.71.219 18/Jun/2018:03:24:29 /open-source/performance-tuning/tcp.html
5.255.250.17 18/Jun/2018:03:24:11 /open-source/linux-break-in-howto.html
54.81.71.219 18/Jun/2018:03:24:08 /travel/japan/tokyo-asakusa/kappabashi.html
35.170.191.119 18/Jun/2018:03:23:58 /open-source/digital-camera.html
99.203.29.206 18/Jun/2018:03:23:50 /technical/dsl/
54.81.71.219 18/Jun/2018:03:23:47 /fun/requests-for-quotes/marlow-willard/Index.html
148.64.56.75 18/Jun/2018:03:23:45 /travel/turkey/mountain-trek/
66.249.79.25 18/Jun/2018:03:23:27 /travel/usa/new-york-jewish-les/houston-clinton-norfolk.html
54.81.71.219 18/Jun/2018:03:23:25 /travel/japan/osaka/Index.html
54.197.42.174 18/Jun/2018:03:23:13 /technical/samsung-galaxy/ringtones.html
54.81.71.219 18/Jun/2018:03:23:00 /cybersecurity/bulletins.html
54.81.71.219 18/Jun/2018:03:22:38 /radio/ic2sat.html
72.14.199.121 18/Jun/2018:03:22:26 /travel/turkey/temple-of-artemis/
54.172.231.1 18/Jun/2018:03:22:13 /travel/france/boat/maintenance.html
54.81.71.219 18/Jun/2018:03:22:11 /radio/j-poles.html
35.170.191.119 18/Jun/2018:03:21:58 /networking/vlan.html
54.166.169.78 18/Jun/2018:03:21:48 /travel/turkey/temple-of-artemis/
54.81.71.219 18/Jun/2018:03:21:47 /travel/usa/san-francisco-haight-ashbury/Index.html
104.13.195.137 18/Jun/2018:03:21:43 /travel/turkey/temple-of-artemis/
64.62.252.169 18/Jun/2018:03:21:29 /robots.txt
54.81.71.219 18/Jun/2018:03:21:20 /travel/turkey/ephesus/Index.html
54.237.251.68 18/Jun/2018:03:21:15 /cybersecurity/history/uss-chaumont/photos-navsourceorg.html
54.81.71.219 18/Jun/2018:03:20:46 /travel/belgium/belgian-beers/mappa-mundo.html
23.101.169.3 18/Jun/2018:03:20:38 /travel/japan/tokyo-asakusa/senso-ji.html
72.14.199.119 18/Jun/2018:03:20:29 /radio/probes.html
5.255.250.17 18/Jun/2018:03:20:20 /travel/usa/new-york-jewish-les/houston-clinton-norfolk.html
54.81.71.219 18/Jun/2018:03:20:10 /cybersecurity/syn1.html
172.2.181.46 18/Jun/2018:03:20:05 /radio/probes.html
54.88.17.122 18/Jun/2018:03:19:54 /travel/japan/koyasan/kongo-sanmai-in.html
54.173.184.243 18/Jun/2018:03:19:45 /open-source/tar-and-ssh.html
171.97.197.176 18/Jun/2018:03:19:42 /open-source/tar-and-ssh.html
17.58.102.12 18/Jun/2018:03:19:31 /open-source/google-freebsd-tls/
54.81.71.219 18/Jun/2018:03:19:14 /travel/france/normandy/utah-beach-hike.html
54.81.71.219 18/Jun/2018:03:19:13 /robots.txt
210.55.200.169 18/Jun/2018:03:17:33 /travel/france/school-lunch-menus/
216.244.66.242 18/Jun/2018:03:17:27 /robots.txt
23.101.169.3 18/Jun/2018:03:17:18 /travel/uk/glastonbury/
23.96.208.137 18/Jun/2018:03:17:15 /open-source/letsencrypt-tls-cert-godaddy.html
180.76.15.15 18/Jun/2018:03:17:11 /travel/uk/oxford-lewis-tolkien/
18.204.11.111 18/Jun/2018:03:15:44 /travel/usa/new-york-sro-flophouses/bowery-history.html
23.101.169.3 18/Jun/2018:03:15:31 /networking/wan-specs.html
190.204.154.53 18/Jun/2018:03:14:40 /travel/trinidad/port-of-spain.html
54.88.17.122 18/Jun/2018:03:11:56 /open-source/cluster.html
54.88.17.122 18/Jun/2018:03:11:55 /open-source/uefi.html
23.101.169.3 18/Jun/2018:03:10:22 /travel/france/boat/
54.88.17.122 18/Jun/2018:03:09:57 /travel/trinidad/port-of-spain.html
190.204.154.53 18/Jun/2018:03:09:42 /travel/trinidad/port-of-spain.html
23.101.169.3 18/Jun/2018:03:08:12 /travel/uk/glastonbury/chalice-spring-tor.html
76.181.192.141 18/Jun/2018:03:07:51 /open-source/raspberry-pi/sdr-ads-b-piaware-and-fr24feed.html
207.46.13.18 18/Jun/2018:03:07:21 /travel/russia/sankt-peterburg.html
73.195.249.143 18/Jun/2018:03:06:59 /open-source/tar-and-ssh.html
94.23.200.86 18/Jun/2018:03:05:24 /turkish/Index.html
94.23.200.86 18/Jun/2018:03:05:17 /robots.txt
94.23.200.86 18/Jun/2018:03:05:13 /turkish/
94.23.200.86 18/Jun/2018:03:05:09 /travel/usa/new-york-skate-manhattan/
94.23.200.86 18/Jun/2018:03:04:46 /travel/usa/new-york-mcgees/
136.243.70.68 18/Jun/2018:03:04:42 /open-source/letsencrypt-tls-cert-godaddy.html
136.243.70.68 18/Jun/2018:03:04:42 /robots.txt
94.23.200.86 18/Jun/2018:03:04:40 /travel/usa/

Here's what's going on.

Each line above is a request from a client, extracted from Apache's /var/www/logs/access_log file. The client IP address, timestamp, and requested path were selected with awk and the client IP address converted to a country if possible with geoiplookup.

The first 3 octets or first 24 bits of the IP address are used to specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range of 0-255 and printed as two-character hexadecimal in an HTML style string.

Low-numbered /8 networks appear as red, 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow, 50.0.0.0/8 through 110.0.0.0/8 are shades of green, the /16 networks 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue, then it's shades of purple into magenta for the /24 networks 192.0.0.0/24 and up through 223.255.255.0/24.

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 (or slightly less after the grep)
# grep		... just the requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -200 /var/www/logs/access_log |
	grep 'GET.*200' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
	while read IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup $CLIENTIP |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		echo $IP1 $IP2 $IP3 $IP4 $CLIENTIP $COUNTRY $TIMESTAMP $URL |
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			hue = 6*(ip1*255*255 + ip2*255 + ip3)/(255*255*255);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 

Other Pages