Visualizing Log Patterns with Color

Nginx and Apache Logs in Color

Web server logs reveal patterns of activity by web crawlers. Some are indexing crawlers operated by search engines, some are mysterious. Another pattern is systematic blind searches for vulnerable server-side executables or other configuration problems. The pattern you want to see is the interested user who follows some path through the hyperlinks on your site, taking time to read the pages.

Maybe we could use color to help spot these patterns?

Maybe...

First, let's look at the result; the explanation comes later. Here are the most recent client requests, newest first. Your request for this page won't appear there, as it wasn't complete when PHP generated this page. But if you reload the page you should see your initial request near the top.

176.63.30.99 HU, Hungary 06/May/2021:17:56:06 /travel/usa/new-york-phone-booths/
92.101.204.179 RU, Russian Federation 06/May/2021:17:56:04 /travel/usa/new-york-marvel/
2.228.232.177 IT, Italy 06/May/2021:17:55:36 /networking/vlan.html
135.245.48.77 US, United States 06/May/2021:17:54:59 /open-source/performance-tuning/nfs.html
116.179.32.217 CN, China 06/May/2021:17:54:13 /open-source/samba-active-directory/samba.html
3.227.0.150 US, United States 06/May/2021:17:54:09 /travel/latvia/
3.227.0.150 US, United States 06/May/2021:17:54:09 /robots.txt
80.215.13.56 FR, France 06/May/2021:17:54:01 /oliver-cromwell/crom-fu-fighting.html
66.249.79.3 US, United States 06/May/2021:17:53:22 /travel/uk/scapa-flow/Index.html
34.199.145.87 US, United States 06/May/2021:17:53:11 /ads.txt
46.9.150.225 NO, Norway 06/May/2021:17:52:55 /open-source/google-freebsd-tls/tls-certificate.html
183.90.160.2 VN, Vietnam 06/May/2021:17:52:38 /technical/convert-youtube-to-xvid.html
209.190.59.92 US, United States 06/May/2021:17:52:36 /open-source/migrate-rhel-to-centos.html
99.228.227.143 CA, Canada 06/May/2021:17:52:07 /open-source/performance-tuning/ethernet.html
204.15.208.36 Unknown 06/May/2021:17:52:00 /technical/hdmi.html
67.162.124.176 US, United States 06/May/2021:17:51:45 /cybersecurity/how-rsa-works.html?infolinks=no
193.186.4.105 IE, Ireland 06/May/2021:17:51:12 /technical/dsl/
178.250.0.51 FR, France 06/May/2021:17:51:09 /cybersecurity/scam-analysis.html
66.249.79.3 US, United States 06/May/2021:17:51:03 /travel/usa/new-york-revolutionary/catholic-worker.html
66.249.79.5 US, United States 06/May/2021:17:51:02 /travel/italy/amalfi/02-the-sights-in-amalfi-and-atrani.html
66.249.79.7 US, United States 06/May/2021:17:51:02 /travel/france/budget-hotels/
66.249.79.3 US, United States 06/May/2021:17:51:01 /travel/uk/edinburgh/
65.112.193.194 US, United States 06/May/2021:17:50:52 /open-source/migrate-rhel-to-centos.html
2.228.232.177 IT, Italy 06/May/2021:17:50:50 /cybersecurity/crypto/cipher-strength.html?s=tb
91.240.30.201 PL, Poland 06/May/2021:17:50:40 /travel/france/ronin/
93.158.161.51 RU, Russian Federation 06/May/2021:17:50:37 /site-map.html
93.158.161.51 RU, Russian Federation 06/May/2021:17:50:34 /robots.txt
193.186.4.101 IE, Ireland 06/May/2021:17:50:34 /technical/dsl/
40.77.167.72 US, United States 06/May/2021:17:50:18 /travel/usa/new-york-marvel/
54.224.123.153 US, United States 06/May/2021:17:50:12 /travel/usa/new-york-hp-lovecraft/
114.119.142.232 CN, China 06/May/2021:17:50:10 /travel/usa/new-york-jewish-les/stanton-rivington.html
74.119.119.41 US, United States 06/May/2021:17:50:10 /open-source/performance-tuning/disks.html
74.119.118.51 US, United States 06/May/2021:17:50:08 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
197.25.213.127 TN, Tunisia 06/May/2021:17:50:06 /3d/histogram/
148.72.152.247 US, United States 06/May/2021:17:50:04 /open-source/performance-tuning/disks.html
189.6.30.176 BR, Brazil 06/May/2021:17:49:57 /open-source/performance-tuning/disks.html
204.15.208.39 Unknown 06/May/2021:17:49:37 /travel/usa/new-york-phone-booths/
74.119.118.49 US, United States 06/May/2021:17:49:26 /open-source/package-management.html
45.225.214.27 AR, Argentina 06/May/2021:17:49:19 /open-source/package-management.html
35.155.29.68 US, United States 06/May/2021:17:49:16 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
67.162.124.176 US, United States 06/May/2021:17:49:16 /cybersecurity/how-rsa-works.html?infolinks=no
54.159.154.172 US, United States 06/May/2021:17:49:15 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
23.24.240.129 US, United States 06/May/2021:17:49:13 /open-source/raspberry-pi/sdr-ads-b-flight-tracking.html
74.119.118.50 US, United States 06/May/2021:17:49:09 /travel/usa/new-york-internet/
66.249.79.5 US, United States 06/May/2021:17:49:07 /open-source/dev-random.html
99.228.152.209 CA, Canada 06/May/2021:17:48:59 /cybersecurity/comptia/domain-2.html
51.222.180.139 FR, France 06/May/2021:17:48:57 /open-source/performance-tuning/tcp.html
99.228.152.209 CA, Canada 06/May/2021:17:48:56 /cybersecurity/comptia/domain-1.html
34.90.221.27 US, United States 06/May/2021:17:48:41 /cybersecurity/
34.90.221.27 US, United States 06/May/2021:17:48:41 /turkish/
34.90.221.27 US, United States 06/May/2021:17:48:41 /radio/
34.90.221.27 US, United States 06/May/2021:17:48:41 /open-source/
34.90.221.27 US, United States 06/May/2021:17:48:41 /networking/
34.90.221.27 US, United States 06/May/2021:17:48:41 /fun/
34.90.221.27 US, United States 06/May/2021:17:48:40 /russian/
34.90.221.27 US, United States 06/May/2021:17:48:40 /3d/
34.90.221.27 US, United States 06/May/2021:17:48:40 /travel/
34.90.221.27 US, United States 06/May/2021:17:48:40 /technical/
34.90.221.27 US, United States 06/May/2021:17:48:40 /
34.90.221.27 US, United States 06/May/2021:17:48:39 /
216.2.193.1 US, United States 06/May/2021:17:48:26 /travel/usa/new-york-internet/
73.172.55.214 US, United States 06/May/2021:17:48:09 /open-source/openbsd-qemu-windows-howto.html
88.99.195.232 DE, Germany 06/May/2021:17:47:53 /cybersecurity/crypto/cipher-strength.html?s=tb
147.92.153.11 JP, Japan 06/May/2021:17:47:43 /fun/foxnews.html
52.23.250.163 US, United States 06/May/2021:17:47:32 /technical/hdmi.html
67.162.124.176 US, United States 06/May/2021:17:47:32 /cybersecurity/how-rsa-works.html?infolinks=no
54.36.148.119 FR, France 06/May/2021:17:47:32 /travel/italy/cinque-terre/?s=tb
3.223.183.74 US, United States 06/May/2021:17:47:15 /technical/hdmi.html
208.59.112.18 US, United States 06/May/2021:17:47:13 /technical/hdmi.html
54.162.19.63 US, United States 06/May/2021:17:46:39 /
18.234.180.230 US, United States 06/May/2021:17:46:38 /travel/usa/new-york-phone-booths/
54.92.174.17 US, United States 06/May/2021:17:45:03 /travel/usa/new-york-phone-booths/
66.249.79.3 US, United States 06/May/2021:17:45:00 /travel/uk/ben-nevis/
45.225.214.27 AR, Argentina 06/May/2021:17:44:39 /technical/samsung-galaxy/linux.html
72.14.199.101 US, United States 06/May/2021:17:44:38 /cybersecurity/how-rsa-works.html?infolinks=no
67.162.124.176 US, United States 06/May/2021:17:44:17 /cybersecurity/how-rsa-works.html?infolinks=no
74.119.118.49 US, United States 06/May/2021:17:44:10 /travel/usa/new-york-phone-booths/
54.36.148.224 FR, France 06/May/2021:17:43:54 /travel/italy/trains/
87.101.35.114 PL, Poland 06/May/2021:17:43:50 /open-source/performance-tuning/ethernet.html
177.225.136.32 MX, Mexico 06/May/2021:17:43:41 /turkish/orthography.html
3.14.252.42 US, United States 06/May/2021:17:43:34 /open-source/performance-tuning/tcp.html
31.124.54.246 GB, United Kingdom 06/May/2021:17:43:23 /cybersecurity/pki-failures.html
84.47.62.35 SK, Slovakia 06/May/2021:17:43:18 /travel/turkey/temple-of-artemis/
114.119.149.118 CN, China 06/May/2021:17:43:11 /travel/china/hong-kong.html
97.81.220.167 US, United States 06/May/2021:17:43:02 /radio/tv-antenna.html
3.87.157.111 US, United States 06/May/2021:17:42:58 /cybersecurity/how-rsa-works.html
72.89.97.82 US, United States 06/May/2021:17:42:56 /travel/usa/new-york-phone-booths/
35.231.37.55 US, United States 06/May/2021:17:42:56 /open-source/
3.236.165.32 US, United States 06/May/2021:17:42:47 /travel/uk/dover/
72.14.199.98 US, United States 06/May/2021:17:42:42 /travel/uk/dover/
67.162.124.176 US, United States 06/May/2021:17:42:21 /cybersecurity/how-rsa-works.html?infolinks=no
82.64.38.24 FR, France 06/May/2021:17:41:53 /open-source/performance-tuning/file-systems.html
125.177.138.146 KR, Korea, Republic of 06/May/2021:17:41:49 /open-source/torrent-magnet-links.html
35.173.18.250 US, United States 06/May/2021:17:41:35 /travel/japan/kofun/empress-hibasuhime.html?s=tb
3.22.12.117 US, United States 06/May/2021:17:41:25 /cybersecurity/crypto/diffie-hellman.html?s=tb
35.231.37.55 US, United States 06/May/2021:17:41:17 /open-source/google-freebsd-tls/apache-http2-php.html
192.99.1.145 CA, Canada 06/May/2021:17:41:15 /travel/japan/kofun/empress-hibasuhime.html?s=tb
173.70.215.43 US, United States 06/May/2021:17:40:47 /networking/netstat-s.html
2.154.245.209 ES, Spain 06/May/2021:17:40:47 /travel/france/jim-morrison-paris.html
66.249.79.5 US, United States 06/May/2021:17:40:41 /open-source/samba-active-directory/samba.html
54.36.149.96 FR, France 06/May/2021:17:40:19 /travel/france/mont-saint-michel-saint-malo/pontorson.html
54.167.125.111 US, United States 06/May/2021:17:40:07 /cybersecurity/crypto/diffie-hellman.html
54.167.125.111 US, United States 06/May/2021:17:40:06 /cybersecurity/crypto/diffie-hellman.html?s=tb
40.77.167.89 US, United States 06/May/2021:17:40:00 /robots.txt
199.166.0.200 US, United States 06/May/2021:17:39:32 /travel/usa/new-york-mcgees/
207.107.155.100 CA, Canada 06/May/2021:17:39:27 /travel/usa/new-york-mcgees/
135.125.219.40 US, United States 06/May/2021:17:39:22 /travel/japan/kofun/empress-hibasuhime.html?s=tb
88.198.16.182 DE, Germany 06/May/2021:17:39:20 /travel/japan/kofun/empress-hibasuhime.html?s=tb
17.121.114.1 US, United States 06/May/2021:17:39:16 /travel/japan/kofun/empress-hibasuhime.html?s=tb
34.77.121.201 US, United States 06/May/2021:17:39:07 /travel/japan/kofun/empress-hibasuhime.html?s=tb
132.145.15.209 US, United States 06/May/2021:17:39:03 /cybersecurity/crypto/diffie-hellman.html
132.145.15.209 US, United States 06/May/2021:17:39:02 /cybersecurity/crypto/diffie-hellman.html?s=tb
51.161.115.226 FR, France 06/May/2021:17:39:02 /travel/japan/kofun/empress-hibasuhime.html?s=tb
54.39.50.78 CA, Canada 06/May/2021:17:39:02 /travel/japan/kofun/empress-hibasuhime.html?s=tb
66.249.79.5 US, United States 06/May/2021:17:39:01 /travel/france/budget-hotels/
199.59.150.183 US, United States 06/May/2021:17:39:01 /travel/japan/kofun/empress-hibasuhime.html?s=tb
94.177.248.146 GB, United Kingdom 06/May/2021:17:38:46 /travel/usa/washington-lee-mansion/?s=tb
116.202.35.95 IN, India 06/May/2021:17:38:06 /travel/france/avignon/avignon-papacy.html?s=tb
73.25.99.142 US, United States 06/May/2021:17:37:46 /open-source/raspberry-pi/openvas.html

Here's what's going on.

Each line above is a request from a client, extracted from Nginx's /var/www/logs/httpd-access.log file. The client IP address, timestamp, and requested path are selected with awk, and the client IP address is converted to a country, where possible, with geoiplookup.
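As a rough illustration of that extraction step, here is a minimal sketch. It assumes the server writes the common "combined" log format. The function names extract_fields and country_of are hypothetical, and the sample line is made up, using a documentation-only address. Because there is no cat -n line number in front, the field numbers are one lower than in the full script.

```shell
#!/bin/sh

# Hypothetical helper: read combined-format log lines on stdin and
# print "client-IP timestamp path" for each one.
extract_fields() {
	# Turn quotes into spaces and drop the square brackets, so that
	# awk sees the timestamp and the path as separate plain fields.
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $1, $4, $7}'
}

# Hypothetical helper: map an IP address to a country, falling back
# to "Unknown" when geoiplookup is missing or has no answer.
country_of() {
	if command -v geoiplookup >/dev/null 2>&1; then
		geoiplookup "$1" |
			sed -e 's/.*Edition: //' -e 's/IP Address not found/Unknown/'
	else
		echo "Unknown"
	fi
}

# A made-up sample line, not taken from the real log.
sample='203.0.113.9 - - [06/May/2021:17:56:06 +0000] "GET /networking/vlan.html HTTP/1.1" 200 5120'
printf '%s\n' "$sample" | extract_fields
# prints: 203.0.113.9 06/May/2021:17:56:06 /networking/vlan.html
```

The country lookup is kept separate so that the field extraction can be tried on a machine without the GeoIP database installed.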

The first three octets (the first 24 bits) of the IP address specify the hue, with chroma at 75% and intensity at 100%. The resulting red, green, and blue values are scaled to the range 0-255 and printed as two-digit hexadecimal values in an HTML-style color string.

Low-numbered /8 networks appear as red; 20.0.0.0/8 through 40.0.0.0/8 are orange shifting to yellow; 50.0.0.0/8 through 110.0.0.0/8 are shades of green; the /16 networks from 130.0.0.0/16 through about 180.0.0.0/16 are shades of blue; and the /24 networks from 192.0.0.0/24 up through 223.255.255.0/24 run from shades of purple into magenta.
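To check a single address against those ranges, the color calculation can be pulled out into a small function. This is only a sketch: the name ip_to_color is hypothetical, and it assumes the octets are weighted by powers of 256 so that the 24 bits map onto the hue range 0 to 6.

```shell
#!/bin/sh

# Hypothetical helper: print the HTML color string for one dotted-quad
# IPv4 address, using chroma 0.75 plus a 0.25 offset on each channel.
ip_to_color() {
	echo "$1" | awk -F. '{
		chroma = 0.75
		# Assumption: weight the octets by powers of 256.
		hue = 6 * ($1*65536 + $2*256 + $3) / 16777216
		# x rises and falls linearly within each pair of hue sextants.
		d = hue % 2 - 1
		if (d < 0) d = -d
		x = chroma * (1 - d)
		if      (hue < 1) { r = chroma; g = x;      b = 0 }
		else if (hue < 2) { r = x;      g = chroma; b = 0 }
		else if (hue < 3) { r = 0;      g = chroma; b = x }
		else if (hue < 4) { r = 0;      g = x;      b = chroma }
		else if (hue < 5) { r = x;      g = 0;      b = chroma }
		else              { r = chroma; g = 0;      b = x }
		# Lift every channel by 0.25, scale to 0-255, print as hex.
		printf("#%02x%02x%02x\n",
			int((r + 0.25) * 255),
			int((g + 0.25) * 255),
			int((b + 0.25) * 255))
	}'
}

ip_to_color 0.0.0.0      # prints #ff3f3f (red)
ip_to_color 64.0.0.0     # prints #9fff3f (yellow-green)
ip_to_color 128.0.0.0    # prints #3fffff (cyan)
```

Because of the 0.25 offset, no channel drops below hexadecimal 3f, which keeps the backgrounds light enough for black text.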

The HTML file on the server has a line where PHP uses passthru() to call the following shell script:

#!/bin/sh

# Initial pipeline:
# tail		Just the last 200 lines (slightly fewer remain after the grep)
# grep		... just the successful GET requests out of that
# cat | sort	... put into reverse order
# sed		... remove the quotes and square brackets
# awk		... print the IP address twice, timestamp, and requested path
# sed		... remove the first 3 dots to split first version of IP
#			address into octets, and remove any characters that
#			could cause trouble when inserted into this page
# I need to use the client IP address, field #5 at that point, to call
# geoiplookup.  So, send the initial pipeline into a while loop that
# assigns variables, sets a new variable, and then echoes the resulting
# collection into awk.
tail -n 200 /var/www/logs/access_log |
	grep '"GET [^"]*" 200 ' |
	cat -n | sort -nr |
	sed -e 's/"/ /g' -e 's/\[//g' -e 's/\]//g' |
	awk '{print $2, $2, $5, $8}' |
	sed -e 's/\./ /' -e 's/\./ /' -e 's/\./ /' -e 's/[<>]//g' |
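	while read -r IP1 IP2 IP3 IP4 CLIENTIP TIMESTAMP URL
	do
		COUNTRY=$( geoiplookup "$CLIENTIP" |
				sed 's/.*Edition: //' |
				sed 's/IP Address not found/Unknown/' )
		# Quote the log-derived fields so the shell cannot glob-expand
		# characters such as ? or * in the URL.
		echo "$IP1 $IP2 $IP3 $IP4 $CLIENTIP" $COUNTRY "$TIMESTAMP $URL" |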
		awk '{
			ip1 = $1;
			ip2 = $2;
			ip3 = $3;
			chroma = 0.75;
			# Weight the octets by powers of 256 so the 24 bits span hue 0 to 6.
			hue = 6*(ip1*256*256 + ip2*256 + ip3)/(256*256*256);
			if (hue%2 > 1) {
				x = chroma*(1.0 - (hue%2 - 1));
			} else {
				x = chroma*(1.0 - (1 - hue%2));
			}
			if (hue < 1.0) {
				r = chroma;
				g = x;
				b = 0;
			} else if (hue < 2.0) {
				r = x;
				g = chroma;
				b = 0;
			} else if (hue < 3.0) {
				r = 0;
				g = chroma;
				b = x;
			} else if (hue < 4.0) {
				r = 0;
				g = x;
				b = chroma;
			} else if (hue < 5.0) {
				r = x;
				g = 0;
				b = chroma;
			} else {
				r = chroma;
				g = 0;
				b = x;
			}
			r = (r + 0.25)*255;
			g = (g + 0.25)*255;
			b = (b + 0.25)*255;

			printf("<div class=\"col-12 textleft\" ");
			printf("style=\"color:#000; background:#%02x%02x%02x;\"> ", r, g, b);
			for (i = 5; i <= NF; i++) {
				printf("%s ", $i);
			}
			printf("</div>\n");
		}'
	done 
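
The script deletes < and > from each line before inserting it into the page. An alternative, sketched here as an assumption and not as what this page does, is to escape the HTML-significant characters so that the requested path is displayed exactly as the client sent it. The function name html_escape is hypothetical.

```shell
#!/bin/sh

# Hypothetical helper: escape the characters that are special in HTML.
# The ampersand must be handled first, or the entities produced by the
# later substitutions would themselves be escaped again.
html_escape() {
	sed -e 's/&/\&amp;/g' \
	    -e 's/</\&lt;/g' \
	    -e 's/>/\&gt;/g' \
	    -e 's/"/\&quot;/g'
}

printf '%s\n' '/a?b=<x>&c="d"' | html_escape
# prints: /a?b=&lt;x&gt;&amp;c=&quot;d&quot;
```

In a sed replacement a bare & stands for the matched text, which is why each entity is written with a backslash in front of its ampersand.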
