Another timeline from Apache logs

Knock-off of the previous timeline post. I wrote a Perl script to parse the SOTM 34 log files and create an XML file for the timeline.

Clutter and Usefulness

I am not sure how useful this is. Especially if you have a lot of IPs. I think you need to implement smart aggregation methods, such that the same IP is only shown every n minutes or hours and not every time. (Maybe you already did). And then, you will also have to use aggregation with regards to subnets, I believe. Otherwise, again, the graph will be very cluttered. However, great example of how to use some of the libraries out there! Thx for submitting
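The time-window and subnet aggregation suggested in the comment above, as an added example (not the poster's Perl script or any code from this thread): it parses Apache common-format lines, shows each source IP at most once per n-minute window (optionally collapsed to its /24), and emits SIMILE-style timeline XML. The element names, the constructed log lines, and the 60-minute default are assumptions.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta
from ipaddress import ip_network
import xml.etree.ElementTree as ET

# Apache common/combined log line: client IP, then the bracketed timestamp,
# the quoted request and the status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, datetime, request, status), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), req, int(status)

def aggregate(lines, window_minutes=60, subnet_prefix=None):
    """Collapse hits into one event per (source, time window).

    source is the client IP, or its subnet when subnet_prefix (e.g. 24) is given.
    Returns an ordered list of dicts: source, start, end, hits, statuses.
    """
    win = timedelta(minutes=window_minutes)
    events = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed lines instead of aborting
            continue
        ip, when, _req, status = rec
        src = str(ip_network(f"{ip}/{subnet_prefix}", strict=False)) if subnet_prefix else ip
        # Floor the timestamp to the window boundary so repeats land in one bucket.
        bucket = when - timedelta(seconds=when.timestamp() % win.total_seconds())
        ev = events.setdefault((src, bucket), {"source": src, "start": bucket,
                                               "end": bucket + win, "hits": 0, "statuses": set()})
        ev["hits"] += 1
        ev["statuses"].add(status)
    return list(events.values())

def to_timeline_xml(events):
    """Serialise events as <data><event start end title>text</event></data> (assumed layout)."""
    root = ET.Element("data")
    for ev in events:
        node = ET.SubElement(root, "event", start=ev["start"].isoformat(),
                             end=ev["end"].isoformat(), title=f"{ev['source']} ({ev['hits']} hits)")
        node.text = "HTTP status codes: " + ", ".join(map(str, sorted(ev["statuses"])))
    return ET.tostring(root, encoding="unicode")

# Constructed sample lines (not taken from the SOTM 34 data set).
SAMPLE = [
    '10.0.0.5 - - [12/Mar/2005:03:15:02 +0000] "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 - - [12/Mar/2005:03:40:11 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404',
    '10.0.0.9 - - [12/Mar/2005:03:41:00 +0000] "GET /robots.txt HTTP/1.0" 200',
    '10.0.0.5 - - [12/Mar/2005:04:02:30 +0000] "GET /index.html HTTP/1.0" 200',
    'not an apache log line',
]
```

Running `to_timeline_xml(aggregate(SAMPLE, 60))` yields three events instead of four raw hits, and `subnet_prefix=24` reduces the same input to two.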

I agree...I just put it

I agree...I just put it together right before bed without massaging the data. I added in a filter function on the xml creator script so it can filter specific IPs, time periods, and/or any of the data taken from the GeoIP db. I see it more for presentation than analysis at this point, but I'm gonna see what I can do with it for analysis when I get time.


If you script it... please share...


I like the bottom band with the overview of the activities. But as Raffy said, the upper band is quite cluttered. However, if you clean it up like I did with my posted image, it will be cool and meaningful. However, I manually aggregated the single events into one.

If you put together a useful script for the features Raffy has described, I suggest you share it. I think there is great value for timelines in several areas. I had very positive feedback from IT forensic students at university.


Will do...

Will do. I'll work on it and post it in the near future for all to use or hack at.