tucuxi.org

EventMapper

EventMapper is a set of scripts to analyse and present information about network events on your servers. From a supported log file format, it extracts events, geolocates their source addresses and produces a geographic heatmap indicating which regions the problematic traffic is coming from.

Why did you start this project?

I started this project after several friends conjectured that the majority of spam and malicious network traffic originates from a small number of countries stereotyped as havens of criminal activity, such as Russia and China. I wanted to check whether this is an accurate characterisation of where such traffic actually comes from, so I wrote a script to extract a heatmap of activity from my server logs.

After interest was expressed in repeating this analysis on others' networks, I decided to clean up and release the code.

Example Plot

The primary (and only, at present) output format for this tool is a KML heatmap that can be loaded into tools such as Google Earth to visualise the network data atop a map of the world. If you have Google Earth installed, you may view the example plot, taken straight from my servers' Exim log files.

Alternatively, if you do not have an application that supports KML installed, you can view the example plot superimposed on NASA's Blue Marble imagery, which uses the same map projection as EventMapper's output.
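As an added illustration of the pipeline described above (log file in, geolocated events, KML heatmap out), the following Python script walks through each stage on a handful of constructed Exim log lines. This is not EventMapper's own code, which is not reproduced on this page: the log excerpt is made up (RFC 5737 documentation addresses plus one private address), the GEO_TABLE dictionary is a stand-in for the MaxMind GeoLite City lookup with arbitrary coordinates, and the choice of which log lines count as events, the 5-degree grid cell, the colouring and all function names are mine.

```python
import math
import re
import sys
from collections import Counter
import xml.etree.ElementTree as ET

# Constructed Exim mainlog excerpt (not from the EventMapper distribution).
SAMPLE_LOG = """\
2024-03-02 10:15:01 H=(mail.example.net) [203.0.113.5] F=<bob@example.net> rejected RCPT <alice@example.com>: relay not permitted
2024-03-02 10:15:07 login authenticator failed for (user) [203.0.113.5]: 535 Incorrect authentication data (set_id=admin)
2024-03-02 10:16:22 H=(host) [198.51.100.7] F=<> rejected RCPT <nobody@example.com>: Unrouteable address
2024-03-02 10:17:03 1rgXyz-0001Ab-Cd <= sender@example.org H=mx.example.org [192.0.2.44] P=esmtps S=2310
2024-03-02 10:18:45 login authenticator failed for (x) [192.0.2.200]: 535 Incorrect authentication data (set_id=root)
2024-03-02 10:19:10 H=(unknown) [203.0.113.77] rejected connection in "connect" ACL: blacklisted
2024-03-02 10:20:00 login authenticator failed for (y) [10.0.0.9]: 535 Incorrect authentication data
"""

# Exim writes the peer address in square brackets. Treating only rejections and
# failed authentications as "events" is an assumption made for this example.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EVENT_MARKERS = ("rejected", "authenticator failed")

# Placeholder for the GeoLite City lookup: /24 prefix -> (lat, lon).
# Coordinates are arbitrary and chosen only for illustration.
GEO_TABLE = {
    "203.0.113.": (55.75, 37.62),
    "198.51.100.": (39.90, 116.40),
    "192.0.2.": (52.52, 13.40),
}
KML_NS = "http://www.opengis.net/kml/2.2"


def extract_events(lines):
    """Count qualifying events per source IP address."""
    counts = Counter()
    for line in lines:
        if not any(marker in line for marker in EVENT_MARKERS):
            continue
        m = IP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def geolocate(ip):
    """Return (lat, lon) for an address, or None when the table has no entry."""
    for prefix, coords in GEO_TABLE.items():
        if ip.startswith(prefix):
            return coords
    return None


def bin_events(ip_counts, cell_deg=5.0):
    """Aggregate per-IP counts into cell_deg x cell_deg grid cells keyed by
    south-west corner; math.floor keeps negative lat/lon in the right cell."""
    cells = Counter()
    unresolved = 0  # events whose address could not be geolocated
    for ip, n in ip_counts.items():
        loc = geolocate(ip)
        if loc is None:
            unresolved += n
            continue
        lat, lon = loc
        key = (math.floor(lat / cell_deg) * cell_deg,
               math.floor(lon / cell_deg) * cell_deg)
        cells[key] += n
    return cells, unresolved


def to_kml(cells, cell_deg=5.0):
    """One filled polygon per cell; fill opacity scales with the event count.
    KML colours are aabbggrr and coordinates are lon,lat,alt."""
    peak = max(cells.values(), default=1)
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             f'<kml xmlns="{KML_NS}"><Document>']
    for (lat, lon), n in sorted(cells.items()):
        alpha = 64 + int(191 * n / peak)      # 0x40 (faint) .. 0xff (peak)
        colour = f"{alpha:02x}0000ff"         # red, variable opacity
        ring = (f"{lon},{lat},0 {lon + cell_deg},{lat},0 "
                f"{lon + cell_deg},{lat + cell_deg},0 {lon},{lat + cell_deg},0 "
                f"{lon},{lat},0")
        parts.append(
            f"<Placemark><name>{n} events</name>"
            f"<Style><PolyStyle><color>{colour}</color></PolyStyle></Style>"
            f"<Polygon><outerBoundaryIs><LinearRing><coordinates>{ring}"
            f"</coordinates></LinearRing></outerBoundaryIs></Polygon></Placemark>")
    parts.append("</Document></kml>")
    return "\n".join(parts)


def placemark_count(kml):
    """Parse the KML back (proving it is well-formed) and count placemarks."""
    root = ET.fromstring(kml.encode("utf-8"))
    return sum(1 for _ in root.iter(f"{{{KML_NS}}}Placemark"))


def build_heatmap(lines, cell_deg=5.0):
    """Full pipeline: log lines -> per-IP counts -> grid cells -> KML text."""
    cells, unresolved = bin_events(extract_events(lines), cell_deg)
    return to_kml(cells, cell_deg), unresolved


if __name__ == "__main__":
    kml, skipped = build_heatmap(SAMPLE_LOG.splitlines())
    print(kml)
    print(f"{skipped} event(s) had no geolocation", file=sys.stderr)
```

Redirect stdout to a `.kml` file and open it in Google Earth or any other KML viewer. Two details matter when adapting this to real data: a GeoLite lookup will return no result for private, reserved or unallocated addresses, so count and report the unresolved events rather than silently dropping them, and only the peer address in brackets should be trusted as the source, since HELO names and envelope senders in the same log line are attacker-controlled.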

Get EventMapper

You can get the initial release of EventMapper here. The download is approximately 20 MB, most of which is the geolocation database; the scripts themselves are only a handful of kilobytes.

Supported Log File Formats

The initial release has been tested with two log file formats:

Contact Information

If you have any comments or queries, email me at eventmapper at this.domain.org.

License Information

The scripts are released under the BSD license, as set out in the COPYRIGHT file included in the release. Please note that the IP geolocation data is provided by MaxMind as part of their GeoLite City product, and different license terms apply to that portion of the release.