A log analysis tool for security monitoring that detects web attacks, SSH brute-force attempts, and other suspicious activity in syslog, Apache access logs, and custom log files.
- 🔍 Multi-format Support: Analyzes syslog, auth.log, Apache access logs
- 🚨 Threat Detection: SQL injection, XSS, command injection, path traversal
- 📊 Brute Force Detection: Identifies SSH brute force attempts
- 🔗 Event Correlation: Links related events across different logs
- 📈 Report Generation: JSON output with statistics and findings
- 🎯 IP Tracking: Extracts and tracks suspicious IP addresses
- ⚡ Real-time Analysis: Process logs as they're written
Installation

```bash
# Clone the repository
git clone https://github.com/joshuaguda281-stack/log-analyzer.git
cd log-analyzer

# No external dependencies required!
# Uses only Python standard library
```

Usage

```bash
# Analyze SSH authentication logs
python3 log_analyzer.py /var/log/auth.log

# Analyze Apache web server logs
python3 log_analyzer.py /var/log/apache2/access.log

# Analyze multiple logs
python3 log_analyzer.py /var/log/auth.log /var/log/apache2/access.log

# Analyze custom log file
python3 log_analyzer.py /path/to/custom.log
```
Example Output

```
[*] Analyzing syslog: /var/log/auth.log
[+] Found 1523 events
[+] Found 3 brute force alerts

[!] ALERT: SSH_BRUTE_FORCE
    Severity: HIGH
    Source IP: 45.33.22.11
    Details: SSH brute force detected from 45.33.22.11

[!] ALERT: SQL_INJECTION
    Severity: HIGH
    Details: SQL injection attempt: /page.php?id=1' OR '1'='1

========================================
LOG ANALYSIS REPORT
========================================
Total Events Analyzed: 2456
Alerts Generated: 12
Suspicious IPs Found: 4

ALERTS BY TYPE:
  SSH_BRUTE_FORCE: 3
  SQL_INJECTION: 5
  PATH_TRAVERSAL: 2
  PRIVILEGE_ESCALATION: 2

SUSPICIOUS IP ADDRESSES:
  45.33.22.11
  185.130.5.253
  94.102.61.78

[+] Full report saved to log_analysis_report_20240115_143000.json
```
Detection Patterns

| Pattern Type | Severity | Description |
|---|---|---|
| SQL Injection | HIGH | UNION SELECT, DROP TABLE, comment injection |
| XSS | MEDIUM | Script tags, event handlers, javascript: URIs |
| Command Injection | CRITICAL | Semicolon, pipe, subshell commands |
| Path Traversal | HIGH | ../ and ..\ patterns |
| SSH Brute Force | HIGH | Multiple failed passwords from same IP |
| Privilege Escalation | CRITICAL | sudo/su success to root |
| Port Scan | MEDIUM | Nmap, masscan detection |
| Persistence | HIGH | Cron job or service creation |
Report Format
The tool generates a JSON report containing:
```json
{
  "timestamp": "2024-01-15T14:30:00",
  "total_events": 2456,
  "alerts_generated": 12,
  "suspicious_ips": ["45.33.22.11", "185.130.5.253"],
  "alerts_by_type": {
    "SSH_BRUTE_FORCE": 3,
    "SQL_INJECTION": 5
  },
  "severity_breakdown": {
    "HIGH": 8,
    "CRITICAL": 4
  },
  "alerts": [...]
}
```
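As an added example (this is not the project's own code, whose internals the README does not show), the script below sketches how two of the checks from the Detection Patterns table, SSH brute force over auth.log and SQL injection / path traversal over an Apache access log, can be implemented and folded into a report dict with the same shape as the JSON above. The regular expressions, the failure threshold, and the sample log lines are all constructed here and are assumptions, not the tool's actual rules. One detail worth noting: the request path is percent-decoded before matching, because payloads such as `%27%20OR%20` would otherwise slip past a plain-text signature.

```python
"""Added example, not the project's own code: a minimal auth.log brute-force check
and Apache access-log signature check, assembled into a report dict shaped like
the README's JSON. Regexes, threshold and sample lines are all assumptions."""
import json
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample input (not real logs): three failed SSH logins from one
# source, one from another, and three web requests, two of them hostile and
# percent-encoded the way an attacker's tooling would send them.
AUTH_LOG = """\
Jan 15 14:20:01 host sshd[1001]: Failed password for root from 45.33.22.11 port 50211 ssh2
Jan 15 14:20:03 host sshd[1002]: Failed password for invalid user admin from 45.33.22.11 port 50212 ssh2
Jan 15 14:20:05 host sshd[1003]: Failed password for root from 45.33.22.11 port 50213 ssh2
Jan 15 14:21:00 host sshd[1004]: Failed password for alice from 10.0.0.5 port 40000 ssh2
Jan 15 14:22:00 host sshd[1005]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
"""
ACCESS_LOG = """\
185.130.5.253 - - [15/Jan/2024:14:25:00 +0000] "GET /page.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [15/Jan/2024:14:25:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
94.102.61.78 - - [15/Jan/2024:14:25:09 +0000] "GET /static/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

# sshd failure line: optional "invalid user" prefix, then the user and source IP.
FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)
# Apache combined log format: ip ident user [time] "method path proto" status bytes ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Illustrative signatures keyed by the alert types the README reports (assumed, not the tool's rules).
WEB_PATTERNS = {
    "SQL_INJECTION": ("HIGH", re.compile(r"(?i)(union\s+select|drop\s+table|'\s*or\s*'|--\s|/\*)")),
    "XSS": ("MEDIUM", re.compile(r"(?i)(<script|\bon\w+\s*=|javascript:)")),
    "COMMAND_INJECTION": ("CRITICAL", re.compile(r"(;|\|\||\$\(|`)\s*(cat|ls|id|whoami|wget|curl|nc|bash|sh)\b")),
    "PATH_TRAVERSAL": ("HIGH", re.compile(r"\.\./|\.\.\\")),
}


def detect_ssh_brute_force(lines, threshold=3):
    """Count 'Failed password' events per source IP; alert once a source reaches the threshold."""
    failures = Counter()
    for line in lines:
        m = FAILED_SSH.search(line)
        if m:
            failures[m.group(2)] += 1
    return [
        {"type": "SSH_BRUTE_FORCE", "severity": "HIGH", "source_ip": ip,
         "details": f"SSH brute force detected from {ip} ({n} failed passwords)"}
        for ip, n in failures.items() if n >= threshold
    ]


def detect_web_attacks(lines):
    """Percent-decode each request path before matching, so encoded payloads are not missed."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format; a real tool would count these as parse failures
        ip, _ts, _method, raw_path, _status, _size = m.groups()
        path = unquote_plus(raw_path)
        for alert_type, (severity, pattern) in WEB_PATTERNS.items():
            if pattern.search(path):
                alerts.append({"type": alert_type, "severity": severity, "source_ip": ip,
                               "details": f"{alert_type} attempt: {path}"})
    return alerts


def build_report(alerts, total_events):
    """Summarise alerts in the same shape as the README's JSON report."""
    return {
        "timestamp": datetime.now().replace(microsecond=0).isoformat(),
        "total_events": total_events,
        "alerts_generated": len(alerts),
        "suspicious_ips": sorted({a["source_ip"] for a in alerts}),
        "alerts_by_type": dict(Counter(a["type"] for a in alerts)),
        "severity_breakdown": dict(Counter(a["severity"] for a in alerts)),
        "alerts": alerts,
    }


def analyze(auth_text=AUTH_LOG, access_text=ACCESS_LOG, threshold=3):
    """Run both detectors over the two constructed logs and return the report dict."""
    auth_lines, access_lines = auth_text.splitlines(), access_text.splitlines()
    alerts = detect_ssh_brute_force(auth_lines, threshold) + detect_web_attacks(access_lines)
    return build_report(alerts, len(auth_lines) + len(access_lines))


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Running the script prints a report with three alerts (one SSH_BRUTE_FORCE, one SQL_INJECTION, one PATH_TRAVERSAL) and three suspicious IPs. Two caveats apply to any real deployment of this approach: the brute-force count here runs over the whole file, whereas a production rule should count failures within a time window so a handful of typos spread over a week does not fire; and signature lists like WEB_PATTERNS are illustrative, so expect to tune them against your own traffic and to miss payloads that use encodings or obfuscation the decoder does not undo.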
Use Cases
- SOC Analyst: Daily log review and threat hunting
- Incident Response: Investigate security incidents
- Compliance: Generate audit reports
- Security Monitoring: Real-time alerting on attacks
Configuration
No configuration file needed! The tool works out of the box with sensible defaults.
Requirements
- Python 3.6 or higher
- No external dependencies (uses only standard library)
Author
Joshua Guda
GitHub: @joshuaguda281-stack
LinkedIn: Joshua Guda
License
MIT License - See LICENSE file for details.
Contributing
Contributions welcome! Please open an issue or submit a pull request.
Support
If you find this tool useful, please ⭐ star the repository!