Skip to content

Lek-glitch/Log-analyzer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 

Repository files navigation

Failed Login / Brute-Force Log Analyzer

A Python tool that parses SSH-style authentication logs, counts failed login attempts per IP address, and flags IPs that show signs of brute-force attacks.

Why I Built This

SOC analysts and blue teams spend a lot of time sifting through log files to spot attack patterns. This project automates that process — turning raw, noisy log data into a clear, actionable report, which is exactly the kind of detection logic used in real SIEM tools like Splunk or the ELK stack.

Features

  • Parses standard SSH auth log format using regex
  • Counts failed attempts per IP address
  • Tracks how many unique usernames were tried per IP (a common brute-force indicator)
  • Flags IPs exceeding a configurable threshold as "SUSPICIOUS"
  • Optional CSV export for reporting

Technologies Used

  • Python 3
  • re (regex) for log parsing
  • collections.defaultdict for counting
  • csv (standard library) for export
  • argparse for CLI arguments

How to Run

git clone https://github.com/yourusername/log-analyzer.git
cd log-analyzer
python log_analyzer.py sample_auth.log

Change the sensitivity or export a CSV report:

python log_analyzer.py sample_auth.log --threshold 3 --output report.csv

A sample log file (sample_auth.log) is included so you can test it immediately without needing your own server logs.

Sample Output

=================================================================
 Failed Login Report
=================================================================
IP Address           Attempts   Unique Users Tried   Status
-----------------------------------------------------------------
192.168.1.50         6          5                    SUSPICIOUS
203.0.113.7          2          1                    ok
10.0.0.15            1          1                    ok
-----------------------------------------------------------------
 Total unique IPs seen : 3
 Suspicious IPs (>= 5 attempts): 1
 Flagged: 192.168.1.50
=================================================================

What I Learned

  • How to write regex patterns to reliably parse semi-structured log data
  • How brute-force attacks look at the log level (many attempts, many different usernames, from one IP)
  • How to design a configurable detection threshold instead of hardcoding rules
  • How real SOC/blue team tooling turns raw logs into decisions

Future Improvements

  • Support multiple log formats (Apache, Windows Event Logs, etc.)
  • Add time-window based detection (e.g. 10 attempts within 60 seconds)
  • Integrate with an IP reputation API (like AbuseIPDB) to check if flagged IPs are known bad actors
  • Add a simple visualization (bar chart of top offending IPs)

About

A security-focused log analysis tool built in Python to parse system and application logs, identify anomalies and detect potential indicators of compromise

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages