A Python tool that parses SSH-style authentication logs, counts failed login attempts per IP address, and flags IPs that show signs of brute-force attacks.
SOC analysts and blue teams spend a lot of time sifting through log files to spot attack patterns. This project automates that process — turning raw, noisy log data into a clear, actionable report, which is exactly the kind of detection logic used in real SIEM tools like Splunk or the ELK stack.
- Parses standard SSH auth log format using regex
- Counts failed attempts per IP address
- Tracks how many unique usernames were tried per IP (a common brute-force indicator)
- Flags IPs exceeding a configurable threshold as "SUSPICIOUS"
- Optional CSV export for reporting
- Python 3
re(regex) for log parsingcollections.defaultdictfor countingcsv(standard library) for exportargparsefor CLI arguments
git clone https://github.com/yourusername/log-analyzer.git
cd log-analyzer
python log_analyzer.py sample_auth.logChange the sensitivity or export a CSV report:
python log_analyzer.py sample_auth.log --threshold 3 --output report.csvA sample log file (sample_auth.log) is included so you can test it immediately without needing your own server logs.
=================================================================
Failed Login Report
=================================================================
IP Address Attempts Unique Users Tried Status
-----------------------------------------------------------------
192.168.1.50 6 5 SUSPICIOUS
203.0.113.7 2 1 ok
10.0.0.15 1 1 ok
-----------------------------------------------------------------
Total unique IPs seen : 3
Suspicious IPs (>= 5 attempts): 1
Flagged: 192.168.1.50
=================================================================
- How to write regex patterns to reliably parse semi-structured log data
- How brute-force attacks look at the log level (many attempts, many different usernames, from one IP)
- How to design a configurable detection threshold instead of hardcoding rules
- How real SOC/blue team tooling turns raw logs into decisions
- Support multiple log formats (Apache, Windows Event Logs, etc.)
- Add time-window based detection (e.g. 10 attempts within 60 seconds)
- Integrate with an IP reputation API (like AbuseIPDB) to check if flagged IPs are known bad actors
- Add a simple visualization (bar chart of top offending IPs)