Group Members:
- Myroslav Sliusarchuk - c00307847
- Nikita Volovei - c00306890
- Nazariy Buryak - c00305614
A Python tool that analyzes security logs to detect:
- Brute-force attacks (multiple failed login attempts)
- SQLmap scans (SQL injection testing tools)
- Attack patterns by IP address, time, and frequency
The tool reads log files line-by-line, identifies security threats, and generates reports with statistics and charts.
- Python 3.6+
- matplotlib library
Install dependencies:
pip install matplotlib
1. Run the tool:
python log_analyzer.py
2. Choose from the menu:
- View summary statistics
- See failed login attempts
- Check brute-force attack details
- Generate visual charts
- Export reports
3. Exit to save:
All results are automatically saved to log_summary.txt and top_attackers_chart.png.
Reads your log file line-by-line and extracts:
- Timestamps
- IP addresses
- Event types (failed/successful logins)
- SQLmap signatures in User-Agent strings
Uses a sliding window algorithm:
- Groups failed logins by IP address
- Checks if an IP has multiple failures within a time window
- Example: 5+ failed attempts in 10 minutes = brute-force attack
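The sliding-window check described above, written out as an added example (this is not the project's own log_analyzer.py code). It takes already-parsed failed-login events as (timestamp, ip) pairs, sorts each IP's timestamps, and slides a window of `timeframe_minutes` over them; an IP is flagged the moment `threshold` failures fall inside one window. The sample events and the function name `detect_brute_force` are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of parsed failed-login events (timestamp, source IP).
# 192.168.1.100 fails five times in four minutes, then once more later;
# 10.0.0.7 fails five times but spread 20 minutes apart.
FAILED_LOGINS = [
    (datetime(2025, 1, 15, 10, 0, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 10, 1, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 10, 2, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 10, 3, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 10, 4, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 10, 30, 0), "192.168.1.100"),
    (datetime(2025, 1, 15, 9, 0, 0), "10.0.0.7"),
    (datetime(2025, 1, 15, 9, 20, 0), "10.0.0.7"),
    (datetime(2025, 1, 15, 9, 40, 0), "10.0.0.7"),
    (datetime(2025, 1, 15, 10, 0, 0), "10.0.0.7"),
    (datetime(2025, 1, 15, 10, 20, 0), "10.0.0.7"),
]


def detect_brute_force(events, threshold=5, timeframe_minutes=10):
    """Return {ip: (first_seen, last_seen, total_failures)} for every IP
    that produced at least `threshold` failures inside any window of
    `timeframe_minutes` minutes."""
    window = timedelta(minutes=timeframe_minutes)

    # Step 1: group failed logins by IP address.
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)

    incidents = {}
    for ip, stamps in by_ip.items():
        stamps.sort()  # log order is not guaranteed, so sort before sliding
        recent = deque()  # timestamps inside the current window
        for ts in stamps:
            recent.append(ts)
            # Step 2: drop events older than the window relative to the newest one.
            while ts - recent[0] > window:
                recent.popleft()
            # Step 3: enough failures inside one window means brute force.
            if len(recent) >= threshold:
                incidents[ip] = (stamps[0], stamps[-1], len(stamps))
                break  # one hit is enough to flag this IP
    return incidents


if __name__ == "__main__":
    for ip, (first, last, total) in detect_brute_force(FAILED_LOGINS).items():
        print(f"{ip}: {total} failures, {first} -> {last}")
```

With the defaults (5 failures in 10 minutes) only 192.168.1.100 is flagged; the spread-out attempts from 10.0.0.7 only show up when the window is widened, which is exactly what the `--threshold` and `--timeframe` options trade off: a wider window or lower threshold catches slow attackers but also produces more false positives from users who mistype passwords.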
Creates detailed reports showing:
- Total failed attempts per IP
- When attacks started and ended
- Hourly and daily activity patterns
- Top attacking IPs with visual charts
python log_analyzer.py
Menu Options:
- Summary statistics
- Failed logins by IP
- Brute-force attack details
- Detailed statistical breakdown
- Generate charts
- SQLmap scanning details
- Exit (saves reports)
Analyze a specific log file:
python log_analyzer.py --logfile /var/log/auth.log
Adjust detection sensitivity:
python log_analyzer.py --threshold 10 --timeframe 5
- --threshold: Minimum failed attempts to flag as attack (default: 5)
- --timeframe: Time window in minutes (default: 10)
Run without menu (automated):
python log_analyzer.py --no-menu
Silent mode (no popups, for automation):
python log_analyzer.py --no-menu --silent --quiet
| Option | Description | Default |
|---|---|---|
| --logfile, -f | Log file to analyze | CA1_project.log |
| --threshold, -t | Failed attempts to trigger alert | 5 |
| --timeframe, -m | Time window in minutes | 10 |
| --no-menu | Skip interactive menu | Off |
| --silent | Don't show chart windows | Off |
| --quiet, -q | No console output | Off |
| --save-summary, -s | Save report to file | log_summary.txt |
| --include-timestamp | Add timestamp to report | Off |
settings.json (auto-created):
{
"show_continue_prompt": true
}
- true: Pause after each menu action (review output before continuing)
- false: No pauses (faster navigation)
log_summary.txt Complete analysis report containing:
- Summary statistics
- Failed login rankings
- Brute-force incident details
- Hourly/daily patterns
- SQLmap detections
top_attackers_chart.png Visual bar chart showing:
- Top attacking IP addresses
- Number of failed attempts per IP
- Red threshold line
- Annotations for worst offenders
Quick analysis:
python log_analyzer.py -f auth.log -t 8 -m 15
Generate timestamped report:
python log_analyzer.py --no-menu --save-summary report.txt --include-timestamp
Automated daily scan:
python log_analyzer.py --no-menu --silent --quiet -s /reports/scan_$(date +%Y%m%d).txt
Error: File not found
python log_analyzer.py --logfile /path/to/your/log.log
Error: No module named 'matplotlib'
pip install matplotlib
No attacks detected? Lower the threshold for testing:
python log_analyzer.py --threshold 1
Chart doesn't show?
Check for top_attackers_chart.png in the same directory. Use --silent to skip popups.
Authentication logs:
Jan 15 10:23:45 server sshd[1234]: Failed password for user from 192.168.1.100
Jan 15 10:24:10 server sshd[1235]: Accepted password for user from 192.168.1.50
Web logs (for SQLmap detection):
192.168.1.100 - - [15/Jan/2025:10:23:45] "GET /test.php" 200 "sqlmap/1.6#stable"
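A line parser for the two formats shown above, added here as an example and not taken from the project's log_analyzer.py. It extracts the timestamp, IP address and event type from sshd auth lines, and the IP, timestamp and User-Agent from web log lines, flagging a request as a SQLmap scan when "sqlmap" appears in the agent string. Syslog timestamps carry no year, so the parser takes an `assumed_year` argument (an assumption of this example); the sample lines, the regexes and the names `parse_line` and `summarize` are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the two formats above, plus one line that matches neither.
SAMPLE_LINES = [
    "Jan 15 10:23:45 server sshd[1234]: Failed password for user from 192.168.1.100",
    "Jan 15 10:24:10 server sshd[1235]: Accepted password for user from 192.168.1.50",
    '192.168.1.100 - - [15/Jan/2025:10:23:45] "GET /test.php" 200 "sqlmap/1.6#stable"',
    '192.168.1.50 - - [15/Jan/2025:10:25:00] "GET /index.html" 200 "Mozilla/5.0"',
    "this line matches nothing",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# sshd auth log: "<Mon DD HH:MM:SS> <host> sshd[pid]: Failed|Accepted password for <user> from <ip>"
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for .*? from (?P<ip>" + IPV4 + r")"
)

# web log: '<ip> - - [<timestamp>] "<request>" <status> "<user-agent>"'
WEB_RE = re.compile(
    r"^(?P<ip>" + IPV4 + r") \S+ \S+ \[(?P<ts>[^\]]+)\] "
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<agent>[^"]*)"'
)


def parse_line(line, assumed_year=2025):
    """Return a dict describing the event on this line, or None if unrecognised."""
    m = AUTH_RE.match(line)
    if m:
        # syslog has no year field, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{assumed_year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        event = "failed_login" if m.group("result") == "Failed" else "successful_login"
        return {"source": "auth", "timestamp": ts, "ip": m.group("ip"), "event": event}

    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
        agent = m.group("agent")
        # SQLmap identifies itself in the User-Agent unless the operator overrides it.
        event = "sqlmap_scan" if "sqlmap" in agent.lower() else "web_request"
        return {"source": "web", "timestamp": ts, "ip": m.group("ip"),
                "event": event, "user_agent": agent}
    return None


def summarize(lines):
    """Count events by type and failed logins by IP, the inputs the report needs."""
    counts = {"failed_login": 0, "successful_login": 0,
              "sqlmap_scan": 0, "web_request": 0, "unparsed": 0}
    failed_by_ip = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            counts["unparsed"] += 1  # keep a count so silently skipped lines are visible
            continue
        counts[ev["event"]] += 1
        if ev["event"] == "failed_login":
            failed_by_ip[ev["ip"]] = failed_by_ip.get(ev["ip"], 0) + 1
    return counts, failed_by_ip


if __name__ == "__main__":
    counts, failed_by_ip = summarize(SAMPLE_LINES)
    print(counts)
    print(failed_by_ip)
```

Counting unparsed lines matters in practice: a log with a slightly different format (a different sshd message wording, an extra referer field in the web log) would otherwise produce a clean-looking report that silently missed every event.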