
tanay0505/LogSentinel


🛡️ Cyber Security Log Analyzer

A Python-based, Security Operations Center (SOC)-inspired log analysis tool that detects suspicious activity in Linux SSH authentication logs.

The analyzer parses Linux authentication logs, correlates events, identifies attack patterns, calculates risk scores, and generates security reports to assist in incident investigation and threat detection.


🚀 Features

🔍 Log Analysis

  • Parse Linux SSH authentication logs
  • Extract usernames, source IPs, and timestamps
  • Process failed and successful login events
  • Correlate events using timestamps

⚠️ Threat Detection

SSH Brute Force Detection

Detects multiple failed login attempts from the same IP address.

Rapid Brute Force Detection

Detects 3 or more failed login attempts occurring within 10 seconds.

Password Spraying Detection

Detects multiple usernames targeted from the same IP within a 30-second window.

Account Compromise Detection

Detects successful logins occurring shortly after multiple failed login attempts.

Blacklisted IP Detection

Detects connections originating from known malicious IP addresses listed in a blacklist.
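The three time-window rules above (rapid brute force, password spraying, account compromise) worked through on constructed sshd lines. This is an added illustration, not the project's parser.py or detector.py: the 3-in-10-seconds and 30-second thresholds come from the README, while the spray user count (3), the compromise window (60 seconds) and the log year (syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not taken from the project's logs/ directory).
SAMPLE_LOG = """\
Jun  5 01:47:01 host sshd[1001]: Failed password for root from 192.168.1.5 port 4001 ssh2
Jun  5 01:47:03 host sshd[1002]: Failed password for root from 192.168.1.5 port 4002 ssh2
Jun  5 01:47:05 host sshd[1003]: Failed password for root from 192.168.1.5 port 4003 ssh2
Jun  5 01:47:20 host sshd[1004]: Accepted password for root from 192.168.1.5 port 4004 ssh2
Jun  5 01:48:00 host sshd[1005]: Failed password for invalid user admin from 45.67.89.10 port 5001 ssh2
Jun  5 01:48:10 host sshd[1006]: Failed password for invalid user oracle from 45.67.89.10 port 5002 ssh2
Jun  5 01:48:20 host sshd[1007]: Failed password for invalid user backup from 45.67.89.10 port 5003 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")

def parse(text, year=2026):
    """Extract (timestamp, result, user, ip) per line; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)

def detect(events, rapid_n=3, rapid_win=10, spray_users=3, spray_win=30, comp_fails=3, comp_win=60):
    """Apply the three timing rules (assumes rapid_win <= spray_win); returns what each one flags."""
    fails = defaultdict(list)  # ip -> [(timestamp, username)] of failed logins, in time order
    for ts, result, user, ip in events:
        if result == "Failed":
            fails[ip].append((ts, user))
    rapid, spray, compromise = set(), set(), set()
    for ip, f in fails.items():
        for i, (start, _) in enumerate(f):  # open a sliding window at every failure
            window = [(t, u) for t, u in f[i:] if (t - start).total_seconds() <= spray_win]
            if sum(1 for t, _ in window if (t - start).total_seconds() <= rapid_win) >= rapid_n:
                rapid.add(ip)
            if len({u for _, u in window}) >= spray_users:
                spray.add(ip)
    for ts, result, user, ip in events:
        if result == "Accepted":  # success shortly after a burst of failures from the same IP
            recent = [t for t, _ in fails[ip] if 0 <= (ts - t).total_seconds() <= comp_win]
            if len(recent) >= comp_fails:
                compromise.add((ip, user))
    return {"rapid_brute_force": rapid, "password_spray": spray, "account_compromise": compromise}
```

Running `detect(parse(SAMPLE_LOG))` flags 192.168.1.5 for rapid brute force and for the root login that follows its failures, and 45.67.89.10 for spraying three usernames inside 20 seconds.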


📊 Risk Assessment

The analyzer generates a dynamic risk score based on detected threats.

Threat Levels:

  • LOW
  • MEDIUM
  • HIGH
  • CRITICAL

📄 Reporting

JSON Report Generation

Generates:

reports/auth_20260605_014725.json
reports/compromise_20260605_015148.json
reports/password_spray_20260605_015201.json
reports/brute_force_20260605_015137.json
reports/normal_20260605_015157.json

Attack Summary

Provides a summary including:

  • Brute Force Attacks
  • Rapid Brute Force Attempts
  • Password Spraying Incidents
  • Compromised Accounts
  • Blacklisted IPs
  • Highest Risk IP

🎨 User Experience

  • Colorized terminal output using Colorama
  • Command-line interface (CLI)
  • Structured SOC-style reporting

🏗️ Project Structure

log-analyzer/
├── analyzer.py          # Entry point — orchestrates the pipeline
├── parser.py            # Log parsing and data extraction
├── detector.py          # Threat detection and risk scoring
├── reporter.py          # Terminal output and report generation
├── blacklist.txt        # Known malicious IPs
├── test_analyzer.py     # Unit tests (29 tests)
├── .gitignore
│
├── logs/
│   ├── auth.log
│   ├── normal.log
│   ├── brute_force.log
│   ├── password_spray.log
│   └── compromise.log
│
├── reports/
│   ├── auth_20260605_014725.json
│   ├── brute_force_20260605_015137.json
│   ├── compromise_20260605_015148.json
│   ├── normal_20260605_015157.json
│   └── password_spray_20260605_015201.json
│
├── requirements.txt
└── README.md

📦 Installation

git clone https://github.com/<your-username>/log-analyzer.git

cd log-analyzer

pip install -r requirements.txt

▶️ Usage

Analyze a log file:

python analyzer.py logs/auth.log

Test individual attack scenarios:

python analyzer.py logs/normal.log

python analyzer.py logs/brute_force.log

python analyzer.py logs/password_spray.log

python analyzer.py logs/compromise.log

🧪 Testing

The project includes 29 unit tests covering all detection rules, parsing logic, and risk scoring.

Run the full test suite:

python -m pytest test_analyzer.py -v

Expected output:

29 passed in 0.04s

Test Coverage

Module       Tests
parser.py    Blacklist loading, timestamp parsing, log parsing
detector.py  Brute force, rapid brute force, password spraying, account compromise, blacklisted IPs, threat level calculation

🚨 Example Detections

[HIGH] SSH Brute Force Detected -> 192.168.1.5
[HIGH] Password Spraying Detected -> 45.67.89.10
[CRITICAL] Rapid Brute Force Attack -> 192.168.1.5
[CRITICAL] Possible Account Compromise -> 192.168.1.5
[CRITICAL] Blacklisted IP Detected -> 45.67.89.10

📈 Example Attack Summary

=== ATTACK SUMMARY ===
Brute Force Attacks      : 2
Rapid Brute Force        : 2
Password Spraying        : 1
Compromised Accounts     : 1
Blacklisted IPs          : 1
Highest Risk IP          : 45.67.89.10

🛠️ Technologies Used

  • Python
  • Regular Expressions (Regex)
  • CSV
  • JSON
  • Colorama
  • Datetime
  • Unittest
  • Pytest

🎯 Skills Demonstrated

  • Log Analysis
  • Threat Detection Engineering
  • Event Correlation
  • Incident Investigation
  • Security Monitoring
  • Linux Security
  • Python Development
  • SOC Fundamentals
  • Risk Assessment
  • Modular Software Design
  • Unit Testing

📚 Learning Outcomes

This project helped strengthen understanding of:

  • Security Operations Centers (SOC)
  • Defensive Security
  • Incident Response
  • Authentication Security
  • Log Correlation
  • Threat Detection Logic
  • Security Automation
  • Writing Testable, Modular Code

🚀 Future Improvements

  • Flask Dashboard
  • Real-Time Log Monitoring
  • Email Alerting
  • Apache/Nginx Log Support
  • Threat Intelligence Integration
  • GeoIP Enrichment
  • Multi-Source Log Correlation
  • Rule-Based Detection Engine

About

A Python-based SOC log analyzer that detects SSH brute force, password spraying, account compromise, and blacklisted IPs from Linux authentication logs with dynamic risk scoring and JSON reporting.
