siva404e/security-log-analyzer
GitHub: siva404e/security-log-analyzer
Stars: 0 | Forks: 0
# SecureLog — Security Log Analyzer & Threat Dashboard
🔍 **A Flask-based threat intelligence dashboard that parses SSH authentication logs to detect brute force attacks, suspicious IPs, credential breach indicators, and targeted usernames — visualized through an interactive dark-themed web interface.**
## Dashboard Preview
```text
Log File: auth.log (2,847 entries)
┌──────────────────────────────────────────────────────────────┐
│ 🚨 CRITICAL THREAT DETECTED                                  │
│ 14 brute force IPs detected — 1,243 failed login attempts    │
├────────────────┬──────────────┬──────────────┬───────────────┤
│ Total Records  │ Failed Logins│ Brute Force  │ Unique IPs    │
│ 2,847          │ 1,243        │ 14           │ 67            │
├────────────────┴──────────────┴──────────────┴───────────────┤
│ Top Attacker: 45.33.32.156 — 847 attempts [CRITICAL]         │
│ ⚠️ BREACH DETECTED: 192.168.100.55 failed then succeeded     │
└──────────────────────────────────────────────────────────────┘
```
## Features
- **SSH Brute Force Detection** — flags IPs exceeding the configurable failed-login threshold
- **Breach Detection** — alerts when a previously-failed IP later achieves a successful login (T1078)
- **Suspicious IP Analysis** — identifies high-frequency IPs and known suspicious IP ranges
- **Targeted Username Tracking** — surfaces most-attacked accounts (root, admin, ubuntu)
- **Interactive Charts** — top 10 attacking IPs (bar) and most targeted usernames (doughnut) via Chart.js
- **Threat Severity Scoring** — CRITICAL / HIGH / MEDIUM / LOW per attacker IP based on attempt count
- **Security Recommendations** — rule-based remediation steps generated from the detected threat patterns
- **Multi-Format Log Support** — parses `.log`, `.txt`, and `.csv` files
- **CSV Export** — exports brute force findings for incident documentation and ticketing
- **Automatic File Cleanup** — uploaded logs deleted from server after analysis
## MITRE ATT&CK Coverage
| Detection | MITRE ID | Technique | Tactic |
|------------------------------------|------------|---------------------------------|---------------------|
| SSH brute force detection | T1110.001 | Brute Force: Password Guessing | Credential Access |
| Failed → successful login (breach) | T1078 | Valid Accounts | Initial Access |
| High-frequency IP analysis | T1110 | Brute Force | Credential Access |
| Suspicious IP range flagging | T1133 | External Remote Services | Initial Access |
| Targeted username tracking | T1110.003 | Brute Force: Password Spraying | Credential Access |
## Tech Stack
| Component | Technology |
|-----------------|-------------------------------------|
| Backend | Python 3.x, Flask |
| Log Parsing | Python `re`, `csv`, `collections` |
| Charts | Chart.js 4.4 |
| Frontend | Vanilla JS, CSS3 (dark theme) |
| File Handling | Werkzeug `secure_filename` |
## Setup & Installation
### 1. Clone the repository
```bash
git clone https://github.com/siva404e/security-log-analyzer.git
cd security-log-analyzer
```
### 2. Install dependencies
```bash
pip install -r requirements.txt
```
### 3. Run the dashboard
```bash
python log_dashboard.py
```
Open your browser at **http://127.0.0.1:5001**
## Usage
1. **Upload Log File** — click "📁 Browse Files" and select a `.log`, `.txt`, or `.csv` file
2. **Analyze** — click "🔬 ANALYZE LOG FILE"
3. **Review Results:**
- Alert banner (CRITICAL / WARNING / SAFE status)
- Stat cards — total records, failed logins, brute force IPs, unique IPs
- Charts — top attacking IPs and targeted usernames
- Brute force table with threat severity per IP
- Suspicious IP table with reason tagging
- Security recommendations
### Try it with the sample log
A ready-to-use sample log file is included for quick demo:
```bash
# Upload this file through the dashboard UI:
samples/sample_auth.log
```
## Supported Log Formats
### SSH Auth Log (`.log` / `.txt`)
```text
Nov 15 10:23:45 server sshd[1234]: Failed password for invalid user admin from 192.168.1.100 port 22 ssh2
Nov 15 10:23:50 server sshd[1234]: Accepted password for root from 192.168.1.50 port 22 ssh2
```
### CSV Format
Recognized column names: `source_ip`, `foreign_ip` or `ip` for the source address, `username` or `user` for the account, and `timestamp`.
## Configuration
Edit `log_dashboard.py` to adjust detection thresholds:
```python
BRUTE_FORCE_THRESHOLD = 5      # Failed attempts before IP is flagged
SUSPICIOUS_IP_THRESHOLD = 3    # Hit count to flag high-frequency IPs
SUSPICIOUS_IP_RANGES = [       # IP ranges auto-flagged as suspicious
    "192.168.100.",
    "10.0.0."
]
```
## Threat Severity Levels
| Level | Failed attempts from one IP | Recommended Action |
|--------------|-----------------------------|---------------------------------|
| **CRITICAL** | > 500 attempts | Immediate firewall block |
| **HIGH** | 100–500 attempts | Investigate and consider block |
| **MEDIUM** | 20–100 attempts | Monitor and log |
| **LOW** | < 20 attempts | Track for patterns |

The bands as written meet at 20 and 100; `log_dashboard.py` decides which band an exact boundary count falls into.
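The detection pipeline that the Features, Supported Log Formats, Configuration and Threat Severity sections describe, as an added example that is not the project's `log_dashboard.py`: a parser for the sshd line format and for the CSV column aliases, followed by brute force, breach, suspicious-range and targeted-username analysis over a constructed sample log. Three points the README leaves open are assumptions here: CSV rows are treated as failed logins (no success/failure column is listed), counts exactly on a band boundary go to the higher band, and "exceeding the threshold" is read as strictly greater.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Names and default values follow the README's Configuration section.
BRUTE_FORCE_THRESHOLD = 5
SUSPICIOUS_IP_RANGES = ["192.168.100.", "10.0.0."]

# One regex for both outcomes of the sshd lines shown under "Supported Log Formats";
# "invalid user" is optional, so known and unknown accounts are both captured.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
IP_COLUMNS = ("source_ip", "foreign_ip", "ip")   # CSV aliases listed in the README
USER_COLUMNS = ("username", "user")

def parse_auth_log(text):
    """Return (ip, user, success) events from syslog-style sshd lines; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("outcome") == "Accepted"))
    return events

def parse_csv_log(text):
    """Return events from CSV rows using the README's column aliases.
    Assumption (not in the README): every CSV row records one failed login."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ip = next((row[c] for c in IP_COLUMNS if row.get(c)), None)
        user = next((row[c] for c in USER_COLUMNS if row.get(c)), "unknown")
        if ip:
            events.append((ip.strip(), user.strip(), False))
    return events

def severity(count):
    """Bands from the README's severity table; exact boundary values are assumed to round up."""
    return "CRITICAL" if count > 500 else "HIGH" if count >= 100 else "MEDIUM" if count >= 20 else "LOW"

def analyze(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Brute force, breach, suspicious-range and targeted-username detection over parsed events."""
    failed_by_ip, targeted_users = Counter(), Counter()
    users_by_ip = defaultdict(set)
    breached = []
    for ip, user, success in events:
        if success:
            # Breach = a success from an IP that already failed earlier in the log.
            # Event order matters: a success followed by failures is not a breach.
            if failed_by_ip[ip] and ip not in breached:
                breached.append(ip)
        else:
            failed_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            targeted_users[user] += 1
    brute_force = [
        {"ip": ip, "count": n, "users": sorted(users_by_ip[ip]), "severity": severity(n)}
        for ip, n in failed_by_ip.most_common()
        if n > threshold  # "exceeding the threshold", as the README's feature list puts it
    ]
    all_ips = {ip for ip, _, _ in events}
    # Plain string prefixes, as in the README config; these are not CIDR masks.
    suspicious = sorted(ip for ip in all_ips if ip.startswith(tuple(SUSPICIOUS_IP_RANGES)))
    return {
        "total_failed": sum(failed_by_ip.values()),
        "unique_ips": len(all_ips),
        "brute_force": brute_force,
        "suspicious_ips": suspicious,
        "top_users": targeted_users.most_common(10),
        "breach_detected": bool(breached),
        "breached_ips": breached,
    }

def _line(outcome, user, ip, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return f"Nov 15 10:23:45 server sshd[1234]: {outcome} password for {who} from {ip} port 22 ssh2"

# Constructed sample log for this example (not the project's samples/sample_auth.log).
SAMPLE_AUTH_LOG = "\n".join(
    [_line("Failed", "root", "45.33.32.156")] * 4
    + [_line("Failed", "admin", "45.33.32.156", invalid=True)] * 2
    + [_line("Failed", "ubuntu", "192.168.100.55")] * 2
    + [_line("Accepted", "ubuntu", "192.168.100.55")]      # failed twice, then got in: breach
    + [_line("Accepted", "root", "192.168.1.50"), _line("Failed", "root", "192.168.1.50")]
    + [_line("Failed", "root", "10.0.0.7")]
    + ["Nov 15 10:24:00 server CRON[999]: pam_unix(cron:session): session opened for user root"]
)
SAMPLE_CSV = "foreign_ip,user,timestamp\n203.0.113.9,root,2024-11-15T10:23:45\n203.0.113.9,admin,2024-11-15T10:23:50\n"

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(parse_auth_log(SAMPLE_AUTH_LOG)), indent=2))
    print(analyze(parse_csv_log(SAMPLE_CSV), threshold=1))
```

Two things worth noticing when adapting this: breach detection is order-sensitive, so logs must be fed in chronological order (a rotated `auth.log.1` concatenated after `auth.log` will produce false breaches), and prefix strings such as `"10.0.0."` are substring checks, not network masks; a prefix like `"10.0."` would also match `10.0.10.x`. For real ranges use `ipaddress.ip_network("10.0.0.0/24")` and test membership with `in`.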
## API Endpoints
### `GET /`
Serves the main dashboard UI.
### `POST /analyze`
Accepts an uploaded log file and returns threat analysis.
**Request:** `multipart/form-data` with `file` field
**Response:**
```json
{
  "total_lines": 1000,
  "total_failed": 150,
  "brute_force_count": 5,
  "unique_ips": 45,
  "threshold": 5,
  "brute_force": [
    { "ip": "45.33.32.156", "count": 250, "users": ["admin", "root"] }
  ],
  "suspicious_ips": [],
  "top_ips": [],
  "top_users": [],
  "breach_detected": false,
  "recommendations": []
}
```
### `POST /export`
Returns brute force findings as a downloadable CSV report.
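The upload-handling pattern behind `/analyze` (sanitized filename, analysis, then the automatic file cleanup the Features list promises), as an added example that is not the project's Flask code. The project uses Werkzeug's `secure_filename`; so that this runs without Flask or Werkzeug installed, it uses a stdlib stand-in (`safe_filename`, an assumption of this example) and a plain callable in place of the real analyzer. The security point is the `try`/`finally`: the uploaded log is removed even when parsing crashes, so a malformed upload cannot leave sensitive log data on disk.

```python
import os
import re
import tempfile

ALLOWED_EXT = {".log", ".txt", ".csv"}   # the upload types the README lists
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]+")

def safe_filename(name):
    """Stdlib stand-in for Werkzeug's secure_filename (an assumption of this example, not the
    project's code): drop any directory part, then reduce the rest to a conservative charset."""
    base = os.path.basename(name.replace("\\", "/"))
    return _UNSAFE.sub("_", base).strip("._") or "upload"

def handle_upload(filename, data, analyze_fn, upload_dir):
    """Save the upload under a sanitized name, run analyze_fn(path), and always delete the file,
    including when the analyzer raises, so no log data lingers on the server."""
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"unsupported file type: {ext or '(none)'}")
    path = os.path.join(upload_dir, name)
    # Defence in depth: even with a sanitized name, refuse anything resolving outside upload_dir.
    root = os.path.realpath(upload_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        raise ValueError("path escapes upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    try:
        return analyze_fn(path)
    finally:
        if os.path.exists(path):
            os.remove(path)

def count_lines(path):
    """Stand-in analyzer for the demo; the real dashboard would parse the log here."""
    with open(path, "rb") as fh:
        return sum(1 for _ in fh)

def run_demo():
    """Constructed demo: a traversal-style filename, then an analyzer that crashes.
    Returns (line_count, files_left_after_success, files_left_after_crash)."""
    sample = b"Nov 15 10:23:45 server sshd[1234]: Failed password for root from 203.0.113.5 port 22 ssh2\n" * 3
    with tempfile.TemporaryDirectory() as upload_dir:
        count = handle_upload("../../etc/auth.log", sample, count_lines, upload_dir)
        left_after_success = os.listdir(upload_dir)

        def crash(path):
            raise RuntimeError("parser crashed")

        try:
            handle_upload("crash.log", sample, crash, upload_dir)
        except RuntimeError:
            pass
        left_after_crash = os.listdir(upload_dir)
    return count, left_after_success, left_after_crash

if __name__ == "__main__":
    print(run_demo())   # the two directory listings should both be empty
```

In a Flask route the same shape applies: take `request.files["file"]`, write it under the sanitized name into a dedicated upload directory (never the application directory), and put the parse call inside the `try` so the `finally` runs on every exit path, including a 500.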
## Project Structure
```text
security-log-analyzer/
├── log_dashboard.py      # Flask app — routes, log parsing, analysis logic, UI
├── requirements.txt      # Python dependencies
├── samples/
│   └── sample_auth.log   # Sample SSH auth log for demo and testing
├── README.md
└── LICENSE
```
## Limitations & Known Gaps
- Parses OpenSSH `sshd` messages in syslog-style `auth.log` format only — Windows Event Logs and other syslog sources (`sudo`, `su`, PAM session messages) require format extension
- No persistent storage — analysis results are not saved between sessions
- SUSPICIOUS_IP_RANGES are hardcoded — production use would integrate a threat intel feed
- Not a substitute for a full SIEM (Splunk, Elastic SIEM, Microsoft Sentinel)
## Future Improvements
## Author
**Sivamuthu Selvadurai M**
Cybersecurity enthusiast focused on SOC operations, log analysis, and blue team tooling.
GitHub: [siva404e](https://github.com/siva404e)
## License
MIT License — see [LICENSE](LICENSE) for details.