A Python-based tool that analyzes Linux authentication logs to detect suspicious SSH login activity.
This project was built to help me learn cybersecurity concepts such as log parsing, failed authentication detection, and basic incident analysis.
- Parses Linux authentication log entries (`auth.log`-style)
- Extracts key fields:
  - Timestamp
  - Event type (failed / accepted)
  - Username
  - IP address
- Reads a saved log file and reports:
  - Total lines read
  - Parsed authentication events
  - Failed login count
  - Accepted login count
- Aggregates failed login attempts by IP address
- Assigns severity levels based on thresholds:
  - 🟢 LOW (1–2 failed attempts)
  - 🟡 MEDIUM (3–4 failed attempts)
  - 🔴 HIGH (5+ failed attempts)
- Prints human-readable alerts to the terminal
- Generates a structured JSON report (`report.json`) for basic incident triage
- Includes unit tests using `pytest`
```text
security-log-analyzer/
├── parser.py          # Parses individual authentication log lines
├── analyze_file.py    # Reads a log file and summarizes events
├── sample_auth.log    # Sample authentication log for testing
├── test_parser.py     # Unit tests for the parser
├── .gitignore
├── LICENSE
└── README.md
```
Run the analyzer and the unit tests:

```bash
python analyze_file.py
pytest test_parser.py
```

Example terminal output:

```text
Lines read: 1000
Parsed events: 1000
Failed events: 881
Accepted events: 30
Alerts:
10.0.0.8: 3 failed attempts - MEDIUM
185.199.110.153: 160 failed attempts - HIGH
198.51.100.24: 146 failed attempts - HIGH
176.58.123.77: 141 failed attempts - HIGH
192.168.1.10: 7 failed attempts - HIGH
45.83.12.91: 208 failed attempts - HIGH
103.214.5.17: 171 failed attempts - HIGH
172.16.0.4: 2 failed attempts - LOW
192.168.1.5: 1 failed attempts - LOW
91.92.109.43: 38 failed attempts - HIGH
10.0.0.22: 4 failed attempts - MEDIUM
```

Example `report.json`:

```json
{
  "alerts": [
    {"attempts": 3,   "ip": "10.0.0.8",        "severity": "MEDIUM"},
    {"attempts": 160, "ip": "185.199.110.153", "severity": "HIGH"},
    {"attempts": 146, "ip": "198.51.100.24",   "severity": "HIGH"},
    {"attempts": 141, "ip": "176.58.123.77",   "severity": "HIGH"},
    {"attempts": 7,   "ip": "192.168.1.10",    "severity": "HIGH"},
    {"attempts": 208, "ip": "45.83.12.91",     "severity": "HIGH"},
    {"attempts": 171, "ip": "103.214.5.17",    "severity": "HIGH"},
    {"attempts": 2,   "ip": "172.16.0.4",      "severity": "LOW"},
    {"attempts": 1,   "ip": "192.168.1.5",     "severity": "LOW"},
    {"attempts": 38,  "ip": "91.92.109.43",    "severity": "HIGH"},
    {"attempts": 4,   "ip": "10.0.0.22",       "severity": "MEDIUM"}
  ],
  "failed_by_ip": {
    "10.0.0.22": 4,
    "10.0.0.8": 3,
    "103.214.5.17": 171,
    "172.16.0.4": 2,
    "176.58.123.77": 141,
    "185.199.110.153": 160,
    "192.168.1.10": 7,
    "192.168.1.5": 1,
    "198.51.100.24": 146,
    "45.83.12.91": 208,
    "91.92.109.43": 38
  },
  "summary": {
    "accepted_events": 30,
    "failed_events": 881,
    "lines_read": 1000,
    "parsed_events": 1000
  }
}
```
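The full pipeline described above (parse a line into timestamp / event type / username / IP, count failures per IP, apply the LOW/MEDIUM/HIGH thresholds, emit a `report.json`-shaped dict), as an added illustration that is not the project's own `parser.py` or `analyze_file.py`. It assumes the common syslog-style `sshd` line layout; the sample lines are constructed for this example and a non-sshd line is included to show that unparseable lines are counted but not treated as events.

```python
import re
from collections import Counter

# Constructed sample lines in the common syslog/sshd layout (an assumption;
# the project's sample_auth.log may use a different format).
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50412 ssh2",
    "Mar  3 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50413 ssh2",
    "Mar  3 10:00:05 host sshd[1201]: Failed password for root from 203.0.113.9 port 50414 ssh2",
    "Mar  3 10:00:09 host sshd[1202]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Mar  3 10:00:11 host sshd[1203]: Failed password for bob from 192.0.2.10 port 51001 ssh2",
    "Mar  3 10:00:12 host CRON[1300]: pam_unix(cron:session): session opened for user root",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)


def parse_line(line):
    """Extract timestamp, event type, username and IP; None for non-sshd lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"timestamp": m.group("ts"),
            "event": "failed" if m.group("result") == "Failed" else "accepted",
            "username": m.group("user"), "ip": m.group("ip")}


def severity(attempts):
    """Thresholds from the README: 1-2 LOW, 3-4 MEDIUM, 5+ HIGH."""
    return "HIGH" if attempts >= 5 else "MEDIUM" if attempts >= 3 else "LOW"


def analyze(lines):
    """Build a report with the same shape as report.json."""
    lines = list(lines)
    events = [e for e in map(parse_line, lines) if e is not None]
    failed_by_ip = Counter(e["ip"] for e in events if e["event"] == "failed")
    return {
        "summary": {"lines_read": len(lines), "parsed_events": len(events),
                    "failed_events": sum(failed_by_ip.values()),
                    "accepted_events": len(events) - sum(failed_by_ip.values())},
        "failed_by_ip": dict(sorted(failed_by_ip.items())),
        "alerts": [{"ip": ip, "attempts": n, "severity": severity(n)}
                   for ip, n in failed_by_ip.items()],
    }
```

`json.dumps(analyze(SAMPLE_LOG), indent=2)` gives the same three top-level keys as the report shown above.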
- This project is designed to help me learn:
  - How Linux authentication logs work
  - How SSH login attempts are recorded
  - How brute-force behavior appears in logs
  - How to extract structured security data from raw text
  - How basic security monitoring tools are built
- The `sample_auth.log` file used for testing was generated using AI-assisted tools to resemble realistic Linux authentication logs.
- No real users, systems, or production logs were used
- No real credentials or sensitive data are included
- The data is intended solely for development and demonstration purposes