A lightweight Blue Team / SOC-style Python tool that analyzes Linux authentication logs and produces:
- Summary of failed and successful SSH logins
- Top offending IP addresses
- Top targeted usernames
- A timestamped JSON report for evidence and documentation
Works well on Ubuntu and WSL.
The tool flags possible brute-force behavior using simple count thresholds, applied separately to each source IP address and to each targeted username:
- [MEDIUM RISK] if failed attempts from one IP (or against one username) ≥ 5
- [HIGH RISK] if failed attempts from one IP (or against one username) ≥ 15
The per-IP and per-user thresholds can be tuned independently on the command line:
```bash
python3 src/analyze_auth_log.py --ip-medium 3 --ip-high 10 --user-medium 3 --user-high 10
```
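The detection logic described above, run over a handful of constructed sshd log lines, as an added example. This is illustration code written for this README, not the project's `src/analyze_auth_log.py`; the function names (`analyze`, `risk_level`, `report_filename`, `render_report`), the regular expressions, the keyword arguments that stand in for the `--ip-medium`/`--ip-high`/`--user-medium`/`--user-high` flags, and the sample lines are all assumptions made here.

```python
"""Minimal sshd failed/accepted login analyzer (example code, stdlib only)."""
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, not real log data. The formats follow OpenSSH sshd
# messages as rsyslog writes them to /var/log/auth.log on Ubuntu.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:18 host sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:01:20 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Mar  3 10:01:25 host sshd[1205]: Failed password for root from 203.0.113.5 port 51255 ssh2
Mar  3 10:02:01 host sshd[1210]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar  3 10:02:40 host sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:AbCdEf
Mar  3 10:03:02 host sshd[1212]: Failed password for ubuntu from 198.51.100.9 port 40010 ssh2
Mar  3 10:03:30 host sshd[1213]: Accepted password for bob from 192.0.2.11 port 50010 ssh2
"""

# "invalid user" is logged when the account does not exist. The username is
# attacker-controlled text, so it is only ever counted and serialized as data.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def risk_level(count, medium, high):
    """Map a failure count onto the two README thresholds (None = below both)."""
    if count >= high:
        return "HIGH RISK"
    if count >= medium:
        return "MEDIUM RISK"
    return None


def analyze(lines, ip_medium=5, ip_high=15, user_medium=5, user_high=15, top_n=5):
    """Count failed/successful sshd logins and flag IPs and users over threshold.

    The four threshold arguments play the role of the CLI's --ip-medium,
    --ip-high, --user-medium and --user-high options (an assumption here).
    """
    failed_by_ip = Counter()
    failed_by_user = Counter()
    successes = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m["ip"]] += 1
            failed_by_user[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            successes.append({"user": m["user"], "ip": m["ip"], "method": m["method"]})

    # Per-IP and per-user thresholds are evaluated independently.
    alerts = []
    for ip, n in failed_by_ip.most_common():
        level = risk_level(n, ip_medium, ip_high)
        if level:
            alerts.append({"type": "ip", "value": ip, "failed": n, "level": level})
    for user, n in failed_by_user.most_common():
        level = risk_level(n, user_medium, user_high)
        if level:
            alerts.append({"type": "user", "value": user, "failed": n, "level": level})

    return {
        "failed_total": sum(failed_by_ip.values()),
        "success_total": len(successes),
        "top_ips": failed_by_ip.most_common(top_n),
        "top_users": failed_by_user.most_common(top_n),
        "successes": successes,
        "alerts": alerts,
    }


def report_filename(now):
    """Report name in the README's auth_report_YYYY-MM-DD_HH-MM.json form."""
    return "auth_report_" + now.strftime("%Y-%m-%d_%H-%M") + ".json"


def render_report(result, now):
    """Serialize the analysis as a timestamped JSON document (returned as text)."""
    return json.dumps({"generated_at": now.isoformat(timespec="seconds"), **result}, indent=2)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    now = datetime.now()
    for a in result["alerts"]:
        print(f"[{a['level']}] {a['type']} {a['value']}: {a['failed']} failed logins")
    print(report_filename(now))
    print(render_report(result, now))
```

With the default thresholds only `203.0.113.5` (5 failures) is flagged, at MEDIUM RISK; rerunning `analyze` with `ip_medium=3, user_medium=3` (the tuned values from the command above) additionally flags `root`, which took 4 of the failures. Two caveats a practitioner should keep in mind: the regexes above only match the `Failed password` and `Accepted ...` forms, so sshd's `Invalid user X from IP` and `Connection closed by authenticating user ...` lines, and rsyslog's `message repeated N times` summaries, are not counted; and the thresholds are totals over everything you feed in, with no time window, so counts from a month-old log and from the last ten minutes are weighted the same.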
## Tools Used
- Python 3 (stdlib only)
- Linux auth logs (`/var/log/auth.log`, `/var/log/secure`, or `/var/log/syslog`)
- Git & GitHub
---
## Project Structure
```text
auth-log-analyzer/
├── README.md
├── requirements.txt
├── reports/
│   └── auth_report_YYYY-MM-DD_HH-MM.json
└── src/
    └── analyze_auth_log.py