alexojocyber/Python-Log-Parser

Project Overview

This project is a Python automation script that parses Linux authentication logs, automatically detects SSH brute-force attack patterns, and generates a structured incident report — no manual grep commands needed.

The goal was to automate what a SOC analyst would normally do manually, demonstrating how scripting can speed up threat detection and incident investigation.


Lab Environment

Component            Details
Language             Python 3.12.3
Operating System     Ubuntu Linux
Log Source           /var/log/auth.log
Attack Type          SSH Brute Force
Detection Threshold  3+ failed attempts

How It Works

  1. Reads /var/log/auth.log automatically
  2. Scans every line for "Failed password" entries
  3. Extracts timestamp, username, and source IP from each event
  4. Groups failed attempts by IP address
  5. Flags any IP exceeding the threshold as a brute force attacker
  6. Generates a structured incident report with MITRE ATT&CK and NIST mapping
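The six steps above as one runnable script. This is an added example, not the repository's own log_parser.py; it assumes Ubuntu's ISO-timestamp auth.log line format (the shape behind the sample report below), and the embedded log lines, hostname and addresses are constructed.

```python
import re
from collections import defaultdict
# Assumed line shape: Ubuntu auth.log with ISO timestamps (as in the README's sample report).
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\S+\s+sshd\[\d+\]:\s+Failed password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
THRESHOLD = 3  # the README's "3+ failed attempts"

# Constructed sample lines (hypothetical host and addresses), not real log data.
SAMPLE_LOG = """\
2026-03-29T13:44:45.101523+00:00 lab sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2
2026-03-29T13:44:49.331002+00:00 lab sshd[2101]: Failed password for root from 192.0.2.10 port 50122 ssh2
2026-03-29T13:45:02.004112+00:00 lab sshd[2107]: Accepted password for alex from 192.0.2.55 port 50130 ssh2
2026-03-29T13:45:10.772190+00:00 lab sshd[2110]: Failed password for alex from 192.0.2.55 port 50131 ssh2
2026-03-30T03:38:19.550003+00:00 lab sshd[3302]: Failed password for invalid user oracle from 192.0.2.10 port 50200 ssh2
"""
def parse_failed_logins(lines):
    """Steps 2-3: keep only 'Failed password' events as (timestamp, user, ip) tuples."""
    return [(m["ts"], m["user"], m["ip"]) for m in map(FAILED_RE.match, lines) if m]

def detect_brute_force(events, threshold=THRESHOLD):
    """Steps 4-5: group attempts by source IP and flag IPs with >= threshold failures."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        if len(attempts) >= threshold:
            stamps = sorted(ts for ts, _ in attempts)  # ISO strings sort chronologically
            alerts[ip] = {"total": len(attempts), "users": sorted({u for _, u in attempts}),
                          "first": stamps[0], "last": stamps[-1]}
    return alerts

def build_report(events, alerts):
    """Step 6: structured report carrying the README's MITRE ATT&CK / NIST mapping."""
    lines = ["SSH BRUTE FORCE DETECTION REPORT",
             f"Total Failed Attempts : {len(events)}",
             f"Unique Source IPs     : {len({ip for _, _, ip in events})}"]
    for ip, a in alerts.items():
        lines += [f"IP Address : {ip}", f"Total Attempts : {a['total']}",
                  f"Targeted Users : {', '.join(a['users'])}",
                  f"First Attempt : {a['first']}", f"Last Attempt : {a['last']}",
                  "MITRE ATT&CK: T1110 - Brute Force", "NIST Control : AC-7 - Unsuccessful Login Attempts"]
    return "\n".join(lines)

if __name__ == "__main__":  # replace SAMPLE_LOG with open("/var/log/auth.log") for a real run
    evs = parse_failed_logins(SAMPLE_LOG.splitlines())
    print(build_report(evs, detect_brute_force(evs)))
```

The "Accepted password" line is deliberately included to show that successful logins never count toward the threshold.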

How To Run

sudo python3 log_parser.py

sudo is required to read /var/log/auth.log


Sample Output

Parsing authentication logs...

SSH BRUTE FORCE DETECTION REPORT
Generated: 2026-04-03 14:08:10

SUMMARY
Total Failed Attempts : 7
Unique Source IPs     : 1

BRUTE FORCE ALERTS (threshold: 3+ attempts)
IP Address     : 192.168.0.168
Total Attempts : 7
Targeted Users : {'attackeruser'}
First Attempt  : 2026-03-29T13:44:45
Last Attempt   : 2026-03-30T03:38:19

MITRE ATT&CK: T1110 - Brute Force
NIST Control : AC-7 - Unsuccessful Login Attempts


MITRE ATT&CK Mapping

Tactic             Technique                      Description
Credential Access  T1110 — Brute Force            Repeated failed SSH login attempts
Credential Access  T1110.001 — Password Guessing  Multiple password attempts against a single account

NIST Controls Mapping

Finding                   NIST Control  Description
Brute Force Detected      AC-7          Unsuccessful Login Attempts
Auth Log Monitored        AU-2          Event Logging
Attack Timeline Captured  SI-4          System Monitoring

Related Projects

This project is part of a complete SOC workflow:

Project                        Description
SSH Brute Force Detection Lab  Manual SSH attack simulation and Fail2Ban defense
Enterprise SIEM Lab            PAM brute force detection with MITRE ATT&CK mapping
Splunk SIEM Lab                Enterprise detection dashboard using Splunk Cloud

Skills Demonstrated

  • Python scripting and automation
  • Linux log analysis
  • Incident detection and reporting
  • MITRE ATT&CK mapping
  • NIST compliance mapping
  • SOC analyst workflow automation

Author

Alex Ojo, Cybersecurity Student | SOC Analyst Trainee
