import csv
from collections import Counter

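def analyze_log(file_path, threshold=1, encoding="utf-8"):
    """Count requests per IP and per endpoint in a space-separated access log.

    Each line is split on whitespace and skipped unless it has at least nine
    fields. Field 0 is taken as the client IP, field 6 as the endpoint and the
    third field from the end as the HTTP status code. NOTE(review): that
    layout is specific to the author's log file ("Adjusted based on log
    structure" in the original); confirm the field positions against a real
    line before reusing this on another format.

    A line counts as a failed login when it contains the literal text
    "Invalid credentials" anywhere, or when the status field starts with
    "401". Both tests are loose: the substring match also fires on
    request data the client controls (URL, user agent), and ``startswith``
    would accept e.g. "4010". They only cause a client to flag itself, not
    to evade detection, but tighten them once the log format is pinned down.

    Args:
        file_path: Path of the log file to read.
        threshold: Minimum failed-login count for an IP to be reported in
            the third return value. Default 1 reports every IP with at
            least one failure, which is what the original ``count > 0``
            filter did.
        encoding: Text encoding of the log. Undecodable bytes are replaced
            instead of raising, so one attacker-supplied byte in a request
            line cannot abort the whole scan.

    Returns:
        ``(ip_counts, endpoint_counts, flagged_ips)``: two ``Counter``
        objects and a plain dict of IP -> failed-login count limited to IPs
        at or above ``threshold``.

    Raises:
        OSError (including FileNotFoundError): if the file cannot be opened.
    """
    ip_counts = Counter()
    endpoint_counts = Counter()
    suspicious_ips = Counter()

    with open(file_path, "r", encoding=encoding, errors="replace") as log:
        for line in log:
            parts = line.split()  # whitespace-separated log format
            if len(parts) <= 8:
                # Too few fields to index safely; silently skipped, so a
                # truncated line never raises IndexError.
                continue

            ip = parts[0]
            endpoint = parts[6]
            status_code = parts[-3]

            ip_counts[ip] += 1
            endpoint_counts[endpoint] += 1

            # Failed-login heuristic (see docstring for its limits).
            if "Invalid credentials" in line or status_code.startswith("401"):
                suspicious_ips[ip] += 1

    flagged_ips = {
        ip: failures
        for ip, failures in suspicious_ips.items()
        if failures >= threshold
    }
    return ip_counts, endpoint_counts, flagged_ips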

# Save results to a CSV file
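# Leading characters that spreadsheet applications interpret as the start of
# a formula when a CSV cell is opened (OWASP "CSV injection" list).
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _csv_safe(value):
    """Return *value* neutralised against spreadsheet formula injection.

    Endpoints (and, behind a proxy, IPs) come straight from attacker-
    controlled request data; a value such as ``=HYPERLINK(...)`` or
    ``=cmd|' /C calc'!A0`` would be executed by Excel/LibreOffice when an
    analyst opens the report. Strings beginning with a trigger character get
    a leading apostrophe, which spreadsheets treat as "text". Non-strings
    (the integer counts) are returned unchanged.
    """
    if isinstance(value, str) and value.startswith(_FORMULA_TRIGGERS):
        return "'" + value
    return value


def save_to_csv(ip_counts, endpoint_counts, flagged_ips, output_file):
    """Write the analysis results to *output_file* as three CSV sections.

    Sections, separated by a blank row, are "Requests per IP" (busiest
    first), "Most Accessed Endpoint" (most accessed first) and "Suspicious
    Activity" (IP -> failed-login count, in dict order). All string cells are
    passed through ``_csv_safe`` before being written.

    Args:
        ip_counts: ``Counter`` of requests per IP.
        endpoint_counts: ``Counter`` of requests per endpoint.
        flagged_ips: mapping of IP -> failed-login count.
        output_file: path of the CSV to create (overwritten if present).

    Raises:
        OSError: if the output file cannot be written.
    """
    with open(output_file, "w", newline="", encoding="utf-8") as csvfile:
        writer = csv.writer(csvfile)

        def section(title, header, rows):
            """Emit one titled section; rows are (label, count) pairs."""
            writer.writerow([title])
            writer.writerow(header)
            for label, count in rows:
                writer.writerow([_csv_safe(label), count])

        section("Requests per IP", ["IP Address", "Request Count"],
                ip_counts.most_common())

        writer.writerow([])  # blank separator row
        section("Most Accessed Endpoint", ["Endpoint", "Access Count"],
                endpoint_counts.most_common())

        writer.writerow([])  # blank separator row
        section("Suspicious Activity", ["IP Address", "Failed Login Count"],
                flagged_ips.items())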

# Main function
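# Script entry: analyse one log file, print a summary and write the CSV.
# Paths are hard-coded for the author's machine; adjust before running
# anywhere else.
file_path = "C:/Users/saipa/OneDrive/Desktop/log.txt"
output_file = "C:/Users/saipa/OneDrive/Desktop/log_analysis_results.csv"

try:
    ip_counts, endpoint_counts, flagged_ips = analyze_log(file_path)

    # Requests per IP, busiest first.
    print(f"{'IP Address':<20} {'Request Count':<15}")
    for ip, count in ip_counts.most_common():
        print(f"{ip:<20} {count:<15}")

    print("\nMost Frequently Accessed Endpoint:")
    most_accessed = endpoint_counts.most_common(1)
    if most_accessed:  # empty log -> no endpoint to report
        endpoint, hits = most_accessed[0]
        print(f" {endpoint} (Accessed {hits} times)")

    # Failed-login summary.
    if flagged_ips:
        print("\nSuspicious Activity Detected:")
        print(f"{'IP Address':<20} {'Failed Login Attempts':<15}")
        for ip, count in flagged_ips.items():
            print(f"{ip:<20} {count:<15}")
    else:
        print("\nNo suspicious activity detected.")

    save_to_csv(ip_counts, endpoint_counts, flagged_ips, output_file)
    print(f"\nResults saved to {output_file}")

except FileNotFoundError as err:
    # Keep the original wording but say which path was missing.
    print(f"Error in Uploaded log File: {err}")
except (OSError, UnicodeDecodeError) as err:
    # Permission problems on either file, or a log that is not valid text,
    # previously escaped as an uncaught traceback.
    print(f"Log analysis failed: {err}")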

IP Address           Request Count  
203.0.113.5          8              
198.51.100.23        8              
192.168.1.1          7              
10.0.0.2             6              
192.168.1.100        5              

Most Frequently Accessed Endpoint:
 /login (Accessed 13 times)

Suspicious Activity Detected:
IP Address           Failed Login Attempts
203.0.113.5          8              
192.168.1.100        5              

Results saved to C:/Users/saipa/OneDrive/Desktop/log_analysis_results.csv
