ayamagedd/WebLogForensics
🔍 Web Server Log Forensics Analyzer

Detect. Classify. Report.

A Python + Streamlit tool for analyzing Apache/Nginx access logs and identifying malicious activity, attack patterns, and threat actors.


✨ Features · 🚨 Detections · 🚀 Getting Started · 📸 Screenshots · 📄 Reports


📌 Overview

Web Server Log Forensics Analyzer is a security tool built with Python and Streamlit that lets analysts upload raw Apache or Nginx access logs and receive a forensic analysis in the browser. The tool detects common web attacks, flags the source IPs behind them as threat actors, assigns each a severity level, and generates a downloadable forensics report, all through a clean web interface.

Built as part of a Web & Security course, demonstrating real-world log forensics, attack pattern recognition, and threat classification techniques.


✨ Features

  • 📂 Upload any Apache/Nginx access log — up to 200MB
  • 🔎 Automatic attack detection across 8 attack categories
  • 🚨 Threat actor classification with severity levels (HIGH / MEDIUM)
  • 📊 Visual dashboards — top IPs, HTTP status code distribution
  • 📄 Downloadable forensics report (.txt)
  • 📊 GoAccess HTML dashboard integration
  • ⚙️ Configurable thresholds (e.g. brute force sensitivity)
  • 🧠 Indicators of Compromise (IOCs) extraction
  • 💡 Actionable security recommendations in every report

🚨 Attack Detections

Attack Type                | Description
---------------------------|------------------------------------------------------------------------------
💉 SQL Injection           | Detects UNION, SELECT, DROP, sleep(), benchmark() and other SQLi payloads in URLs
🖥️ XSS                     | Identifies <script>, onerror, document.cookie, eval() and URL-encoded variants
🔐 Brute Force             | Flags IPs whose POST requests to /login, /wp-login or /admin exceed the configurable threshold
🐚 Webshell Hunting        | Detects probes for known webshells: c99.php, r57.php, b374k, wso.php
📁 Sensitive File Access   | Catches attempts to access .env, .aws/credentials, wp-config.php, backup.sql
🔍 Directory Scanning      | Identifies IPs generating excessive 404 errors (automated scanning behavior)
🎭 URL Evasion             | Detects heavy URL encoding used to bypass WAF/IDS rules
🤖 Suspicious User Agents  | Flags known attack tools: sqlmap, nikto, masscan, zgrab, nmap

🚀 Getting Started

Prerequisites

  • Python 3.8+
  • pip
  • GoAccess (optional, for HTML dashboard generation)

Installation

# 1. Clone the repository
git clone https://github.com/ayamagedd/log-forensics-analyzer.git
cd log-forensics-analyzer

# 2. Install dependencies
pip install -r requirements.txt

# 3. Run the app
streamlit run log_forensics.py

Dependencies

streamlit
pandas

Install GoAccess separately for the HTML dashboard feature:

sudo apt install goaccess   # Debian/Ubuntu
brew install goaccess        # macOS

🖥️ Usage

  1. Open the app in your browser (http://localhost:8501)
  2. Set your Brute Force Threshold in the sidebar (default: 20 requests)
  3. Click Upload and select your Apache/Nginx .log file
  4. The tool automatically analyzes and displays:
    • Overview metrics (total requests, unique IPs, threats found)
    • Detection results per attack category
    • Flagged threat actors table with severity
    • IP address and status code charts
    • Full forensics report
  5. Download the .txt report or GoAccess HTML dashboard

📸 Screenshots

[Screenshot: Upload Interface]

[Screenshot: Overview Dashboard]

[Screenshot: Flagged Threat Actors]

[Screenshot: Full Forensics Report]


📄 Report Output

Every analysis generates a structured forensics report containing:

======================================================================
WEB SERVER LOG FORENSICS REPORT
======================================================================
Generated: 2026-05-24 ...

GENERAL STATISTICS
- Total Requests
- Unique IPs
- 404 Errors

DETECTION RESULTS
- SQL Injection Attempts
- XSS Attempts
- Brute Force IPs
- Scanning IPs
- Sensitive File Access
- Webshell Probes
- Evasion Attempts

THREAT ACTORS
- IP | Severity | Threat Type

INDICATORS OF COMPROMISE (IOCs)
- Malicious IPs with threat classification
- Sensitive paths confirmed to exist

RECOMMENDATIONS
- Actionable firewall, WAF, and server hardening steps
======================================================================

🗂️ Project Structure

log-forensics-analyzer/
├── log_forensics.py        # Main Streamlit application
├── requirements.txt        # Python dependencies
├── README.md               # Project documentation
├── screenshots/            # UI screenshots
└── sample_logs/            # Sample log files for testing (optional)

🔒 Security Patterns Reference

SQL Injection Keywords Detected

union · select · insert · drop · exec · 1=1 · -- · sleep() · benchmark() · xp_cmdshell · information_schema

XSS Patterns Detected

<script> · javascript: · onerror · onload · alert() · %3cscript · document.cookie · eval()

Webshells Detected

c99.php · r57.php · shell.php · b374k · wso.php · zwso.php · filemanager.php · backdoor

Suspicious Agents Detected

sqlmap · nikto · masscan · nmap · zgrab · curl · python-requests · go-http-client

Note that curl, python-requests and go-http-client are also the default User-Agents of legitimate scripts, monitoring checks and API integrations, so a hit on one of these alone is a lead to review against known automation, not a verdict on its own.
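The following is an added example and not the project's code: a compact detector that applies the attack categories from the Attack Detections table and the keyword lists from this Security Patterns Reference to Apache/Nginx combined-format lines. The log-format regex, the 404 and percent-escape thresholds, the HIGH/MEDIUM mapping and the sample log lines are this example's own assumptions (the brute-force default of 20 follows the Usage section). It also shows the one step the "encoded variants" and "URL Evasion" rows depend on: percent-decoding the path (bounded, to catch double encoding) before matching.

```python
"""Added example, not the project's code: a compact detector covering the attack
categories and keyword lists described on this page. The log-format regex,
thresholds, the "heavy encoding" rule and the HIGH/MEDIUM mapping are this
example's own assumptions; the sample log lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/Nginx "combined" access-log format (assumed to be the uploaded format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Keyword lists from the Security Patterns Reference, matched case-insensitively
# as loose substrings (so "select" also hits "selected"; see the note below).
SQLI = re.compile(r"union|select|insert|drop|exec|1=1|--|sleep\(|benchmark\(|xp_cmdshell|information_schema", re.I)
XSS = re.compile(r"<script|javascript:|onerror|onload|alert\(|document\.cookie|eval\(", re.I)
WEBSHELL = re.compile(r"c99\.php|r57\.php|shell\.php|b374k|wso\.php|zwso\.php|filemanager\.php|backdoor", re.I)
SENSITIVE = re.compile(r"\.env|\.aws/credentials|wp-config\.php|backup\.sql", re.I)
BAD_UA = re.compile(r"sqlmap|nikto|masscan|nmap|zgrab|curl|python-requests|go-http-client", re.I)
LOGIN_PATHS = ("/login", "/wp-login", "/admin")

# Assumed severity mapping: payload-bearing or credential-targeting categories are HIGH.
SEVERITY = {"sqli": "HIGH", "xss": "HIGH", "webshell": "HIGH", "sensitive": "HIGH",
            "brute_force": "HIGH", "scanning": "MEDIUM", "evasion": "MEDIUM", "bad_ua": "MEDIUM"}


def normalize(path, rounds=3):
    """Percent-decode repeatedly (bounded) so %3cscript and double-encoded payloads match."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def max_severity(cats):
    return "HIGH" if any(SEVERITY[c] == "HIGH" for c in cats) else "MEDIUM"


def analyze(lines, brute_force_threshold=20, scan_404_threshold=30, evasion_min_escapes=8):
    """Return ({ip: set(categories)}, [(ip, severity, [categories]), ...])."""
    hits = defaultdict(set)
    login_posts, not_found = Counter(), Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                      # unparseable line: skip, do not crash the run
        ip, raw_path = ev["ip"], ev["path"]
        path = normalize(raw_path)        # match patterns on the decoded path
        if SQLI.search(path):       hits[ip].add("sqli")
        if XSS.search(path):        hits[ip].add("xss")
        if WEBSHELL.search(path):   hits[ip].add("webshell")
        if SENSITIVE.search(path):  hits[ip].add("sensitive")
        if BAD_UA.search(ev["ua"]): hits[ip].add("bad_ua")
        if raw_path.count("%") >= evasion_min_escapes:   # "heavy" encoding, as assumed here
            hits[ip].add("evasion")
        if ev["method"] == "POST" and path.startswith(LOGIN_PATHS):
            login_posts[ip] += 1
        if ev["status"] == "404":
            not_found[ip] += 1
    for ip, n in login_posts.items():
        if n >= brute_force_threshold:
            hits[ip].add("brute_force")
    for ip, n in not_found.items():
        if n >= scan_404_threshold:
            hits[ip].add("scanning")
    actors = [(ip, max_severity(c), sorted(c)) for ip, c in hits.items()]
    actors.sort(key=lambda a: (a[1] != "HIGH", a[0]))   # HIGH first, then by IP
    return dict(hits), actors


# Constructed sample log (not real traffic): SQLi via sqlmap, a double-encoded XSS
# probe, sensitive-file and webshell probes, a heavily encoded traversal, one
# benign request, and 25 POSTs to /wp-login.php from a single IP.
SAMPLE_LOG = (
    '203.0.113.7 - - [24/May/2026:10:00:01 +0000] "GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 200 512 "-" "sqlmap/1.7"\n'
    '203.0.113.7 - - [24/May/2026:10:00:02 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 128 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [24/May/2026:10:00:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [24/May/2026:10:00:04 +0000] "GET /uploads/c99.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"\n'
    '198.51.100.9 - - [24/May/2026:10:00:05 +0000] "GET /%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"\n'
    '192.0.2.1 - - [24/May/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
    + "".join(
        f'192.0.2.44 - - [24/May/2026:10:01:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"\n'
        for i in range(25)
    )
)


def run_sample(**thresholds):
    return analyze(SAMPLE_LOG.splitlines(), **thresholds)


if __name__ == "__main__":
    hits, actors = run_sample()
    for ip, sev, cats in actors:
        print(f"{ip:<14} {sev:<6} {', '.join(cats)}")
```

On the constructed sample this flags 203.0.113.7 for SQLi, XSS and a scanner User-Agent, 198.51.100.9 for the sensitive-file, webshell and encoded-traversal probes, and 192.0.2.44 for brute force; raising `brute_force_threshold` to 30 drops the last one, which is the sidebar control the Usage section describes. Two points to carry into real use: the keyword lists on this page match loose substrings, so "select", "drop", "exec" and "--" will hit legitimate URLs and a single MEDIUM category should be treated as a lead rather than a finding; and matching on the decoded path is what catches `%3cscript` and double-encoded payloads, while the raw path is the right place to measure encoding density.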


👨‍💻 Author

Aya Magedd


📄 License

This project is licensed under the MIT License — see the LICENSE file for details.


Made with 🐍 Python · Built for the Web & Security Course

⭐ Star this repo if you found it useful!

About

Python + Streamlit tool for analyzing Apache/Nginx access logs — detects SQLi, XSS, brute force, webshells, and credential harvesting. Generates full forensics reports with IOCs and recommendations.