In [15]:
import pandas as pd
import re
from datetime import datetime
import numpy as np
from urllib.parse import urlparse

# Corrected: removed duplicate 'dest_domain'
REQUIRED_COLUMNS = [
    'timestamp', 'user', 'action', 'description', 'protocol', 'url', 'method',
    'source_ip', 'dest_ip', 'dest_domain', 'client_ip', 'source_port',
    'dest_port', 'severity', 'host', 'rule_name', 'app', 'category',
    'bytes_sent', 'bytes_received', 'threat_id', 'user_agent', 'eventid',
    'workstation', 'privilege', 'object', 'accessmask', 'target', 'status',
    'reason', 'process', 'parentprocess', 'fileaccessed', 'alert', 'machine',
    'os', 'details', 'resource', 'hostname', 'location', 'facility', 'code',
    'message', 'event', 'file', 'verdict', 'log_type'
]

def clean_csv_log(file_path, log_type):
    try:
        df = pd.read_csv(file_path)
        df.dropna(how='all', inplace=True)
        df.columns = [col.strip().lower().replace(' ', '_') for col in df.columns]
        df['log_type'] = log_type
        return df
    except Exception as e:
        print(f"[!] Error reading {file_path}: {e}")
        return pd.DataFrame(columns=REQUIRED_COLUMNS)

def normalize_timestamp(ts):
    try:
        return datetime.strptime(ts, '%Y-%m-%d %H:%M:%S').isoformat()
    except Exception:
        return None

def clean_ip_column(ip):
    ip_pattern = r'^(\d{1,3}\.){3}\d{1,3}$'
    if isinstance(ip, str) and re.match(ip_pattern, ip):
        return ip
    return np.nan

def clean_domain_column(domain):
    domain_pattern = r'^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    if isinstance(domain, str) and re.match(domain_pattern, domain):
        return domain.lower()
    return np.nan

def map_ad_columns(df):
    ip_fields = ['client_ip', 'client_address', 'ip_address', 'ip']
    client_ip_col = next((col for col in ip_fields if col in df.columns), None)
    
    if client_ip_col:
        df['client_ip'] = df[client_ip_col]
    else:
        df['client_ip'] = None

    col_map = {
        'user': 'user',
        'description': 'description',
        'timestamp': 'timestamp'
    }
    col_map = {k: v for k, v in col_map.items() if k in df.columns}
    df = df.rename(columns=col_map)
    return df

def map_proxy_columns(df):
    ip_fields = ['client', 'client_ip', 'source_ip', 'ip']
    for field in ip_fields:
        if field in df.columns:
            df['client_ip'] = df[field].astype(str).str.extract(r'(\d{1,3}(?:\.\d{1,3}){3})')[0]
            break
    else:
        df['client_ip'] = None

    if 'url' in df.columns:
        df['hostname'] = df['url'].apply(lambda x: urlparse(str(x)).hostname if pd.notnull(x) else None)

    return df

def map_firewall_columns(df):
    if 'dest_ip' in df.columns:
        df['dest_domain'] = df['dest_ip'].apply(
            lambda x: x if isinstance(x, str) and not re.match(r'^(\d{1,3}\.){3}\d{1,3}$', x) else np.nan
        )
        df['dest_ip'] = df['dest_ip'].apply(clean_ip_column)
    return df

# Define your input files
log_files = {
    "firewall": "./logs/firewall_logs.csv",
    "proxy": "./logs/proxy3_logs.csv",
    "ad": "./logs/ad_logs.csv",
    "edr": "./logs/edr_logs.csv",
    "iam": "./logs/iam_logs.csv",
    "mail": "./logs/mail2_logs.csv",
    "router": "./logs/router_logs.csv",
    "user": "./logs/user.csv",
    "siem": "./logs/siem_logs.csv"
}

dataframes = []
for log_type, file_path in log_files.items():
    df = clean_csv_log(file_path, log_type)

    if df.empty:
        continue

    if log_type == 'ad':
        df = map_ad_columns(df)
    elif log_type == 'proxy':
        df = map_proxy_columns(df)
    elif log_type == 'firewall':
        df = map_firewall_columns(df)
    else:
        df['client_ip'] = None
        df['dest_domain'] = None

    # Ensure all required columns exist
    for col in REQUIRED_COLUMNS:
        if col not in df.columns:
            df[col] = None

    df = df[REQUIRED_COLUMNS]  # Reorder and limit columns
    dataframes.append(df)

# Concatenate all processed logs
final_dataset = pd.concat(dataframes, ignore_index=True)

# Normalize timestamps
final_dataset['timestamp'] = final_dataset['timestamp'].apply(normalize_timestamp)

# Clean IP fields
for ip_col in ['source_ip', 'dest_ip', 'client_ip']:
    final_dataset[ip_col] = final_dataset[ip_col].apply(clean_ip_column)

# Clean domain fields
final_dataset['domain'] = final_dataset['hostname'].apply(clean_domain_column)
final_dataset['dest_domain'] = final_dataset['dest_domain'].apply(clean_domain_column)

# Drop temporary hostname column
final_dataset.drop(columns=['hostname'], inplace=True)

# Save final output
final_dataset.to_csv("final_normalized_logs.csv", index=False)
print("[✓] All logs cleaned, normalized, and saved to final_normalized_logs.csv")

[✓] All logs cleaned, normalized, and saved to final_normalized_logs.csv


  final_dataset = pd.concat(dataframes, ignore_index=True)


In [16]:
import pandas as pd
import numpy as np

# Load dataset
df = pd.read_csv("final_normalized_logs.csv")

# Normalize column names
df.columns = df.columns.str.strip().str.lower().str.replace(' ', '_')

# Drop fully empty rows and columns
df.dropna(how='all', inplace=True)
df.dropna(axis=1, how='all', inplace=True)

# Clean string fields (except some text fields)
exclude_clean = ['user_agent', 'url', 'fileaccessed', 'message']
for col in df.select_dtypes(include='object').columns:
    if col not in exclude_clean:
        df[col] = df[col].astype(str).str.strip().str.lower()

# Convert and clean timestamp
if 'timestamp' in df.columns:
    df['timestamp'] = pd.to_datetime(df['timestamp'], errors='coerce')
    df = df[df['timestamp'].notna()]

# Clean and standardize event ID fields
for field in ['eventid', 'threat_id']:
    if field in df.columns:
        df[field] = df[field].replace(['', ' ', 'nan', 'None', None], pd.NA).fillna(-1)
        try:
            df[field] = df[field].astype(int)
        except:
            pass

# IP fields cleanup
ip_fields = ['source_ip', 'dest_ip', 'client_ip']
for col in ip_fields:
    if col in df.columns:
        df[col] = df[col].astype(str).str.extract(r'(\d{1,3}(?:\.\d{1,3}){3})')[0].fillna('0.0.0.0')

# Port cleanup: convert to int, replace 0 with -1
for port in ['source_port', 'dest_port']:
    if port in df.columns:
        df[port] = pd.to_numeric(df[port], errors='coerce').fillna(0).astype(int)
        df[port] = df[port].replace(0, -1)

# Clean bytes sent/received
for col in ['bytes_sent', 'bytes_received']:
    if col in df.columns:
        df[col] = pd.to_numeric(df[col], errors='coerce').fillna(0).astype(int)

# Normalize categorical fields
cat_fields = ['action', 'severity', 'verdict', 'log_type', 'category', 'protocol']
for col in cat_fields:
    if col in df.columns:
        df[col] = df[col].replace({'none': np.nan, 'na': np.nan, 'null': np.nan}).fillna('unknown')

# Fill general missing values with defaults
df.fillna({
    'user': 'unknown',
    'app': 'unknown',
    'rule_name': 'unknown',
    'host': 'unknown',
    'workstation': 'unknown',
    'privilege': 'unknown',
    'event': 'unknown',
    'status': 'unknown',
    'alert': 'none',
    'machine': 'unknown',
    'os': 'unknown',
    'domain': 'unknown',
    'location': 'unknown',
    'reason': 'unspecified',
    'accessmask': 'unknown',
}, inplace=True)

# Fill specific content/logging fields
text_fill = {
    'url': 'unknown_url',
    'user_agent': 'unknown_agent',
    'fileaccessed': 'none',
    'message': 'no_message',
}
for col, default in text_fill.items():
    if col in df.columns:
        df[col] = df[col].fillna(default).replace('nan', default).replace('', default)

# Reorder columns for readability
preferred_order = [
    'timestamp', 'eventid', 'threat_id', 'user', 'severity', 'log_type',
    'source_ip', 'source_port', 'dest_ip', 'dest_port', 'client_ip', 'dest_domain',
    'protocol', 'action', 'verdict', 'category', 'app', 'rule_name',
    'bytes_sent', 'bytes_received', 'url', 'method', 'user_agent',
    'description', 'fileaccessed', 'host', 'workstation', 'privilege',
    'object', 'accessmask', 'target', 'status', 'reason',
    'process', 'parentprocess', 'alert', 'machine', 'os', 'event', 'file',
    'facility', 'code', 'message', 'details', 'resource', 'location', 'domain'
]
existing = [col for col in preferred_order if col in df.columns]
extra = [col for col in df.columns if col not in existing]
df = df[existing + extra]

# Remove duplicates
df.drop_duplicates(inplace=True)

# Save to CSV
df.to_csv("final_logs_cleaned_and_organized.csv", index=False)
print("✅ Cleaned and organized log saved as 'final_logs_cleaned_and_organized.csv'")


✅ Cleaned and organized log saved as 'final_logs_cleaned_and_organized.csv'
