## 1. Count Requests per IP Address:

In [7]:
from collections import Counter

# Path to the log file
file_path = r"C:\Users\DELL\Downloads\online_game\sample.log"

# Parse the log file and extract IP addresses
ip_addresses = []
with open(file_path, 'r') as file:
    for line in file:
        if line.strip():  # Ignore empty lines
            ip_address = line.split()[0]  # IP address is the first element in the log
            ip_addresses.append(ip_address)

# Count requests per IP address
ip_count = Counter(ip_addresses)

# Sort by request count in descending order
sorted_ip_count = sorted(ip_count.items(), key=lambda x: x[1], reverse=True)

# Display the results
print(f"{'IP Address':<20}{'Request Count':<15}")
print("-" * 35)
for ip, count in sorted_ip_count:
    print(f"{ip:<20}{count:<15}")


IP Address          Request Count  
-----------------------------------
203.0.113.5         8              
198.51.100.23       8              
192.168.1.1         7              
10.0.0.2            6              
192.168.1.100       5              


1. The count of requests given to each IP address is 
- IP Address   ----       Request Count  
- 203.0.113.5    ----     8              
- 198.51.100.23  ----    8              
- 192.168.1.1   -----    7  

## 2. Identify the Most Frequently Accessed Endpoint:

In [9]:
from collections import Counter
import re

# Path to the log file
file_path = r"C:\Users\DELL\Downloads\online_game\sample.log"

# Parse the log file and extract endpoints
endpoints = []
with open(file_path, 'r') as file:
    for line in file:
        if line.strip():  # Ignore empty lines
            match = re.search(r'\"[A-Z]+\s(/[^ ]*)\sHTTP/1\.[01]\"', line)
            if match:
                endpoints.append(match.group(1))

# Count requests per endpoint
endpoint_count = Counter(endpoints)

# Find the most frequently accessed endpoint
most_frequent_endpoint = endpoint_count.most_common(1)[0]

# Display the result
print("Most Frequently Accessed Endpoint:")
print(f"{most_frequent_endpoint[0]} (Accessed {most_frequent_endpoint[1]} times)")


Most Frequently Accessed Endpoint:
/login (Accessed 13 times)


2. The Most Frequently Accessed Endpoint from the sample is:
- /login (Accessed is 13 times)

## 3. Detect Suspicious Activity:

In [2]:
from collections import Counter

# Path to the log file
file_path = r"C:\Users\DELL\Downloads\online_game\sample.log"

# Configurable threshold for failed login attempts
threshold = 10

# Extract IP addresses for failed login attempts (status code 401 or failure message)
failed_logins = []
with open(file_path, 'r') as file:
    for line in file:
        if line.strip():  # Ignore empty lines
            parts = line.split('"')  # Split by quotes to isolate the request part
            if len(parts) > 2:  # Ensure log line has enough parts
                ip_address = line.split()[0]  # Extract IP address
                status_code = line.split()[-2]  # Extract status code
                if status_code == "401" or "Invalid credentials" in line:
                    failed_logins.append(ip_address)

# Count failed login attempts per IP address
failed_login_count = Counter(failed_logins)

# Filter IPs exceeding the threshold
suspicious_ips = {ip: count for ip, count in failed_login_count.items() if count > threshold}

# Display the results
if suspicious_ips:
    print("Suspicious Activity Detected:")
    print(f"{'IP Address':<20}{'Failed Login Attempts':<20}")
    print("-" * 40)
    for ip, count in suspicious_ips.items():
        print(f"{ip:<20}{count:<20}")
else:
    print("No suspicious activity detected.")


No suspicious activity detected.


- The script found no suspicious IP addresses exceeding the threshold of 10 failed login attempts.

- This means there were no IP addresses in the log file with more than 10 failed login attempts (401 status code or "Invalid credentials" messages)

## 4. Output Results:

In [10]:
import csv
from collections import Counter

# Path to the log file
file_path = r"C:\Users\DELL\Downloads\online_game\sample.log"

# Configurable threshold for suspicious activity
threshold = 5 # default

# Analyze requests per IP address
ip_addresses = []
endpoints = []
failed_logins = []

with open(file_path, 'r') as file:
    for line in file:
        if line.strip():  # Ignore empty lines
            parts = line.split('"')  # Split by quotes to isolate the request part
            ip_address = line.split()[0]  # IP address is the first part of the log
            ip_addresses.append(ip_address)

            # Extract endpoints
            if len(parts) > 1:
                request = parts[1].split()
                if len(request) > 1:
                    endpoints.append(request[1])

            # Identify failed logins (401 or invalid credentials)
            if len(parts) > 2:
                status_code = line.split()[-2]  # HTTP status code
                if status_code == "401" or "Invalid credentials" in line:
                    failed_logins.append(ip_address)

# Count occurrences
ip_count = Counter(ip_addresses)
endpoint_count = Counter(endpoints)
failed_login_count = Counter(failed_logins)

# Most accessed endpoint
most_frequent_endpoint, access_count = endpoint_count.most_common(1)[0]

# Filter suspicious IPs
suspicious_ips = {ip: count for ip, count in failed_login_count.items() if count > threshold}

# Display results in terminal
print("\nRequests per IP Address:")
print(f"{'IP Address':<20}{'Request Count':<15}")
print("-" * 35)
for ip, count in ip_count.items():
    print(f"{ip:<20}{count:<15}")

print("\nMost Frequently Accessed Endpoint:")
print(f"{most_frequent_endpoint} (Accessed {access_count} times)")

print("\nSuspicious Activity Detected:")
print(f"{'IP Address':<20}{'Failed Login Attempts':<20}")
print("-" * 40)
for ip, count in suspicious_ips.items():
    print(f"{ip:<20}{count:<20}")

# Save results to CSV
csv_file = r"C:\Users\DELL\Downloads\online_game\log_analysis_results.csv"

with open(csv_file, 'w', newline='') as file:
    writer = csv.writer(file)

    # Write requests per IP
    writer.writerow(["Requests per IP"])
    writer.writerow(["IP Address", "Request Count"])
    for ip, count in ip_count.items():
        writer.writerow([ip, count])

    writer.writerow([])  # Blank row for separation

    # Write most accessed endpoint
    writer.writerow(["Most Accessed Endpoint"])
    writer.writerow(["Endpoint", "Access Count"])
    writer.writerow([most_frequent_endpoint, access_count])

    writer.writerow([])  # Blank row for separation

    # Write suspicious activity
    writer.writerow(["Suspicious Activity"])
    writer.writerow(["IP Address", "Failed Login Count"])
    for ip, count in suspicious_ips.items():
        writer.writerow([ip, count])

print(f"\nResults saved to {csv_file}")



Requests per IP Address:
IP Address          Request Count  
-----------------------------------
192.168.1.1         7              
203.0.113.5         8              
10.0.0.2            6              
198.51.100.23       8              
192.168.1.100       5              

Most Frequently Accessed Endpoint:
/login (Accessed 13 times)

Suspicious Activity Detected:
IP Address          Failed Login Attempts
----------------------------------------
203.0.113.5         8                   

Results saved to C:\Users\DELL\Downloads\online_game\log_analysis_results.csv


- Results saved in log_analysis_results.csv containing:
- IP addresses and their request counts.
- Most accessed endpoint with its count.
- Suspicious IPs with failed login counts.