Log Watcher Lite is a Python-based mini SOC tool that scans system authentication logs (auth.log) for signs of suspicious activity like failed logins, brute force attempts, and logins from blacklisted IP addresses.
This project simulates the early steps of log analysis, often performed in real-world Security Operations Centers (SOCs), and is built to reinforce key cybersecurity analyst skills.
- Detects:
  - Multiple failed SSH login attempts
  - Logins from blacklisted IPs
  - Privilege escalation via sudo
  - Brute-force attacks (3+ failed logins from the same IP)
- Outputs alerts in a structured .csv file
- Clean and customizable Python code
```
|----- logs/
|      |----- sample_auth.log
|----- blacklist.txt
|----- parser.py
|----- alerts.csv (generated)
|----- README.md
```
- Clone the repository: `git clone https://github.com/black-asuna/log-watcher-lite.git`
- Run the script: `python parser.py`
- View alerts.csv for the detection output.
When the script is run on the included log file, the tool generates this alert summary:
| Event Type | Source IP |
|---|---|
| Failed Login | 192.168.1.4 |
| Failed Login | 192.168.1.4 |
| Failed Login | 192.168.1.4 |
| Failed Login | 45.67.89.123 |
| Privilege Escalation | N/A |
| Brute Force Suspected | 192.168.1.4 |
The output is saved as alerts.csv and can be opened in any spreadsheet program or parsed by other automation tools.
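The detection logic described above (failed SSH logins, logins from blacklisted IPs, sudo privilege escalation, and the 3+ failed-login brute-force threshold), written out as an added, self-contained example rather than the project's own parser.py. The log lines, the blacklist entry, the regexes and the "Blacklisted IP Login" label are constructed for this example.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample auth.log lines (not the project's sample_auth.log).
SAMPLE_LOG = """\
Jan 10 10:01:02 host sshd[1001]: Failed password for root from 192.168.1.4 port 50111 ssh2
Jan 10 10:01:05 host sshd[1002]: Failed password for invalid user admin from 192.168.1.4 port 50112 ssh2
Jan 10 10:01:09 host sshd[1003]: Failed password for root from 192.168.1.4 port 50113 ssh2
Jan 10 10:02:00 host sshd[1004]: Failed password for bob from 45.67.89.123 port 41000 ssh2
Jan 10 10:03:10 host sshd[1005]: Accepted password for alice from 10.0.0.9 port 52000 ssh2
Jan 10 10:04:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""
BLACKLIST = {"10.0.0.9"}  # constructed; the project reads its list from blacklist.txt
BRUTE_FORCE_THRESHOLD = 3  # README: 3+ failed logins from the same IP

FAILED_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (\d+\.\d+\.\d+\.\d+)")
SUDO_RE = re.compile(r"sudo:\s+\S+ : .*COMMAND=")

def analyze(log_text, blacklist, threshold=BRUTE_FORCE_THRESHOLD):
    """Return alert rows as (event_type, source_ip) tuples, in detection order."""
    alerts = []
    failed_by_ip = Counter()
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            ip = m.group(1)
            failed_by_ip[ip] += 1
            alerts.append(("Failed Login", ip))
        elif m := ACCEPTED_RE.search(line):
            ip = m.group(1)
            if ip in blacklist:  # only successful logins from listed IPs are flagged here
                alerts.append(("Blacklisted IP Login", ip))
        elif SUDO_RE.search(line):
            alerts.append(("Privilege Escalation", "N/A"))
    # Summarise after the pass so each offending source is flagged once, not per failure.
    for ip, count in failed_by_ip.items():
        if count >= threshold:
            alerts.append(("Brute Force Suspected", ip))
    return alerts

def write_alerts_csv(alerts):
    """Render alerts in the two-column CSV layout shown in the table above."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Event Type", "Source IP"])
    writer.writerows(alerts)
    return buf.getvalue()
```

Calling `write_alerts_csv(analyze(SAMPLE_LOG, BLACKLIST))` yields three Failed Login rows for 192.168.1.4, one for 45.67.89.123, one Blacklisted IP Login, one Privilege Escalation, and a single Brute Force Suspected row for 192.168.1.4.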
This project was created to demonstrate:
- Log parsing and pattern detection
- API-free cybersecurity scripting
- Realistic simulation of SOC alerting logic
- Command line automation and output handling
Soeli Llinas
Aspiring Cybersecurity Analyst | Python & Threat Intelligence Enthusiast | Gurabo, PR
- Detect brute-force attempts by IP over time
- Flag privilege escalation from unusual accounts
- Extend support for real-time log monitoring
MIT License