How I Built a Log Analysis Tool to Detect Network Anomalies
When I started this project, I wanted to build something that actually does something, not another todo app or weather widget. I'm a third-year CS student at TMU, and I wanted a portfolio project that would make a security engineer say, "Oh, that's interesting."
The result is Log Sentinel, a log analysis dashboard that parses Apache server logs, detects suspicious patterns, scores threats by risk level, and explains every detection in plain English. Here's how I built it:
The Problem with Most Log Analysis Tools
Most tools tell you what was flagged. They show you a table of IPs and error codes. But they don't tell you why it's suspicious or what to do about it. I wanted Log Sentinel to be different.
Every flagged event generates a plain-English explanation like:
"This IP made 40 failed login attempts on /login. Normal users fail 1-2 times at most. This volume strongly suggests an automated brute force attack."
This makes the tool readable by non-technical stakeholders, not just security engineers.
The Detection Logic
I built four rule-based anomaly detectors using Python and pandas:
- Brute force detection: if the same IP makes more than 10 failed login attempts (HTTP 401 on
/login), it gets flagged. Real brute force attacks look exactly like this: hundreds of automated requests hitting the same endpoint. - Directory scanning: attackers use automated tools to probe servers for hidden files like
/.env,/admin,/config.php. Each probe returns a 404. I flag any IP generating more than 10 404 errors. - Server error spikes: repeated 500 errors from the same IP often mean someone is sending malformed requests, possibly attempting injection attacks. I flag IPs causing more than 5 server errors.
- Off-hours traffic: legitimate users are rarely active at 3 am. Any traffic between midnight and 6 am gets flagged as inherently suspicious, regardless of volume.
Each detector returns a pandas DataFrame with the flagged IP, the count that triggered it, and an auto-generated explanation built from the actual numbers.
The Risk Scoring System
Different attack types carry different weights. I assigned base scores based on severity:
- Brute force: 80 points
- Server error spike: 60 points
- Directory scanning: 40 points
- Off-hours traffic: 30 points
If one IP triggers multiple detectors, the scores stack. An IP doing brute force during off-hours gets 110 points, automatically labelled Critical. This makes the dashboard immediately scannable: biggest threats at the top, explained in plain English.
The Technical Stack
The backend is Python and Flask. pandas handles all the log parsing and aggregation; groupby operations make it easy to count events per IP, calculate hourly averages, and flag statistical outliers.
The frontend is a single HTML file with a terminal aesthetic, matrix rain animation, monospace font, and green-on-black colour scheme. I built the timeline chart from scratch using HTML divs instead of Chart.js, which gave me more control over the animations and styling.
The whole thing is deployed on Render (backend) and GitHub Pages (frontend), with a /api/demo endpoint that generates sample attack data so anyone can see it working instantly without uploading a file.
What I'd Build Next
The rule-based detectors work well, but they have fixed thresholds. The next evolution would be replacing them with scikit-learn's Isolation Forest, an unsupervised anomaly detection algorithm that learns what "normal" traffic looks like and flags statistical outliers automatically.
I'd also add an SQLite database to store analysis history, so you can track whether the same IP appears across multiple sessions.
Try It Yourself
The live demo is at atenahfr.github.io/log-sentinel/frontend/index.html - click Load Demo and the full threat report appears instantly. The full source code is on GitHub.
Comments
No comments yet. Start the discussion.