From 1a06eeb601491dc0ecec38bbdbb061239f03c169 Mon Sep 17 00:00:00 2001
From: AJ Isaacs
Date: Mon, 9 Feb 2026 21:07:59 -0500
Subject: [PATCH] Only log high/critical findings to abuse log for fail2ban

Previously all LLM-flagged findings were written to the abuse log, causing fail2ban to potentially ban IPs for low-severity activity. Now only high and critical severity findings trigger abuse logging.

Co-Authored-By: Claude Opus 4.6
---
 web-log-monitor.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web-log-monitor.py b/web-log-monitor.py
index c30bc15..a45d3de 100644
--- a/web-log-monitor.py
+++ b/web-log-monitor.py
@@ -619,7 +619,8 @@ def process_batch(logs, args):
 )
 except Exception as e:
 print(f" Failed to record LLM finding to DB: {e}")
- log_abuse(ip, f.get("type", "unknown"))
+ if f.get("severity") in ("high", "critical"):
+ log_abuse(ip, f.get("type", "unknown"))
 all_findings.extend(findings)
 print(f" LLM found suspicious activity: {result.get('summary')}")
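Review bot: The new gate `f.get("severity") in ("high", "critical")` is an exact, case-sensitive match on a value that appears to come from the LLM's response, so `"High"`, `"CRITICAL"`, a padded string or a missing key all silently skip `log_abuse` and fail2ban never sees the IP. Normalise before comparing, e.g. `sev = str(f.get("severity") or "").strip().lower()` followed by `if sev in ("high", "critical"):`, and consider printing a line when the severity is not one of the expected labels, so that a change in the model's output format shows up instead of quietly disabling bans. Since the model is presumably classifying attacker-supplied request text, the ban decision now rests on a label that input can influence; a deterministic floor (always logging the finding types you treat as unambiguous, regardless of the reported severity) would be worth considering. process_batch starts and ends outside the hunk, so whether severity is validated earlier cannot be seen here.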