Replace config.py with .env for Docker-standard configuration
Config was a Python file baked into the image or bind-mounted, requiring a rebuild or manual file management for any settings change. Now uses env_file in docker-compose with os.environ.get() calls, so config changes only need a container restart.

Also filters Gitea traffic from LLM analysis to prevent false-positive reconnaissance alerts on normal repository browsing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
README.md (new file, +98 lines)
@@ -0,0 +1,98 @@
# Web Log Security Monitor
Analyzes Traefik access logs using a local LLM (llama.cpp) and sends alerts via Gotify when suspicious activity is detected.
## Docker Setup (Recommended)
Run alongside Traefik on barge.lan:
1. Copy the project to barge:
```bash
scp -r . barge.lan:/mnt/docker/web-log-monitor/
```
2. Create config from Docker template:
```bash
ssh barge.lan
cd /mnt/docker/web-log-monitor
cp config.docker.py config.py
nano config.py # Add your GOTIFY_TOKEN
```
3. Start the container:
```bash
docker compose up -d
```
4. View logs:
```bash
docker logs -f web-log-monitor
```
## Standalone Setup
For running on athena.lan (via SSH to barge):
1. Copy the config file and add your Gotify token:
```bash
cp config.example.py config.py
nano config.py # Add your GOTIFY_TOKEN
```
2. Test manually:
```bash
python3 web-log-monitor.py --verbose --dry-run
```
3. Add to cron (hourly):
```bash
crontab -e
# Add: 0 * * * * cd /path/to/web-log-monitor && python3 web-log-monitor.py
```
## Configuration
Edit `config.py`:
| Setting | Description |
|---------|-------------|
| `LLAMA_URL` | llama.cpp server endpoint |
| `MODEL` | Model name to use |
| `GOTIFY_URL` | Gotify server URL |
| `GOTIFY_TOKEN` | Gotify app token |
| `LOG_MODE` | `"local"` or `"ssh"` |
| `LOG_PATH` | Path to access.log |
| `BARGE_HOST` | SSH host (only for ssh mode) |
| `STATE_DIR` | Directory for state file |
| `BATCH_SIZE` | Lines per LLM call |
| `MAX_LINES_PER_RUN` | Max lines per execution |
## Command Line Options
```
python3 web-log-monitor.py [OPTIONS]
-v, --verbose Show detailed log statistics
--dry-run Analyze without sending alerts or updating state
```
## How It Works
1. Reads new logs (local file or via SSH)
2. Checks for obvious attack patterns (immediate alerts)
3. Filters noise (health checks, static assets)
4. Sends remaining logs to LLM for analysis
5. Consolidates findings and alerts via Gotify
## Files
```
├── Dockerfile
├── docker-compose.yml
├── config.py # Your config (gitignored)
├── config.example.py # Template for standalone
├── config.docker.py # Template for Docker
├── requirements.txt
├── web-log-monitor.py
└── systemd/ # Optional systemd units
```
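Review bot: the README added in this hunk documents the config.py workflow that the commit message says is being removed, so the documentation contradicts the change it ships with. Step 2 of "Docker Setup" runs `cp config.docker.py config.py` and `nano config.py # Add your GOTIFY_TOKEN`, the "Configuration" section opens with "Edit `config.py`:", and the "Files" tree lists `config.py`, `config.example.py` and `config.docker.py`, while nothing on the page mentions `.env` or the `env_file` entry in docker-compose. Suggest rewriting step 2 and the Configuration intro around the `.env` file and `env_file` mechanism the commit message describes, marking `.env` rather than `config.py` as the gitignored file, since it now carries GOTIFY_TOKEN, and dropping `config.docker.py` from the tree if that template no longer exists. The "How It Works" list also omits the Gitea filtering the commit message adds; step 3 ("Filters noise (health checks, static assets)") is the natural place to state it, so an operator knows why repository browsing never reaches the LLM and why it will not raise reconnaissance alerts.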