web-log-monitor/README.md
AJ Isaacs e3ee9fc193 Replace config.py with .env for Docker-standard configuration
Config was a Python file baked into the image or bind-mounted, requiring
a rebuild or manual file management for any settings change. Now uses
env_file in docker-compose with os.environ.get() calls, so config
changes only need a container restart. Also filters Gitea traffic from
LLM analysis to prevent false positive reconnaissance alerts on normal
repository browsing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 19:29:09 -05:00

Web Log Security Monitor

Analyzes Traefik access logs using a local LLM (llama.cpp) and sends alerts via Gotify when suspicious activity is detected.

Run alongside Traefik on barge.lan:

  1. Copy the project to barge:

    scp -r . barge.lan:/mnt/docker/web-log-monitor/

  2. Create config from Docker template:

    ssh barge.lan
    cd /mnt/docker/web-log-monitor
    cp config.docker.py config.py
    nano config.py  # Add your GOTIFY_TOKEN

  3. Start the container:

    docker compose up -d

  4. View logs:

    docker logs -f web-log-monitor


Standalone Setup

For running on athena.lan (via SSH to barge):

  1. Copy the config file and add your Gotify token:

    cp config.example.py config.py
    nano config.py  # Add your GOTIFY_TOKEN

  2. Test manually:

    python3 web-log-monitor.py --verbose --dry-run

  3. Add to cron (hourly):

    crontab -e
    # Add: 0 * * * * cd /path/to/web-log-monitor && python3 web-log-monitor.py


Configuration

Edit config.py:

Setting             Description
LLAMA_URL           llama.cpp server endpoint
MODEL               Model name to use
GOTIFY_URL          Gotify server URL
GOTIFY_TOKEN        Gotify app token
LOG_MODE            "local" or "ssh"
LOG_PATH            Path to access.log
BARGE_HOST          SSH host (only for ssh mode)
STATE_DIR           Directory for state file
BATCH_SIZE          Lines per LLM call
MAX_LINES_PER_RUN   Max lines per execution

Command Line Options

python3 web-log-monitor.py [OPTIONS]

  -v, --verbose  Show detailed log statistics
  --dry-run      Analyze without sending alerts or updating state

How It Works

  1. Reads new logs (local file or via SSH)
  2. Checks for obvious attack patterns (immediate alerts)
  3. Filters noise (health checks, static assets)
  4. Sends remaining logs to LLM for analysis
  5. Consolidates findings and alerts via Gotify
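The following is an added example of the five stages above, not code from web-log-monitor.py itself. It parses Traefik Common Log Format lines, flags obvious probes before any LLM call, drops health-check and static-asset noise, batches what remains using a BATCH_SIZE read with os.environ.get, and tracks a read offset the way a state file would. The sample log lines, the noise rules, the "obvious attack" patterns and the environment-variable default are all constructed for illustration; the project's real rules are not shown on this page.

```python
"""Added example (not the project's code): a miniature of the pipeline under
"How It Works". Sample Traefik CLF log lines, noise rules and the "obvious
attack" patterns are constructed for illustration only."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Settings from the environment (os.environ.get), defaulted so this runs offline.
BATCH_SIZE = int(os.environ.get("BATCH_SIZE", "50"))

# Constructed sample log in Traefik's Common Log Format:
# ip - user [ts] "method path proto" status size "referer" "ua" n "router" "service" Nms
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2026:19:00:01 -0500] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.28" 1 "web@docker" "http://10.0.0.20:8080" 1ms
203.0.113.7 - - [08/Feb/2026:19:00:02 -0500] "GET /static/app.css HTTP/2.0" 200 5120 "-" "Mozilla/5.0" 2 "web@docker" "http://10.0.0.20:8080" 3ms
203.0.113.7 - - [08/Feb/2026:19:00:03 -0500] "GET /.env HTTP/1.1" 404 19 "-" "python-requests/2.31" 3 "web@docker" "http://10.0.0.20:8080" 1ms
198.51.100.9 - - [08/Feb/2026:19:00:04 -0500] "GET /search?q=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 0 "-" "curl/8.4" 4 "web@docker" "http://10.0.0.20:8080" 1ms
198.51.100.9 - - [08/Feb/2026:19:00:05 -0500] "POST /api/login HTTP/1.1" 401 48 "-" "Mozilla/5.0" 5 "web@docker" "http://10.0.0.20:8080" 12ms
192.0.2.3 - - [08/Feb/2026:19:00:06 -0500] "GET /blog/hello HTTP/1.1" 200 8123 "-" "Mozilla/5.0" 6 "web@docker" "http://10.0.0.20:8080" 9ms
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" \d+ "(?P<router>[^"]*)" "(?P<service>[^"]*)" (?P<ms>\d+)ms$'
)


@dataclass
class Entry:
    ip: str
    method: str
    path: str
    status: int
    ua: str
    raw: str


def parse_line(line: str) -> Entry | None:
    m = CLF_RE.match(line)
    if not m:
        return None
    return Entry(m["ip"], m["method"], m["path"], int(m["status"]), m["ua"], line)


# Step 3 rules (constructed): probes and static assets are not worth LLM time.
HEALTH_PATHS = {"/health", "/healthz", "/ping"}
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".svg", ".ico", ".woff2")


def is_noise(e: Entry) -> bool:
    path = e.path.split("?", 1)[0]
    return path in HEALTH_PATHS or path.startswith("/static/") or path.endswith(STATIC_EXT)


# Step 2 rules (constructed): patterns that warrant an immediate alert.
SENSITIVE_FILES = {"/.env", "/.git/config", "/wp-login.php"}


def obvious_attack(e: Entry) -> str | None:
    decoded = unquote(unquote(e.path))  # decode twice so double-encoded traversal is caught
    path = decoded.split("?", 1)[0].lower()
    if "../" in decoded or "..\\" in decoded:
        return "path traversal"
    if path in SENSITIVE_FILES:
        return "sensitive file probe"
    return None


def read_new_lines(log_text: str, offset: int) -> tuple[list[str], int]:
    """Step 1: return only complete lines appended since `offset` (what the state file stores)."""
    new = log_text[offset:]
    end = new.rfind("\n")
    if end == -1:
        return [], offset  # a partial trailing line is left for the next run
    complete = new[: end + 1]
    return complete.splitlines(), offset + len(complete)


def process(log_text: str, offset: int, batch_size: int = BATCH_SIZE) -> dict:
    lines, new_offset = read_new_lines(log_text, offset)
    immediate, for_llm, noise, unparsed = [], [], 0, 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1  # never silently drop lines the parser cannot read
            continue
        reason = obvious_attack(e)
        if reason:
            immediate.append((reason, e))  # step 2: alert without waiting for the LLM
            continue
        if is_noise(e):
            noise += 1  # step 3
            continue
        for_llm.append(e)  # step 4: queued for the model
    batches = [for_llm[i:i + batch_size] for i in range(0, len(for_llm), batch_size)]
    return {"immediate": immediate, "batches": batches, "noise": noise,
            "unparsed": unparsed, "offset": new_offset}


if __name__ == "__main__":
    r = process(SAMPLE_LOG, 0)
    print(f"{len(r['immediate'])} immediate, {len(r['batches'])} LLM batch(es), {r['noise']} noise")
```

The traversal sample is percent-encoded on purpose: without the unquote step the "../" check would miss it, which is the kind of normalization gap an LLM-only pipeline also inherits if the raw line is what gets sent.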

Files

├── Dockerfile
├── docker-compose.yml
├── config.py              # Your config (gitignored)
├── config.example.py      # Template for standalone
├── config.docker.py       # Template for Docker
├── requirements.txt
├── web-log-monitor.py
└── systemd/               # Optional systemd units