aj/web-log-monitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3 Commits 1 Branch 0 Tags
b13e69a44f2eb830f766c577f305599380c6e5b1
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
aj b13e69a44f Reduce false positives from legitimate service traffic 
Fix .git/ regex pattern to require leading slash, preventing Gitea
git-protocol URLs from triggering "Sensitive File Probe" alerts.
Add infrastructure context to the LLM system prompt describing
Gitea, Nextcloud, Immich, and Gotify traffic patterns so the
LLM does not flag normal self-hosted service activity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 21:07:37 -05:00
systemd
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
.env.example
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
.gitignore
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
docker-compose.yml
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
Dockerfile
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
README.md
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
requirements.txt
Replace config.py with .env for Docker-standard configuration
2026-02-08 19:29:09 -05:00
threat_db.py
Normalize attack_type to lowercase in record_event
2026-02-09 15:08:20 -05:00
web-log-monitor.py
Reduce false positives from legitimate service traffic
2026-02-09 21:07:37 -05:00

README.md

Web Log Security Monitor

Analyzes Traefik access logs using a local LLM (llama.cpp) and sends alerts via Gotify when suspicious activity is detected.

Docker Setup (Recommended)

Run alongside Traefik on barge.lan:

  1. Copy the project to barge:

    scp -r . barge.lan:/mnt/docker/web-log-monitor/

  2. Create config from Docker template:

    ssh barge.lan
cd /mnt/docker/web-log-monitor
cp config.docker.py config.py
nano config.py  # Add your GOTIFY_TOKEN

  3. Start the container:

    docker compose up -d

  4. View logs:

    docker logs -f web-log-monitor

Standalone Setup

For running on athena.lan (via SSH to barge):

  1. Copy the config file and add your Gotify token:

    cp config.example.py config.py
nano config.py  # Add your GOTIFY_TOKEN

  2. Test manually:

    python3 web-log-monitor.py --verbose --dry-run

  3. Add to cron (hourly):

    crontab -e
# Add: 0 * * * * cd /path/to/web-log-monitor && python3 web-log-monitor.py

Configuration

Edit config.py:

Setting Description
LLAMA_URL llama.cpp server endpoint
MODEL Model name to use
GOTIFY_URL Gotify server URL
GOTIFY_TOKEN Gotify app token
LOG_MODE "local" or "ssh"
LOG_PATH Path to access.log
BARGE_HOST SSH host (only for ssh mode)
STATE_DIR Directory for state file
BATCH_SIZE Lines per LLM call
MAX_LINES_PER_RUN Max lines per execution

Command Line Options

python3 web-log-monitor.py [OPTIONS]

  -v, --verbose  Show detailed log statistics
  --dry-run      Analyze without sending alerts or updating state

How It Works

  1. Reads new logs (local file or via SSH)
  2. Checks for obvious attack patterns (immediate alerts)
  3. Filters noise (health checks, static assets)
  4. Sends remaining logs to LLM for analysis
  5. Consolidates findings and alerts via Gotify

Files

├── Dockerfile
├── docker-compose.yml
├── config.py              # Your config (gitignored)
├── config.example.py      # Template for standalone
├── config.docker.py       # Template for Docker
├── requirements.txt
├── web-log-monitor.py
└── systemd/               # Optional systemd units
Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 64 KiB
Languages
Python 97.4%
Dockerfile 2.6%