aj/web-log-monitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e3ee9fc1936b9f346d42b0ffa72f1e9e8855014c
web-log-monitor/README.md
T
aj e3ee9fc193 Replace config.py with .env for Docker-standard configuration 
Config was a Python file baked into the image or bind-mounted, requiring
a rebuild or manual file management for any settings change. Now uses
env_file in docker-compose with os.environ.get() calls, so config
changes only need a container restart. Also filters Gitea traffic from
LLM analysis to prevent false positive reconnaissance alerts on normal
repository browsing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 19:29:09 -05:00

99 lines
2.3 KiB
Markdown
Raw Blame History

# Web Log Security Monitor
Analyzes Traefik access logs using a local LLM (llama.cpp) and sends alerts via Gotify when suspicious activity is detected.
## Docker Setup (Recommended)
Run alongside Traefik on barge.lan:
1. Copy the project to barge:
```bash
scp -r . barge.lan:/mnt/docker/web-log-monitor/
```
2. Create config from Docker template:
```bash
ssh barge.lan
cd /mnt/docker/web-log-monitor
cp config.docker.py config.py
nano config.py # Add your GOTIFY_TOKEN
```
3. Start the container:
```bash
docker compose up -d
```
4. View logs:
```bash
docker logs -f web-log-monitor
```
## Standalone Setup
For running on athena.lan (via SSH to barge):
1. Copy the config file and add your Gotify token:
```bash
cp config.example.py config.py
nano config.py # Add your GOTIFY_TOKEN
```
2. Test manually:
```bash
python3 web-log-monitor.py --verbose --dry-run
```
3. Add to cron (hourly):
```bash
crontab -e
# Add: 0 * * * * cd /path/to/web-log-monitor && python3 web-log-monitor.py
```
## Configuration
Edit `config.py`:
| Setting | Description |
|---------|-------------|
| `LLAMA_URL` | llama.cpp server endpoint |
| `MODEL` | Model name to use |
| `GOTIFY_URL` | Gotify server URL |
| `GOTIFY_TOKEN` | Gotify app token |
| `LOG_MODE` | `"local"` or `"ssh"` |
| `LOG_PATH` | Path to access.log |
| `BARGE_HOST` | SSH host (only for ssh mode) |
| `STATE_DIR` | Directory for state file |
| `BATCH_SIZE` | Lines per LLM call |
| `MAX_LINES_PER_RUN` | Max lines per execution |
## Command Line Options
```
python3 web-log-monitor.py [OPTIONS]
-v, --verbose Show detailed log statistics
--dry-run Analyze without sending alerts or updating state
```
## How It Works
1. Reads new logs (local file or via SSH)
2. Checks for obvious attack patterns (immediate alerts)
3. Filters noise (health checks, static assets)
4. Sends remaining logs to LLM for analysis
5. Consolidates findings and alerts via Gotify
## Files
```
├── Dockerfile
├── docker-compose.yml
├── config.py # Your config (gitignored)
├── config.example.py # Template for standalone
├── config.docker.py # Template for Docker
├── requirements.txt
├── web-log-monitor.py
└── systemd/ # Optional systemd units
```
Reference in New Issue View Git Blame Copy Permalink