LOG ANALYSIS & FORENSICS

Lesson 3 of 5
~7 hrs
WARMUP: Find the Anomaly

Below is a sample server log. One entry is suspicious — can you spot it?

192.168.1.10 - - [12/Jun/2026:10:15:30] "GET /index.html" 200
192.168.1.10 - - [12/Jun/2026:10:16:02] "GET /about.html" 200
192.168.1.10 - - [12/Jun/2026:10:16:45] "GET /admin" 403
10.0.0.5 - - [12/Jun/2026:10:17:01] "GET /admin" 200
192.168.1.10 - - [12/Jun/2026:10:18:12] "GET /contact.html" 200

What's wrong? Why did the request from 10.0.0.5 get a 200 when the previous admin request got a 403?

CORE CONCEPTS

Logs are records of events that happen on a system. Every time you visit a website, download a file, or log in, an entry is probably written somewhere.

# Common log types:
# Apache/NGINX: web server requests
# auth.log: login attempts
# syslog: system events
# firewall: blocked/allowed traffic

Apache logs follow a standard format. Each line contains: IP, timestamp, request method, path, status code, and size.

# Format: IP - - [Date] "Method Path Protocol" Status Size
192.168.1.15 - - [12/Jun/2026:14:23:10] "POST /login.php" 302 -
192.168.1.15 - - [12/Jun/2026:14:23:11] "GET /dashboard.php" 200 4521
10.0.0.99 - - [12/Jun/2026:14:23:15] "POST /login.php" 401 -
10.0.0.99 - - [12/Jun/2026:14:23:16] "POST /login.php" 401 -
10.0.0.99 - - [12/Jun/2026:14:23:17] "POST /login.php" 200 -

Notice the pattern: repeated 401s from 10.0.0.99, then suddenly a 200. Classic brute-force sign!

Security analysts look for patterns like repeated failed logins, strange IPs, or unexpected status codes.

# Python log analysis snippet
def find_suspicious(log_lines):
    failed = {}                            # IP -> number of 401 responses seen
    for line in log_lines:
        parts = line.split('"')            # [prefix, request, ' status size']
        if len(parts) < 3 or not parts[2].split():
            continue                       # skip lines that are not in the expected format
        status = parts[2].split()[0]       # the status code is the first token after the request
        if status == "401":                # test the status field, not any "401" substring in the line
            ip = line.split()[0]
            failed[ip] = failed.get(ip, 0) + 1
    return {ip: c for ip, c in failed.items() if c > 5}

MINI CHALLENGE: Find the Hacker in the Log

Examine the log below and identify the attacker's IP address. Look for patterns!

10.0.0.1 - - [12/Jun/2026:09:00:01] "GET /" 200
10.0.0.2 - - [12/Jun/2026:09:00:05] "GET /index.html" 200
10.0.0.99 - - [12/Jun/2026:09:00:10] "GET /wp-admin" 404
10.0.0.99 - - [12/Jun/2026:09:00:11] "GET /wp-login" 404
10.0.0.99 - - [12/Jun/2026:09:00:12] "GET /admin" 403
10.0.0.99 - - [12/Jun/2026:09:00:13] "GET /backup.sql" 200
10.0.0.1 - - [12/Jun/2026:09:01:00] "GET /contact.html" 200

Question: What vulnerability did the attacker exploit? How could the admin have protected the backup.sql file?

MAIN PROJECT: Log Attack Pattern Detector

Write a script, in Python (real code or pseudocode), that reads a log file and identifies attack patterns: brute-force logins, directory scanning, and suspicious IPs.

1. Read the log file line by line
2. Count failed logins per IP (status 401)
3. Flag IPs hitting many different paths
4. Generate a summary report of threats
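Here is one way to carry out the four steps above as working Python. It is an added example, not part of the lesson: the regex, the constructed sample log (modelled on the lesson's logs, plus one malformed line to show the parser skipping it) and the thresholds of 3 are assumptions for the demo, and "directory scanning" is read here as an IP that draws 4xx responses on several different paths.

```python
import re
# Regex for the log format used in this lesson; the size field may be "-" or missing.
LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3})(?: (?P<size>\S+))?$')
FAILED_LOGIN_THRESHOLD = 3  # 401s from one IP before flagging brute force (assumed tuning value)
SCAN_THRESHOLD = 3          # distinct paths drawing a 4xx before flagging scanning (assumed)

# Constructed sample log modelled on the lesson's examples, with one deliberately malformed line.
SAMPLE_LOG = """\
10.0.0.99 - - [12/Jun/2026:09:01:00] "POST /login.php HTTP/1.1" 401 -
10.0.0.99 - - [12/Jun/2026:09:01:01] "POST /login.php HTTP/1.1" 401 -
10.0.0.99 - - [12/Jun/2026:09:01:02] "POST /login.php HTTP/1.1" 401 -
10.0.0.99 - - [12/Jun/2026:09:01:03] "POST /login.php HTTP/1.1" 200 -
10.0.0.7 - - [12/Jun/2026:09:02:10] "GET /wp-admin HTTP/1.1" 404 -
10.0.0.7 - - [12/Jun/2026:09:02:11] "GET /wp-login HTTP/1.1" 404 -
10.0.0.7 - - [12/Jun/2026:09:02:12] "GET /admin HTTP/1.1" 403 -
10.0.0.7 - - [12/Jun/2026:09:02:13] "GET /backup.sql HTTP/1.1" 200 90112
this line is not a log entry
192.168.1.10 - - [12/Jun/2026:09:03:00] "GET /contact.html HTTP/1.1" 200 512
"""

def parse_line(line):
    # Returns the fields as a dict, or None when the line does not match the format.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    # Steps 1-3: one pass over the lines, counting 401s and 4xx-probed paths per IP.
    failed = {}   # ip -> number of 401 responses
    probed = {}   # ip -> set of distinct paths that drew a 4xx response
    for rec in filter(None, map(parse_line, lines)):   # malformed lines are dropped, not fatal
        if rec["status"] == "401":
            failed[rec["ip"]] = failed.get(rec["ip"], 0) + 1
        if rec["status"].startswith("4"):
            probed.setdefault(rec["ip"], set()).add(rec["path"])
    brute_force = {ip: n for ip, n in failed.items() if n >= FAILED_LOGIN_THRESHOLD}
    scanners = {ip: sorted(p) for ip, p in probed.items() if len(p) >= SCAN_THRESHOLD}
    return {"brute_force": brute_force, "scanners": scanners,
            "suspicious_ips": sorted(set(brute_force) | set(scanners))}

def report(findings):
    # Step 4: plain-text summary of the threats found.
    out = ["THREAT SUMMARY"]
    out += [f"brute force : {ip} ({n} failed logins)" for ip, n in findings["brute_force"].items()]
    out += [f"dir scanning: {ip} probed {', '.join(p)}" for ip, p in findings["scanners"].items()]
    out.append("suspicious IPs: " + (", ".join(findings["suspicious_ips"]) or "none"))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG.splitlines())))
```

Note that a normal visitor who browses many pages with 200 responses is not flagged; only paths that came back 4xx count toward the scanning threshold.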

QUIZ: Log Analysis

Check your forensic investigation skills.

1. What HTTP status code means "Not Found"?

200
404
403

2. A single IP making many 401 requests suggests what?

Normal user browsing
Brute force login attempt
Server maintenance

3. What should you NEVER expose in a public web directory?

index.html
style.css
backup.sql