A comprehensive security log analysis platform that combines machine learning, automated parsing, and AI-powered narrative generation for cybersecurity investigations.
## Features

- Automated Log Parsing: CSV, JSON, and Syslog format support with intelligent column mapping
- ML Confidence Scoring: Machine learning models score event risk levels (0.0-1.0)
- Attack Story Synthesis: AI-generated narratives mapped to MITRE ATT&CK framework
- Real-time Processing: Celery-based asynchronous task processing
- Interactive Dashboard: React-based UI with timeline visualizations and event exploration
- Multi-format Reports: Export findings as PDF or CSV
## Table of Contents

- System Requirements
- Quick Start
- Detailed Setup
- Running the Application
- Testing
- API Documentation
- Architecture
- Troubleshooting
## System Requirements

- OS: Linux (Ubuntu 20.04+), macOS, or Windows with WSL2
- Python: 3.9 or higher
- Node.js: 16.x or higher
- npm: 8.x or higher
- PostgreSQL: 13 or higher (optional, SQLite works for development)
- Redis: 6.x or higher (for Celery task queue)
- RAM: 4GB minimum, 8GB recommended
- Storage: 10GB free space
- CPU: 2+ cores
## Quick Start

```shell
# 1. Clone the repository
cd AI_logs_Checking

# 2. Run setup script
chmod +x setup.sh
./setup.sh

# 3. Start services (3 terminals needed)
# Terminal 1: Redis
redis-server

# Terminal 2: Backend + Celery
cd backend
source ../venv/bin/activate
python manage.py runserver &
celery -A config worker --loglevel=info

# Terminal 3: Frontend
cd frontend
npm start
```

Access the application:

- Frontend: http://localhost:3000
- Backend API: http://localhost:8000
- Admin Panel: http://localhost:8000/admin
## Detailed Setup

### Backend: Python environment

```shell
python3 -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate
cd backend
pip install --upgrade pip
pip install -r requirements.txt
```

### Database

Option A: SQLite (development, default). No configuration is needed; `db.sqlite3` is created automatically.

Option B: PostgreSQL (production, recommended):

```shell
# 1. Install PostgreSQL
sudo apt-get install postgresql postgresql-contrib   # Ubuntu/Debian

# 2. Create database
sudo -u postgres psql
```

```sql
CREATE DATABASE forensic_logs;
CREATE USER forensic_user WITH PASSWORD 'your_secure_password';
GRANT ALL PRIVILEGES ON DATABASE forensic_logs TO forensic_user;
\q
```

Then update `backend/config/settings.py`, replacing the `DATABASES` section with:

```python
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'forensic_logs',
        'USER': 'forensic_user',
        'PASSWORD': 'your_secure_password',
        'HOST': 'localhost',
        'PORT': '5432',
    }
}
```

### Migrations and admin user

```shell
python manage.py makemigrations
python manage.py migrate
python manage.py createsuperuser
# Follow prompts to set username, email, and password
```

### Redis

```shell
# Ubuntu/Debian
sudo apt-get install redis-server
sudo systemctl start redis
sudo systemctl enable redis

# macOS
brew install redis
brew services start redis

# Windows (WSL2)
sudo apt-get install redis-server
sudo service redis-server start
```

### Frontend

```shell
cd frontend
# Install dependencies
npm install
# Verify installation
npm list react react-dom
```

Create a `frontend/.env` file:

```
REACT_APP_API_URL=http://localhost:8000
REACT_APP_VERSION=1.0.0
```

## Running the Application

### Development mode

Terminal 1: Redis
```shell
redis-server
```

Terminal 2: Django + Celery

```shell
cd backend
source ../venv/bin/activate
# Start Django development server
python manage.py runserver 0.0.0.0:8000 &
# Start Celery worker
celery -A config worker --loglevel=info --concurrency=4
```

Terminal 3: React Frontend

```shell
cd frontend
BROWSER=none npm start
```

### Production mode

```shell
cd backend
source ../venv/bin/activate
# Install Gunicorn
pip install gunicorn
# Run with Gunicorn
gunicorn config.wsgi:application \
    --bind 0.0.0.0:8000 \
    --workers 4 \
    --timeout 120 \
    --access-logfile - \
    --error-logfile -
```

```shell
cd frontend
# Create optimized production build
npm run build
# Serve using Nginx or Apache
```

## Testing

### Test with the provided CSV file
```shell
cd backend
source ../venv/bin/activate

# Get JWT token and upload botsv3_events.csv
TOKEN=$(curl -s -X POST http://localhost:8000/api/auth/login/ \
    -H "Content-Type: application/json" \
    -d '{"username":"admin","password":"admin"}' | jq -r '.access')

# Upload file
curl -X POST http://localhost:8000/api/evidence/ \
    -H "Authorization: Bearer $TOKEN" \
    -F "file=@../botsv3_events.csv" \
    -F "case=1"
```

Expected results:

- File Size: 33.6 KB (231 events)
- Parse Time: ~5 seconds
- Events Detected: 462 (including duplicates)
- Attack Pattern: Brute force attack from IP 45.142.212.61 (20 failed login attempts)
- Critical Events: 10+
- High Risk Events: 50+

See FINAL_BOTSV3_TEST_REPORT.md for detailed test results.
## Architecture

```
┌──────────────────┐           ┌──────────────────┐           ┌──────────────────┐
│  React Frontend  │──────────▶│  Django Backend  │──────────▶│    PostgreSQL    │
│   (Port 3000)    │  REST API │   (Port 8000)    │    ORM    │     Database     │
└──────────────────┘           └──────────────────┘           └──────────────────┘
                                        │
                                        │ Tasks
                                        ▼
                               ┌──────────────────┐
                               │  Celery Workers  │
                               │   (Async Jobs)   │
                               └──────────────────┘
                                        │
                                        ▼
                               ┌──────────────────┐
                               │   Redis Queue    │
                               └──────────────────┘
```

Processing pipeline:

1. UPLOAD → User uploads CSV/JSON/Syslog files via API
2. PARSE → Auto-detect format and extract events
3. SCORE → ML model scores each event (0.0-1.0)
4. CORRELATE → Group related events by time/user/IP
5. SYNTHESIZE → LLM generates narrative stories
6. REPORT → Generate PDF/CSV reports
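A minimal, runnable version of the PARSE, SCORE and CORRELATE steps, added here as an illustration; it is not the project's own `core/services` code. Format detection by first line, the column names (`timestamp`, `user`, `src_ip`, `message`), the heuristic score weights standing in for the ML model, and the brute-force threshold are all assumptions, and the sample CSV (RFC 5737 documentation addresses) is constructed rather than taken from `botsv3_events.csv`.

```python
import csv, io, json, re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(r"^(?P<timestamp>\S+) (?P<host>\S+) (?P<message>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FAIL_RE = re.compile(r"failed (login|password)", re.I)

def parse(text):
    """PARSE: auto-detect CSV / JSON lines / syslog and normalize each row to an event."""
    lines = text.strip().splitlines()
    if lines[0].lstrip().startswith("{"):            # JSON lines (one object per line)
        rows = [json.loads(line) for line in lines]
    elif "," in lines[0]:                            # CSV (header row required)
        rows = list(csv.DictReader(io.StringIO(text.strip())))
    else:                                            # syslog-style "<ts> <host> <message>"
        rows = [SYSLOG_RE.match(line).groupdict() for line in lines]
    events = []
    for row in rows:
        ts = row.get("timestamp") or row.get("@timestamp")
        if ts is None:                               # the "No events parsed" failure mode
            raise ValueError("no timestamp column/field found")
        msg = row.get("message", "")
        events.append({"ts": datetime.fromisoformat(ts), "user": row.get("user"), "msg": msg,
                       "ip": row.get("src_ip") or next(iter(IP_RE.findall(msg)), None)})
    return events

def score(event):
    """SCORE: heuristic stand-in for the ML model's 0.0-1.0 risk score (assumed weights)."""
    risk = 0.1 + (0.4 if FAIL_RE.search(event["msg"]) else 0.0)
    risk += 0.2 if event["user"] in ("root", "admin") else 0.0
    return round(min(risk, 1.0), 2)

def correlate(events, window=timedelta(minutes=10), threshold=5):
    """CORRELATE: source IPs with >= threshold failed logins inside one time window."""
    fails = defaultdict(list)
    for e in events:
        if e["ip"] and FAIL_RE.search(e["msg"]):
            fails[e["ip"]].append(e["ts"])
    findings = []
    for ip, times in fails.items():
        hits = max(sum(1 for t in times if t0 <= t <= t0 + window) for t0 in times)
        if hits >= threshold:
            findings.append({"ip": ip, "failures": hits})
    return findings

# Constructed sample (not the page's botsv3 data): six failures from one IP, one success.
SAMPLE_CSV = "timestamp,user,src_ip,message\n" + "\n".join(
    [f"2026-01-14T09:00:{i:02d},admin,203.0.113.7,Failed password for admin" for i in range(0, 60, 10)]
    + ["2026-01-14T09:02:00,alice,198.51.100.4,Accepted password for alice"])
```

Running `correlate(parse(SAMPLE_CSV))` yields one finding for `203.0.113.7` with six failures, which is the shape of the brute-force pattern the botsv3 test reports.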
### Project Structure

```
AI_logs_Checking/
├── backend/                 # Django backend
│   ├── config/              # Django settings & URLs
│   ├── core/                # Main application
│   │   ├── models.py        # Database models
│   │   ├── views.py         # API views
│   │   ├── tasks.py         # Celery tasks
│   │   ├── services/        # Business logic
│   │   ├── parsers/         # Log parsers
│   │   ├── ml_scoring.py    # ML scoring
│   │   └── story_synthesis.py
│   ├── media/               # Uploaded files
│   └── requirements.txt     # Python deps
├── frontend/                # React frontend
│   ├── src/
│   │   ├── pages/           # Page components
│   │   ├── components/      # Reusable components
│   │   └── api/             # API client
│   └── package.json         # Node deps
├── botsv3_events.csv        # Sample data (231 events)
├── setup.sh                 # Quick setup script
└── README.md                # This file
```
## API Documentation

### Authentication

```
# Register
POST /api/auth/register/
{
  "username": "analyst1",
  "email": "analyst@company.com",
  "password": "SecurePass123!",
  "password2": "SecurePass123!"
}

# Login
POST /api/auth/login/
{
  "username": "analyst1",
  "password": "SecurePass123!"
}
# Returns: {"access": "JWT_TOKEN", "refresh": "REFRESH_TOKEN"}
```

### Cases

```
# Create Case
POST /api/cases/
Headers: Authorization: Bearer JWT_TOKEN
{
  "name": "Incident 2026-001",
  "description": "Suspected brute force attack",
  "status": "OPEN"
}

# List Cases
GET /api/cases/
Headers: Authorization: Bearer JWT_TOKEN
```

### Evidence

```
# Upload File
POST /api/evidence/
Headers: Authorization: Bearer JWT_TOKEN
Form Data:
  - file: [CSV/JSON/Syslog file]
  - case: [case_id]
```

### Events

```
# Get All Events
GET /api/parsed-events/
Headers: Authorization: Bearer JWT_TOKEN

# Search Events
GET /api/parsed-events/?search=failed+login

# Filter by Evidence File
GET /api/parsed-events/?evidence_file=5
```

Full API Reference: See API_REFERENCE.md

## Troubleshooting

"ModuleNotFoundError: No module named 'core'"
```shell
cd backend
source ../venv/bin/activate
python manage.py runserver
```

"django.db.utils.OperationalError: no such table"

```shell
python manage.py migrate
```

"Celery worker not processing tasks"

```shell
# Check Redis
redis-cli ping   # Should return "PONG"
# Restart Celery
celery -A config worker --loglevel=debug
```

"Port 8000 already in use"

```shell
lsof -i :8000
kill -9 <PID>
```

"npm ERR! code ELIFECYCLE"

```shell
rm -rf node_modules package-lock.json
npm cache clean --force
npm install
```

"Port 3000 already in use"

```shell
lsof -ti :3000 | xargs kill -9
```

"No events parsed from file"

- Check file format (CSV headers required)
- Verify timestamp column exists
- Review Celery logs for errors
## Production Checklist

- Change `SECRET_KEY` in settings.py
- Set `DEBUG = False`
- Configure `ALLOWED_HOSTS`
- Use PostgreSQL (not SQLite)
- Enable HTTPS/SSL
- Set up CORS properly
- Use environment variables for secrets
## Additional Documentation

- API Reference - Complete API docs
- Feature Matrix - Feature details
- Integration Test Report - Test results
- Final Test Report - botsv3 attack analysis
## Support

For issues or questions:

- Open an issue on GitHub
- Check documentation in the docs/ directory

Last Updated: January 14, 2026
Version: 1.0.0
Status: Production Ready
### Reports and Dashboard

```
POST /api/report/generate/
GET /api/report/{id}/download/
GET /api/dashboard/summary/
GET /api/dashboard/timeline/
GET /api/dashboard/confidence-distribution/
```
## Environment Variables

Backend `.env` (development values):

```
DJANGO_SECRET_KEY=your-secret-key
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1
OPENAI_API_KEY=your-openai-key
ANTHROPIC_API_KEY=your-anthropic-key
DEFAULT_LLM_PROVIDER=openai
DEFAULT_LLM_MODEL=gpt-4
ML_CONFIDENCE_THRESHOLD=0.7
CELERY_BROKER_URL=redis://localhost:6379/0
REACT_APP_API_URL=http://localhost:8000/api
```
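The Production Checklist and the `.env` variables just listed describe one configuration, and the development values above (placeholder secret key, `DEBUG=True`, SQLite) are exactly what the checklist says not to ship. The following check, added here and not part of the project's `settings.py`, validates an environment mapping against that checklist before Django starts, with the development `.env` as the weak configuration beside a constructed production one. The `DATABASE_ENGINE` variable, the 50-character key minimum and the HTTPS cookie settings are assumptions.

```python
import os
import secrets

# The development values shown in this README's .env block (constructed copy).
DEV_ENV = {
    "DJANGO_SECRET_KEY": "your-secret-key", "DEBUG": "True",
    "ALLOWED_HOSTS": "localhost,127.0.0.1", "CELERY_BROKER_URL": "redis://localhost:6379/0",
    "DATABASE_ENGINE": "django.db.backends.sqlite3",   # assumed variable name, not on the page
}

def production_problems(env):
    """Return the checklist items the environment still violates (empty list = safe)."""
    problems = []
    secret = env.get("DJANGO_SECRET_KEY", "")
    if secret in ("", "your-secret-key") or len(secret) < 50:
        problems.append("DJANGO_SECRET_KEY is missing, the placeholder, or shorter than 50 chars")
    if env.get("DEBUG", "False").strip().lower() in ("1", "true", "yes"):
        problems.append("DEBUG must be False")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        problems.append("ALLOWED_HOSTS must list the real hostnames, never '*'")
    if "sqlite" in env.get("DATABASE_ENGINE", "sqlite"):
        problems.append("use PostgreSQL, not SQLite")
    if not env.get("CELERY_BROKER_URL", "").startswith("redis://"):
        problems.append("CELERY_BROKER_URL must point at the Redis broker")
    return problems

def build_settings(env=None):
    """Security-relevant settings.py fragment; refuses to start on an unsafe environment."""
    env = os.environ if env is None else env
    problems = production_problems(env)
    if problems:
        raise RuntimeError("unsafe production configuration: " + "; ".join(problems))
    return {
        "SECRET_KEY": env["DJANGO_SECRET_KEY"],
        "DEBUG": False,
        "ALLOWED_HOSTS": [h.strip() for h in env["ALLOWED_HOSTS"].split(",")],
        "DATABASES": {"default": {"ENGINE": env["DATABASE_ENGINE"]}},
        "SECURE_SSL_REDIRECT": True,       # checklist item: Enable HTTPS/SSL
        "SESSION_COOKIE_SECURE": True,
        "CSRF_COOKIE_SECURE": True,
        "CELERY_BROKER_URL": env["CELERY_BROKER_URL"],
    }

def production_env_example():
    """Constructed production environment: fresh random key, real host, PostgreSQL."""
    return {**DEV_ENV, "DJANGO_SECRET_KEY": secrets.token_urlsafe(64), "DEBUG": "False",
            "ALLOWED_HOSTS": "logs.example.com", "DATABASE_ENGINE": "django.db.backends.postgresql"}
```

`production_problems(DEV_ENV)` reports the placeholder key, `DEBUG` and SQLite, while `build_settings(production_env_example())` returns the hardened fragment.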
## Running Tests

```shell
cd backend
python manage.py test
```

```shell
cd frontend
npm test
```

## Project Structure

```
backend/
├── config/               # Django settings
└── core/
    ├── models/           # Database models
    ├── services/         # Business logic
    │   ├── parsers/      # Log parsers
    │   ├── hashing.py
    │   ├── ml_scoring.py
    │   ├── llm_row_inference.py
    │   ├── story_synthesis.py
    │   └── report_generator.py
    ├── tasks.py          # Celery tasks
    ├── views.py          # API endpoints
    └── serializers.py
frontend/
└── src/
    ├── api/              # API client
    ├── components/       # Reusable components
    ├── pages/            # Page components
    └── types/            # TypeScript types
```
## Use Cases

- Incident Response - Rapid triage of security events
- Forensic Investigation - Court-ready evidence analysis
- Threat Hunting - Pattern discovery in logs
- Compliance Auditing - Automated evidence collection
- Security Research - Attack technique analysis
## Deployment

Docker:

```shell
# Build and run with Docker Compose
docker-compose up -d
```

Manual deployment:

- Set up PostgreSQL database
- Configure production settings in `.env`
- Run migrations: `python manage.py migrate`
- Collect static files: `python manage.py collectstatic`
- Deploy with Gunicorn + Nginx
- Set up Celery workers as systemd services
- Build React frontend: `npm run build`
- Serve frontend with Nginx
## License

MIT License - see LICENSE file for details

## Contributing

- Fork the repository
- Create a feature branch
- Make your changes
- Write tests
- Submit a pull request

## Support

For issues and questions:

- GitHub Issues: Create an issue
- Email: support@forensic-analysis.com

## Roadmap

- Phase 1: Core MVP (Current)
- Phase 2: Advanced ML models
- Phase 3: Multi-tenant support
- Phase 4: Real-time log streaming
- Phase 5: Integration with SIEM platforms

Built for the AI Logs Checking Honours Project