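#!/bin/bash
# Log Analysis and Anomaly Detection Script
# Generated by Axiom - Autonomous System Administrator
#
# Appends a daily report to REPORT_FILE (system errors, nginx error/access
# summaries, SSH login activity, firewall drops) and writes a one-file
# anomaly verdict to "$DATA_DIR/security-anomalies.txt".
#
# Deliberately not run under `set -e`: grep exits 1 on zero matches and
# journalctl may exit non-zero when parts of the journal are inaccessible;
# every failure that matters is reported explicitly instead.

TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
REPORT_FILE="/opt/axiom/logs/log-analysis-$(date '+%Y-%m-%d').log"
DATA_DIR="/opt/axiom/data"

# Anomaly thresholds. Overridable from the environment so the same script can
# serve hosts with different baselines; the defaults are the original values.
SSH_FAIL_WARN="${AXIOM_SSH_FAIL_WARN:-20}"     # failed SSH attempts in 24h
SYS_ERROR_WARN="${AXIOM_SYS_ERROR_WARN:-100}"  # journal entries at -p err in 24h
FW_DROP_WARN="${AXIOM_FW_DROP_WARN:-1000}"     # kernel drop/reject lines in 24h
SSH_TOP_IPS_MIN="${AXIOM_SSH_TOP_IPS_MIN:-10}" # list offending IPs above this

readonly JOURNAL_SINCE="24 hours ago"
readonly NGINX_ERROR_LOG="/var/log/nginx/axiom.error.log"
readonly NGINX_ACCESS_LOG="/var/log/nginx/axiom.access.log"

# Always defined so the summary below never interpolates an empty value when
# an nginx log is absent.
NGINX_ERRORS=0
TOTAL_REQUESTS=0

#######################################
# Append one line to the report.
# Globals:   REPORT_FILE (read)
# Arguments: the line to append (all words joined by a space)
#######################################
report() {
  printf '%s\n' "$*" >> "$REPORT_FILE"
}

#######################################
# Print the number of lines in a string; 0 for an empty string (a plain
# `wc -l` on a here-string would report 1).
# Arguments: $1 - text to count
#######################################
count_lines() {
  if [ -z "$1" ]; then
    printf '0\n'
  else
    printf '%s\n' "$1" | wc -l
  fi
}

#######################################
# Print the number of lines in a string matching a case-insensitive ERE.
# Prints 0 when nothing matches; grep's non-zero exit status is ignored
# on purpose, which is why this script does not rely on `set -e`.
# Arguments: $1 - text to search, $2 - extended regex
#######################################
count_matches() {
  printf '%s\n' "$1" | grep -ciE -- "$2"
}

# Create output locations up front so a missing directory is one clear failure
# rather than a cascade of failed redirections with a misleading verdict file.
if ! mkdir -p -- "${REPORT_FILE%/*}" "$DATA_DIR"; then
  printf '%s: cannot create output directories\n' "${0##*/}" >&2
  exit 1
fi
# NOTE(review): the report carries journal excerpts and client IPs; if
# unprivileged local users exist on this host, consider a restrictive umask
# before the first write.

{
  printf '=== Log Analysis Report ===\n'
  printf 'Timestamp: %s\n\n' "$TIMESTAMP"
} >> "$REPORT_FILE"

# Without root (or systemd-journal/adm membership) journalctl typically shows
# only a subset of the journal, and the nginx logs may be unreadable, so every
# count below would silently under-report. Record that in the report.
if [ "$(id -u)" -ne 0 ]; then
  report "[NOTICE] Not running as root; journal and nginx log coverage may be incomplete"
fi

# Pull each journal slice once so counts and excerpts come from the same
# snapshot instead of separate queries. -q suppresses informational lines
# such as "-- No entries --" that would otherwise be counted as entries.
SYS_ERRORS=$(journalctl -q --no-pager --since "$JOURNAL_SINCE" -p err)
# Matches on the same field are OR'ed by journalctl: cover both the
# sshd.service name and Debian/Ubuntu's ssh.service. Matching only the former
# yields zero SSH activity on Debian-family hosts and the anomaly never fires.
SSHD_LOG=$(journalctl -q --no-pager --since "$JOURNAL_SINCE" \
  _SYSTEMD_UNIT=sshd.service _SYSTEMD_UNIT=ssh.service)
KERNEL_LOG=$(journalctl -q --no-pager --since "$JOURNAL_SINCE" -k)

# --- System errors ----------------------------------------------------------
report "--- System Errors (Last 24h) ---"
ERROR_COUNT=$(count_lines "$SYS_ERRORS")
report "Total error entries: $ERROR_COUNT"
if [ "$ERROR_COUNT" -gt 0 ]; then
  report ""
  report "Recent errors:"
  printf '%s\n' "$SYS_ERRORS" | tail -n 20 >> "$REPORT_FILE"
fi
report ""

# --- nginx ------------------------------------------------------------------
if [ -f "$NGINX_ERROR_LOG" ]; then
  report "--- Nginx Error Log Analysis ---"
  if [ -r "$NGINX_ERROR_LOG" ]; then
    # Every line is counted, so notice/warn entries inflate this figure
    # depending on the configured error_log level.
    NGINX_ERRORS=$(wc -l < "$NGINX_ERROR_LOG")
    report "Total nginx errors: $NGINX_ERRORS"
    if [ "$NGINX_ERRORS" -gt 0 ]; then
      report "Recent nginx errors:"
      tail -n 10 -- "$NGINX_ERROR_LOG" >> "$REPORT_FILE"
    fi
  else
    report "[NOTICE] $NGINX_ERROR_LOG exists but is not readable"
  fi
  report ""
fi

if [ -f "$NGINX_ACCESS_LOG" ]; then
  report "--- Nginx Access Summary ---"
  if [ -r "$NGINX_ACCESS_LOG" ]; then
    TOTAL_REQUESTS=$(wc -l < "$NGINX_ACCESS_LOG")
    report "Total requests: $TOTAL_REQUESTS"
    if [ "$TOTAL_REQUESTS" -gt 0 ]; then
      report ""
      report "Top 10 IP addresses:"
      # Field 1 is the peer address; behind a reverse proxy or load balancer
      # that is the proxy, not the client — confirm for this deployment.
      awk '{print $1}' "$NGINX_ACCESS_LOG" | sort | uniq -c | sort -rn | head -n 10 >> "$REPORT_FILE"
      report ""
      report "HTTP status codes:"
      # Field 9 is the status code only for the default "combined" log_format.
      awk '{print $9}' "$NGINX_ACCESS_LOG" | sort | uniq -c | sort -rn >> "$REPORT_FILE"
    fi
  else
    report "[NOTICE] $NGINX_ACCESS_LOG exists but is not readable"
  fi
  report ""
fi

# --- SSH --------------------------------------------------------------------
report "--- SSH Login Analysis ---"
# Substring matches, as before: "failed" counts any sshd line containing the
# word (password and publickey failures alike), "accepted" any accepted method.
FAILED_SSH=$(count_matches "$SSHD_LOG" 'failed')
SUCCESS_SSH=$(count_matches "$SSHD_LOG" 'accepted')
report "Failed SSH attempts: $FAILED_SSH"
report "Successful SSH logins: $SUCCESS_SSH"
if [ "$FAILED_SSH" -gt "$SSH_TOP_IPS_MIN" ]; then
  report ""
  report "Top IPs with failed attempts:"
  # IPv4 only; IPv6 sources are not extracted by this pattern.
  printf '%s\n' "$SSHD_LOG" \
    | grep -i -- 'failed' \
    | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
    | sort | uniq -c | sort -rn | head -n 10 >> "$REPORT_FILE"
fi
report ""

# --- Firewall ---------------------------------------------------------------
report "--- Firewall Activity ---"
# Only rules that log to the kernel ring buffer appear here; rules that drop
# silently are invisible to this count.
FW_DROPS=$(count_matches "$KERNEL_LOG" 'drop|reject')
report "Dropped/Rejected packets: $FW_DROPS"
if [ "$FW_DROPS" -gt 0 ]; then
  report "Recent firewall events:"
  printf '%s\n' "$KERNEL_LOG" | grep -iE -- 'drop|reject' | tail -n 10 >> "$REPORT_FILE"
fi
report ""

# --- Anomaly verdict --------------------------------------------------------
report "--- Security Anomalies ---"
# ANOMALIES keeps literal "\n" separators (rendered with %b) so its value is
# unchanged for anything downstream that reads the variable.
ANOMALIES=""
if [ "$FAILED_SSH" -gt "$SSH_FAIL_WARN" ]; then
  ANOMALIES="${ANOMALIES}[WARNING] High number of failed SSH attempts: ${FAILED_SSH}\n"
fi
if [ "$ERROR_COUNT" -gt "$SYS_ERROR_WARN" ]; then
  ANOMALIES="${ANOMALIES}[WARNING] High error rate in system logs: ${ERROR_COUNT}\n"
fi
if [ "$FW_DROPS" -gt "$FW_DROP_WARN" ]; then
  ANOMALIES="${ANOMALIES}[WARNING] High firewall drop rate: ${FW_DROPS}\n"
fi
if [ -n "$ANOMALIES" ]; then
  printf '%b\n' "$ANOMALIES" >> "$REPORT_FILE"
  printf '%b\n' "$ANOMALIES" > "$DATA_DIR/security-anomalies.txt"
else
  report "No security anomalies detected"
  printf 'No anomalies\n' > "$DATA_DIR/security-anomalies.txt"
fi
report "========================================"
report ""

# Save summary
cat > "$DATA_DIR/latest-logs.json" <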