A real-time system & network log analysis desktop application built with PySide6. It combines live network packet monitoring, machineβlearningβbased log anomaly detection, and crossβplatform (Windows/Linux) system log collection in a single dashboard β with a rule engine and ML model to flag suspicious activity and raise alerts.
π Research paper publication: "Log Analysis: Understanding and Enhancing System Monitoring" β IJARCCE
- Features
- Architecture
- Tech Stack
- Project Structure
- Getting Started (Run Locally)
- Building a Standalone Executable
- Screenshots
- Certificate
- Known Limitations
- License
The app is organized into three main dashboard tabs, each backed by its own Python module:
- Live packet capture using Scapy (
sniff) with start/stop controls. - Rule-based detection engine for:
- Port scans
- SYN floods
- DNS tunneling (entropy-based)
- ARP spoofing
- Data exfiltration patterns
- C2 (command-and-control) communication patterns
- Known malicious IP matching
- Suspicious/broadcast traffic
- Time-based anomalies & brute-force login attempts
- Alerting system with severity levels and optional sound alerts.
- Live traffic summary, alert feed, and log counters exposed to the UI.
- All events persisted to a local SQLite database.
- Upload/save log files, browse folders, and search within collected logs.
- Rule/pattern-based anomaly scanning plus a trained ML classifier
(
scikit-learnRandomForestClassifier+CountVectorizerpipeline, persisted withjoblibinmodels/log_analysis_model.joblib). - "Deep analysis" mode with risk classification of log content.
- Export analysis results to CSV.
- One-click collection of system diagnostics, running in a background thread with live progress reporting to the UI.
- Windows: Event Logs, system info, network info, running processes, services.
- Linux: system info, network info, process info, and security-related logs.
- Collected logs are written under
collected_logs/upload_log/{windows|linux}/.
- Frameless, custom-styled window (drag, minimize/maximize/close handled manually).
- Left navigation menu + collapsible center info/help menu.
- Each tab embeds an HTML/JS frontend (via
QWebEngineView) that talks to its Python backend over aQWebChannelbridge β see Architecture.
The app is a Qt (PySide6) desktop shell. Each of the three tabs loads a local
HTML/CSS/JS page inside an embedded Chromium view (QWebEngineView), and that
page talks to a dedicated Python "backend" object over Qt WebChannel
(JS β Python bridge). This keeps the UI logic in HTML/JS while all the heavy
lifting (packet capture, ML inference, system calls) runs in Python.
flowchart TD
A["main.py<br/>MainWindow (PySide6, frameless QMainWindow)"] --> B[Home Tab]
A --> C[Log Tab]
A --> D[System Tab]
B -->|QWebEngineView| B1["assets/html/home.html + JS"]
C -->|QWebEngineView| C1["assets/html/log.html + JS"]
D -->|QWebEngineView| D1["assets/html/system_analysis.html + JS"]
B1 <-->|QWebChannel bridge| B2["BackendClass_hom<br/>assets/py/home.py"]
C1 <-->|QWebChannel bridge| C2["BackendClass_log<br/>assets/py/log.py"]
D1 <-->|QWebChannel bridge| D2["BackendClass_sys<br/>assets/py/system_analysis.py"]
B2 --> E1["Scapy packet sniffing"]
B2 --> E2[("SQLite<br/>log_analysis.db")]
B2 --> E3["Rule engine: port scan, SYN flood,<br/>DNS tunneling, ARP spoof, C2, etc."]
C2 --> F1["RandomForestClassifier + CountVectorizer<br/>(scikit-learn, joblib)"]
C2 --> F2["models/log_analysis_model.joblib"]
D2 --> G1["SystemLogCollector"]
G1 --> G2["Windows: Event Log, psutil, subprocess"]
G1 --> G3["Linux: /proc, journalctl-style, psutil"]
G1 --> G4["collected_logs/upload_log/"]
Key design points:
main.pybuilds theMainWindowfrom the Qt Designer fileDashboard_main.ui(compiled toui_Dashboard_main.py), then wires up navigation, window controls, and threeQWebEngineViews (Home / Log / System).- Each backend (
BackendClass_hom,BackendClass_log,BackendClass_sys) is aQObjectexposing@Slotmethods andSignals, registered on aQWebChannelso the embedded JS can call Python and receive live updates (e.g. new alerts, scan progress). resource_path()helpers in each module resolve file paths correctly both when running from source and when frozen into an executable via PyInstaller.
| Layer | Technology |
|---|---|
| Desktop UI shell | PySide6 (Qt for Python), Qt Designer .ui file |
| Embedded frontend | HTML, CSS, JavaScript (via QWebEngineView + QWebChannel) |
| Packet capture | Scapy |
| Machine learning | scikit-learn (RandomForestClassifier, CountVectorizer pipeline), joblib, pandas, numpy |
| System info | psutil, subprocess, Windows Event Log APIs |
| Storage | SQLite (log_analysis.db), local file system (collected_logs/) |
| Packaging | PyInstaller (Log Analysis.spec) |
Log-Analysis/
βββ main.py # App entry point, MainWindow, navigation & window logic
βββ debug_launcher.py # Diagnostic launcher (verbose import/startup logging)
βββ Dashboard_main.ui # Qt Designer UI definition
βββ ui_Dashboard_main.py # Compiled UI (generated from the .ui file)
βββ resource.qrc / resource_rc.py# Qt resource file & compiled resources
βββ style.json # UI style/theme config
βββ log_analysis.db # SQLite database used by the Home tab
βββ requirements.txt # Python dependencies
βββ Log Analysis.spec # PyInstaller build spec
βββ Qss.zip / icons.zip # Packaged stylesheets / icons
βββ assets/
β βββ py/
β β βββ home.py # BackendClass_hom β network monitoring & alerts
β β βββ log.py # BackendClass_log β log search & ML anomaly detection
β β βββ system_analysis.py # BackendClass_sys / SystemLogCollector β OS log collection
β βββ html/ # home.html, log.html, system_analysis.html (frontend pages)
β βββ css/ # Stylesheets for the embedded frontend
β βββ js/ # Frontend JavaScript
βββ models/
β βββ log_analysis_model.joblib # Trained RandomForest log-classification model
βββ collected_logs/
β βββ upload_log/ # Output folder for collected/uploaded logs
βββ images/ # README screenshots
- Python 3.9β3.11 (PySide6 6.9 and the ML stack are most stable in this range)
- Git
- Windows or Linux (some features β Windows Event Log collection,
winsoundalert tones β are Windows-only; on Linux those specific calls will need adjusting/guard-clauses) - Recommended: run packet-capture features with sufficient privileges
(Administrator on Windows,
sudo/CAP_NET_RAWon Linux), since Scapy needs raw socket access to sniff packets.
git clone https://github.com/rupeshrb/Log-Analysis.git
cd Log-Analysis# Windows
python -m venv venv
venv\Scripts\activate
# macOS/Linux
python3 -m venv venv
source venv/bin/activatepip install -r requirements.txt
β οΈ Note:requirements.txtcurrently contains a large, generic list of packages (it looks like it was generated from a full environmentpip freezerather than only this project's direct dependencies). At minimum, the app needs:PySide6,PySide6-Addons,PySide6-Essentials,scapy,scikit-learn,pandas,numpy,joblib,psutil, andQT-PyQt-PySide-Custom-Widgets(imported asCustom_Widgets). Ifpip install -r requirements.txtfails or is too slow, you can install just these core packages instead and add others only as needed.
python main.pyIf the app fails to start (missing modules, blank window, etc.), run the
diagnostic launcher instead β it prints detailed environment/import info and
writes a traceback to error_log.txt:
python debug_launcher.py- Home tab β start/stop live packet capture and watch real-time alerts, traffic summaries, and detected threats.
- Log tab β upload or browse log files, search them, and run anomaly/deep analysis (rule-based + ML). Export results to CSV.
- System tab β click to collect system logs/info for the current OS;
progress is shown live, and results are saved under
collected_logs/upload_log/.
The repo includes a PyInstaller spec file for producing a Windows .exe:
pip install pyinstaller
pyinstaller "Log Analysis.spec"The built executable will be created in the generated dist/ folder. A
pre-built Windows release is also available under the repository's
Releases page
(LogAnalysis_WINDOWS_SETUP_V_1.0).
- Some features (
winsoundalert tones, Windows Event Log collection) are Windows-specific and will need platform guards or alternatives to run fully on macOS/Linux. requirements.txtis broader than the project's actual dependencies β consider regenerating it withpip freezefrom a clean virtual environment built solely for this app, or trimming it to the core packages listed above.- The repo currently commits some generated/binary artifacts (
log_analysis.db,models/log_analysis_model.joblib,Qss.zip,icons.zip,__pycache__/). Consider a.gitignorefor__pycache__/and regenerated files going forward. - Packet capture requires elevated privileges; without them, the Home tab's live monitoring will fail silently or raise permission errors.
No license file is currently included in this repository. If you intend
this project to be reused or contributed to by others, consider adding a
LICENSE file (e.g., MIT, Apache-2.0) to clarify usage terms.
























