Log Guard AI


At FraudGuard.io, we have spent nearly a decade studying and analyzing cyber threats through one of the most extensive honeypot networks in the industry. This wealth of intelligence has been used to train a proprietary AI model, specifically designed to detect malicious behavior in access log data. LogGuard AI is the culmination of years of threat intelligence, leveraging machine learning to proactively identify bad actors, attack patterns, and security anomalies before they escalate into major security incidents.



Automated Log Ingestion

LogGuard AI seamlessly ingests log data from various sources, including access logs from Nginx, Apache, AWS load balancers (ALB/ELB/NLB), and more. Our system is designed to handle high-volume log streams efficiently, normalizing data for comprehensive analysis and long-term security insights.

Pre-Filtering & Risk Detection

Using advanced filtering mechanisms, LogGuard AI automatically scans incoming logs for high-risk behaviors such as brute-force login attempts, bot-driven traffic, and access to sensitive endpoints. Suspicious activity is flagged for further AI-powered analysis.

Suspicious Geo-Activity Detection

LogGuard AI continuously evaluates geographic access patterns, detecting anomalies that may indicate unauthorized activity or emerging threats. By analyzing deviations from normal behavior—such as sudden access attempts from unexpected locations—it helps businesses identify potential security risks, mitigate fraud, and strengthen access controls before an incident escalates.

IP Address Intelligence

LogGuard AI enhances security visibility by automatically analyzing the source IP addresses found in customer access logs. Every IP is cross-referenced against the FraudGuard.io global threat database, identifying whether it has been associated with malicious activity, botnet operations, or suspicious behaviors. This allows businesses to detect high-risk traffic sources in real time and take immediate action to protect their infrastructure.

AI-Powered Anomaly Detection

Our proprietary AI model, built on years of honeypot attack data, continuously adapts to emerging threats by identifying deviations from normal behavior. This advanced anomaly detection engine helps security teams uncover stealthy cyber threats before they can cause damage.

Comprehensive API Integration

LogGuard AI provides a powerful suite of APIs, enabling businesses to seamlessly integrate automated log analysis into their security infrastructure. These APIs allow customers to retrieve AI-enhanced threat intelligence and incorporate actionable insights directly into SIEM platforms, firewalls, ticketing systems, and other cybersecurity tools.

Seamless S3 Integration

LogGuard AI is designed with a fully transient architecture, ensuring that no log data is ever written to a persistent storage layer. Instead, logs are read from the customer's AWS S3 bucket, analyzed in real time, and the enriched results are written straight back to the customer's S3 bucket. This approach enhances security, minimizes data retention risks, and ensures full control over sensitive log data.

Self-Improving AI Model

At the core of LogGuard AI is a sophisticated, self-improving machine learning model designed to refine its analysis over time. By leveraging continuous feedback and customer interactions, the AI learns to distinguish between true threats and benign activity with increasing precision. This adaptive approach ensures that LogGuard AI evolves alongside emerging attack patterns, providing ever-improving accuracy and minimizing false positives.




How Log Guard AI Works


LogGuard AI offers two integration models to fit your infrastructure and security needs: an API-driven approach with database storage or a fully transient AWS S3-based model.

1. Choose Your Integration Model

Decide between two deployment options:
- Database & API Model: Log data is processed, enriched, and stored for structured querying and forensic analysis.
- S3-Only Model: All logs are read from and written back to AWS S3 without ever being stored on persistent infrastructure.

2. Configure Log Source

If using the Database & API Model, grant LogGuard AI read access to your designated AWS S3 bucket containing access logs. If using the S3-Only Model, provide read and write access to two S3 buckets: one for ingestion and another for enriched threat data output.

3. Log Processing & Threat Identification

Once logs are ingested, LogGuard AI automatically applies log normalization, filters irrelevant noise, and identifies high-risk events using pre-configured rulesets. Anomalous patterns, unauthorized access attempts, suspicious requests, and more are flagged for deeper AI-driven analysis.

4. AI-Powered Risk Scoring

Each log entry is analyzed against historical attack patterns, threat intelligence databases, and behavioral models to assign a dynamic risk score. This risk assessment helps businesses prioritize responses and implement proactive security measures.

5. Real-Time API Integration

LogGuard AI delivers insights through multiple channels, including API responses and enriched log exports to S3. Security teams can use these insights for automated threat blocking, forensic investigations, or compliance reporting.

6. Continuous Learning & Improvement

As security teams provide feedback, LogGuard AI continuously refines its detection models. This self-learning capability enhances accuracy over time, reducing false positives and ensuring high-confidence threat detection.
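The pre-filtering stage described under "Pre-Filtering & Risk Detection" and in step 3 above (normalize the raw access log, drop noise, flag high-risk events with rules before anything reaches the model) can be illustrated with a small stand-alone filter. The code below is an added example written for this page, not LogGuard AI's own code: it parses Nginx/Apache combined-format lines, flags requests for sensitive paths, scanner user agents, malformed (non-HTTP) request lines and bursts of login POSTs, and returns the flags a downstream analyzer would consume. The rule set (RECON_PATHS, LOGIN_PATHS, SCANNER_UAS, the threshold of 5) is an assumption seeded from paths and agents that appear in the page's sample rows, and the login-burst lines and the redacted JSON-RPC blob are constructed sample input.

```python
import re
from collections import Counter

# Nginx/Apache "combined" log format. Nginx escapes embedded quotes inside the
# request and user-agent fields as \x22 (visible in the page's xmr-stak row),
# so [^"]* is safe for every quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rule set for this example (assumed; seeded from the page's sample rows).
# A production rule set would be far larger and externally maintained.
RECON_PATHS = re.compile(r'/(\.env|\.git/|\.aws/|wp-content/updates\.php)', re.I)
LOGIN_PATHS = re.compile(r'/(wp-login\.php|xmlrpc\.php)$', re.I)
SCANNER_UAS = re.compile(r'^l9explore/', re.I)
BRUTE_FORCE_THRESHOLD = 5   # login POSTs from one IP within the batch (assumed)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    # A well-formed request line is "METHOD PATH HTTP/x.y". Anything else, such as
    # a TLS ClientHello or a JSON-RPC blob sent to a plaintext port, gets no path.
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        rec["method"], rec["path"] = parts[0], parts[1].split("?", 1)[0]
    else:
        rec["method"], rec["path"] = None, None
    return rec


def prefilter(lines):
    """Return (ip, flag) pairs for the lines worth sending on for deeper analysis."""
    flags = []
    login_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not combined format; leave for another parser
        if rec["path"] is None:
            flags.append((rec["ip"], "malformed_request"))
            continue
        if RECON_PATHS.search(rec["path"]):
            flags.append((rec["ip"], "web_recon"))
        if SCANNER_UAS.search(rec["ua"]):
            flags.append((rec["ip"], "scanner_user_agent"))
        if rec["method"] == "POST" and LOGIN_PATHS.search(rec["path"]):
            login_posts[rec["ip"]] += 1
    # Brute force is a per-source aggregate, so it is decided after the pass.
    for ip, n in login_posts.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            flags.append((ip, "brute_force"))
    return flags


# Sample input: four raw lines taken from the page's examples (the wallet in the
# JSON-RPC blob replaced by a placeholder) plus a constructed burst of login POSTs
# from a TEST-NET address.
SAMPLE_LINES = [
    r'78.153.140.149 - - [12/Feb/2025:00:19:27 +0000] "GET /.git/config HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.140 Safari/537.36"',
    r'195.178.110.163 - - [12/Feb/2025:05:29:00 +0000] "GET /prod/.env HTTP/1.1" 301 162 "-" "l9explore/1.2.2"',
    r'66.240.236.119 - - [12/Feb/2025:00:36:01 +0000] "GET /.well-known/security.txt HTTP/1.1" 301 162 "-" "-"',
    r'106.75.186.101 - - [12/Feb/2025:02:20:59 +0000] "{\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x22<wallet-redacted>\x22,\x22pass\x22:\x22xxoo\x22,\x22agent\x22:\x22xmr-stak-cpu/1.3.0-1.5.0\x22},\x22id\x22:1}" 400 150 "-" "-"',
] + [
    r'203.0.113.7 - - [12/Feb/2025:03:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "python-requests/2.31.0"' % s
    for s in range(5)
]

if __name__ == "__main__":
    for ip, flag in prefilter(SAMPLE_LINES):
        print(f"{ip:16} {flag}")
```

The security.txt request passes through unflagged, which is the point of the stage: only the lines that match a rule are forwarded, so the expensive analysis runs on a fraction of the stream. Brute-force detection here counts within a single batch; a streaming deployment would keep the counter in a sliding time window instead.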




See Log Guard AI in Action

Experience the power of FraudGuard-enriched access logs and real-time API-driven threat intelligence.

With LogGuard AI, every log entry is analyzed, enriched, and categorized, giving you deep insights into potential security risks.

Below, you'll find real-life API responses and S3 log outputs, showcasing how LogGuard AI delivers detailed attack insights, risk scoring, and automated security intelligence.

Example API Response
[{
    "id": "1",
    "file_name": "access.log",
    "log_entry": "78.153.140.149 - - [12/Feb/2025:00:19:27 +0000] \"GET /.git/config HTTP/1.1\" 301 162 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.140 Safari/537.36\"",
    "attack_type": "web_recon",
    "matched_pattern": "Recon Path Match",
    "ip": "78.153.140.149",
    "threat": "honeypot_tracker",
    "country": "Russia",
    "asn_organization": "LLC Melt-internet",
    "isp": "LLC Melt-internet",
    "organization": "LLC Melt-internet",
    "blacklisted": "0",
    "geoblocked": "1",
    "send_to_ai": "1",
    "ai_confirmed": "1",
    "ai_feedback": null,
    "feedback_at": null,
    "created_at": "2025-03-18 16:12:28"
},
{
    "id": "9054",
    "file_name": "access.log.2",
    "log_entry": "150.136.69.140 - - [10/Feb/2025:17:04:59 +0000] \"GET /wp-content/updates.php HTTP/1.1\" 301 162 \"-\" \"-\"",
    "attack_type": "sql_injection",
    "matched_pattern": "updates.php HTTP/1.1\"",
    "ip": "150.136.69.140",
    "threat": "honeypot_tracker",
    "country": "United States",
    "asn_organization": "ORACLE-BMC-31898",
    "isp": "Oracle Cloud",
    "organization": "Oracle Cloud",
    "blacklisted": "0",
    "geoblocked": "0",
    "send_to_ai": "1",
    "ai_confirmed": "1",
    "ai_feedback": null,
    "feedback_at": null,
    "created_at": "2025-03-18 16:13:05"
}]


Example S3 Enriched Log Output
# IP Address | Timestamp | File Name | Attack Type | Matched Pattern | Country | Threat Category | Blacklisted | Geoblocked | Sent to AI | AI Confirmed | ASN Organization | ISP | Organization | Connection Type | Raw Log Entry
78.153.140.224 [18/Mar/2025:16:13:20 +0000] "access.log.3" path_traversal "../" "Russia" "honeypot_tracker" 0 1 1 1 "LLC Melt-internet" "LLC Melt-internet" "LLC Melt-internet" "Cable/DSL" "78.153.140.224 - - [09/Feb/2025:07:55:10 +0000] "GET /../.env HTTP/1.1" 400 150 "-" "-""
103.121.39.54 [18/Mar/2025:16:12:28 +0000] "access.log" unknown "N/A" "Bangladesh" "honeypot_tracker" 0 0 1 1 "Digital Dot Net DDN" "Digital Dot Net DDN" "Digital Dot Net DDN" "Cable/DSL" "103.121.39.54 - - [12/Feb/2025:09:01:24 +0000] "GET /.aws/credentials HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36""
78.153.140.149 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "Russia" "unknown" 0 1 1 1 "LLC Melt-internet" "LLC Melt-internet" "LLC Melt-internet" "Cable/DSL" "78.153.140.149 - - [12/Feb/2025:00:19:27 +0000] "GET /.env HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.140 Safari/537.36""
150.136.69.140 [18/Mar/2025:16:13:05 +0000] "access.log.2" sql_injection "updates.php HTTP/1.1"" "United States" "honeypot_tracker" 0 0 1 1 "ORACLE-BMC-31898" "Oracle Cloud" "Oracle Cloud" "Corporate" "150.136.69.140 - - [10/Feb/2025:17:04:59 +0000] "GET /wp-content/updates.php HTTP/1.1" 301 162 "-" "-""
89.44.9.80 [18/Mar/2025:16:15:17 +0000] "access.log" unknown "N/A" "France" "anonymous_tracker" 0 0 1 1 "M247 Ltd" "M247 Ltd" "M247 Ltd" "Corporate" "89.44.9.80 - - [12/Feb/2025:09:53:46 +0000] "GET /main.yml HTTP/1.1" 404 1387 "-" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36""
195.178.110.163 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "United States" "honeypot_tracker" 0 0 1 1 "SPRINTLINK" "Sprint" "Sprint" "Corporate" "195.178.110.163 - - [12/Feb/2025:05:29:00 +0000] "GET /prod/.env HTTP/1.1" 301 162 "-" "l9explore/1.2.2""
195.178.110.163 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "United States" "honeypot_tracker" 0 0 1 1 "SPRINTLINK" "Sprint" "Sprint" "Corporate" "195.178.110.163 - - [12/Feb/2025:05:29:01 +0000] "GET /settings/.env HTTP/1.1" 301 162 "-" "l9explore/1.2.2""
106.75.186.101 [18/Mar/2025:16:12:28 +0000] "access.log" unknown "N/A" "China" "honeypot_tracker" 0 1 1 1 "CHINANET Guangdong province network" "China Telecom Guangdong" "China Telecom Guangdong" "Corporate" "106.75.186.101 - - [12/Feb/2025:02:20:59 +0000] "{\x22method\x22:\x22login\x22,\x22params\x22:{\x22login\x22:\x2245JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV\x22,\x22pass\x22:\x22xxoo\x22,\x22agent\x22:\x22xmr-stak-cpu/1.3.0-1.5.0\x22},\x22id\x22:1}" 400 150 "-" "-""
66.240.236.119 [18/Mar/2025:16:12:28 +0000] "access.log" unknown "N/A" "United States" "honeypot_tracker" 0 0 1 1 "CARINET" "CariNet" "CariNet" "Corporate" "66.240.236.119 - - [12/Feb/2025:00:36:01 +0000] "GET /.well-known/security.txt HTTP/1.1" 301 162 "-" "-""
80.82.77.202 [18/Mar/2025:16:12:28 +0000] "access.log" unknown "N/A" "Netherlands" "botnet_tracker" 0 0 1 1 "IP Volume inc" "IP Volume inc" "IP Volume inc" "Corporate" "80.82.77.202 - - [12/Feb/2025:01:00:01 +0000] "\x16\x03\x02\x01o\x01\x00\x01k\x03\x02RH\xC5\x1A#\xF7:N\xDF\xE2\xB4\x82/\xFF\x09T\x9F\xA7\xC4y\xB0h\xC6\x13\x8C\xA4\x1C=\x22\xE1\x1A\x98 \x84\xB4,\x85\xAFn\xE3Y\xBBbhl\xFF(=':\xA9\x82\xD9o\xC8\xA2\xD7\x93\x98\xB4\xEF\x80\xE5\xB9\x90\x00(\xC0" 400 150 "-" "-""
45.148.10.90 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "Netherlands" "honeypot_tracker" 0 0 1 1 "Pptechnology Limited" "DMZHOST" "DMZHOST" "Cable/DSL" "45.148.10.90 - - [12/Feb/2025:01:11:29 +0000] "GET /.git/config HTTP/1.1" 301 162 "-" "l9explore/1.2.2""
80.94.95.157 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "Romania" "honeypot_tracker" 0 0 1 1 "Bunea TELECOM SRL" "Bunea TELECOM SRL" "Bunea TELECOM SRL" "Cable/DSL" "80.94.95.157 - - [12/Feb/2025:01:56:21 +0000] "GET /wp-login.php HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36""
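The enriched S3 output above is whitespace-delimited (the `#` header uses `|` only as a visual separator) and has two fields that defeat a naive split: the matched pattern can carry a trailing stray quote (the sql_injection row ends its pattern in `HTTP/1.1""`), and the final raw log entry contains unescaped double quotes of its own. The following parser is an added example written for this page, not FraudGuard.io code; it reads the rows into records, typed flags included, and then selects the source IPs a team would hand to a blocklist. The selection policy in candidates_for_blocklist (AI-confirmed, not already blacklisted, attack type known) is an assumption for the example, and the sample rows are copied from the output shown above.

```python
import re

# Field order follows the header line of the S3 enriched output. The last column
# is the raw access-log line; it contains unescaped double quotes, so it is taken
# greedily to the end of the line rather than as a quoted token.
ENRICHED_LINE = re.compile(
    r'^(?P<ip>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<file_name>[^"]*)" '
    r'(?P<attack_type>\S+) '
    # The matched pattern may itself end in a quote (sql_injection row), so stop
    # at the first quote that is followed by a space rather than at the first quote.
    r'"(?P<matched_pattern>.*?)"(?= ) '
    r'"(?P<country>[^"]*)" '
    r'"(?P<threat>[^"]*)" '
    r'(?P<blacklisted>[01]) (?P<geoblocked>[01]) '
    r'(?P<sent_to_ai>[01]) (?P<ai_confirmed>[01]) '
    r'"(?P<asn_organization>[^"]*)" '
    r'"(?P<isp>[^"]*)" '
    r'"(?P<organization>[^"]*)" '
    r'"(?P<connection_type>[^"]*)" '
    r'"(?P<raw_log>.*)"$'
)
FLAG_FIELDS = ("blacklisted", "geoblocked", "sent_to_ai", "ai_confirmed")


def parse_enriched_line(line):
    """Parse one enriched row into a dict; the four 0/1 flags become ints."""
    m = ENRICHED_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised enriched log row: {line[:60]!r}")
    rec = m.groupdict()
    for field in FLAG_FIELDS:
        rec[field] = int(rec[field])
    return rec


def read_enriched(lines):
    """Skip the # header and blank lines, parse everything else."""
    return [parse_enriched_line(l) for l in lines if l.strip() and not l.startswith("#")]


def candidates_for_blocklist(records):
    """Assumed local policy: AI-confirmed, not yet blacklisted, attack type known.
    Returns unique IPs in first-seen order, ready to hand to a blocklist API."""
    seen, out = set(), []
    for r in records:
        if r["ai_confirmed"] == 1 and r["blacklisted"] == 0 and r["attack_type"] != "unknown":
            if r["ip"] not in seen:
                seen.add(r["ip"])
                out.append(r["ip"])
    return out


# Sample rows copied from the enriched output shown on the page (header included).
SAMPLE_ENRICHED = [
    '# IP Address | Timestamp | File Name | Attack Type | Matched Pattern | Country | Threat Category | Blacklisted | Geoblocked | Sent to AI | AI Confirmed | ASN Organization | ISP | Organization | Connection Type | Raw Log Entry',
    r'78.153.140.224 [18/Mar/2025:16:13:20 +0000] "access.log.3" path_traversal "../" "Russia" "honeypot_tracker" 0 1 1 1 "LLC Melt-internet" "LLC Melt-internet" "LLC Melt-internet" "Cable/DSL" "78.153.140.224 - - [09/Feb/2025:07:55:10 +0000] "GET /../.env HTTP/1.1" 400 150 "-" "-""',
    r'150.136.69.140 [18/Mar/2025:16:13:05 +0000] "access.log.2" sql_injection "updates.php HTTP/1.1"" "United States" "honeypot_tracker" 0 0 1 1 "ORACLE-BMC-31898" "Oracle Cloud" "Oracle Cloud" "Corporate" "150.136.69.140 - - [10/Feb/2025:17:04:59 +0000] "GET /wp-content/updates.php HTTP/1.1" 301 162 "-" "-""',
    r'195.178.110.163 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "United States" "honeypot_tracker" 0 0 1 1 "SPRINTLINK" "Sprint" "Sprint" "Corporate" "195.178.110.163 - - [12/Feb/2025:05:29:00 +0000] "GET /prod/.env HTTP/1.1" 301 162 "-" "l9explore/1.2.2""',
    r'195.178.110.163 [18/Mar/2025:16:12:28 +0000] "access.log" web_recon "Recon Path Match" "United States" "honeypot_tracker" 0 0 1 1 "SPRINTLINK" "Sprint" "Sprint" "Corporate" "195.178.110.163 - - [12/Feb/2025:05:29:01 +0000] "GET /settings/.env HTTP/1.1" 301 162 "-" "l9explore/1.2.2""',
    r'66.240.236.119 [18/Mar/2025:16:12:28 +0000] "access.log" unknown "N/A" "United States" "honeypot_tracker" 0 0 1 1 "CARINET" "CariNet" "CariNet" "Corporate" "66.240.236.119 - - [12/Feb/2025:00:36:01 +0000] "GET /.well-known/security.txt HTTP/1.1" 301 162 "-" "-""',
]

if __name__ == "__main__":
    records = read_enriched(SAMPLE_ENRICHED)
    for r in records:
        print(r["ip"], r["attack_type"], r["threat"], "ai_confirmed=%d" % r["ai_confirmed"])
    print("blocklist candidates:", candidates_for_blocklist(records))
```

Two rows for 195.178.110.163 collapse to one candidate, and the security.txt row (attack type unknown) is left out even though the AI flag is set; whether rows like that should be pushed is a policy decision for the team consuming the output, which is why the policy sits in one small function rather than in the parser.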

Put Log Guard AI Findings to Work


Once LogGuard AI has enriched your log data and flagged high-risk events, the next step is action. Here’s how companies use these insights to improve their defenses:

1. Blacklist or Geoblock Threat Actors

Push IPs flagged by LogGuard AI directly to your FraudGuard Blacklist or Geoblock API to immediately block repeat offenders or traffic from high-risk regions.

2. Fine-Tune Rate Limiting Rules

Use insights to adjust your FraudGuard Rate Limiting API settings, tailoring thresholds to block abusive traffic while maintaining a smooth experience for legitimate users.

3. Update WAF and Firewall Rules

Feed intelligence into your Web Application Firewall or local firewall—tightening access policies, adding IP deny lists, or restricting suspicious traffic patterns.

4. Trigger Incident Response Workflows

Integrate findings into your ticketing or incident response system to automatically assign tasks or escalate critical events to your security team in real time.

Get Started with Log Guard AI

Getting started with LogGuard AI is simple. Our team will guide you through a seamless onboarding process to ensure quick and efficient integration. LogGuard AI is available exclusively with the FraudGuard Enterprise Plan at $999/month, which includes up to 100GB of access log processing. Need more? Additional usage is just $1 per GB — scale confidently without surprise costs.

Want to see it in action? We offer a 7-day trial — just email us at hello@fraudguard.io to get started.