
BuffaLogs is an Open Source Django Project whose main purpose is to detect anomalous logins.
In detail, it sends several types of alerts: 1. Impossible Travel
It occurs when a user logs into the system from a significant distance within a range of time that cannot be covered by conventional means of transport.
Login from new device
This alert is sent if the user utilizes a new appliance.
Login from a new country
This alert is dispatched if the system is logged by a user from a country where they have never authenticated before.
Atypical country
This type of alert is triggered when the country from which the user logged in is not new, but unusual because not recent.
This alert is triggered every time that the risk_score of a user increases.
This alert occurs to signal a login made with an anonymous IP.
The idea is to compare the logins provided by the internal authentication service of the company with the logins collected by BuffaLogs and alert in case of significant inconsistencies.
For further details: Wiki - About
FOSDEM is a free event for software developers to meet, share ideas and collaborate. Every year, thousands of developers of free and open source software from all over the world gather at the event in Brussels.
| FOSDEM | An overview on detecting Login Anomalies with BuffaLogs |
|---|---|
| Our Talk: The infosec industry has seen a big growth in recent years, with a plethora of mostly closed-source solutions such as Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) marketed as indispensable tools for defending organizations. These solutions often emphasize protection against sophisticated adversaries, zero-day exploits, and malicious insiders. However, our real-world experience reveals that the majority of initial compromises occur through simpler approaches, such as stolen credentials and phishing attacks. In this talk, we introduce Buffalogs, an open-source solution designed to detect and alert on anomalous login behaviors. Adhering to the Unix philosophy of "do one thing and do it well," Buffalogs offers a way to analyze common application logs (ssh, Apache, Microsoft Entra ID, etc) and detect credential misuse. Attendees will gain insights into the challenges of login anomaly detection, the development of Buffalogs and the differences between our solution and other commercial alternatives. |
| Honeynet | IntelOwl |
|---|---|
|
|
Timeline: https://developers.google.com/open-source/gsoc/timeline Honeynet projects ideas: https://www.honeynet.org/gsoc/gsoc-2025/google-summer-of-code-2025-project-ideas/
Official Discord chat: https://discord.gg/68B8Ru5fSU
BuffaLogs employs the following tools which have to be installed on the machine: - Docker - Docker-compose - Python
Then, you can clone this repository on your local computer with:
git clone git@github.com:certego/BuffaLogs.git
Or download the application directly from the Docker Hub, with the sudo docker pull certego/buffalogs:<release_tag>.
After that, there are two ways of running BuffaLogs, depending on your system configurations:
* if you already have an elastic cluster:
* Configure the connection in config/buffalogs/ingestion.json (see Elasticsearch Configuration Guide for detailed instructions)
* Set the Elasticsearch URL, credentials, and index patterns
* launch docker compose up -d to run the containers
* if you have no hosts with Elasticsearch installed on it, you can run it directly with Buffalogs:
* run docker compose -f docker-compose.yaml -f docker-compose.elastic.yaml up -d in order to execute all the containers, included Elasticsearch and Kibana
* Now elasticsearch and kibana are running on the same host with Buffalogs.
By default, the bundled Elasticsearch is unsecured for easy development. To enable basic authentication and TLS/SSL opt-in, use the secure profile. For instructions on generating certificates, setting passwords/tokens, and starting secure mode, see docs/ingestion/elasticsearch.md.
For detailed instructions on connecting BuffaLogs to an existing Elasticsearch cluster, including: - Credentials configuration (username/password) - TLS/SSL verification settings - Index/data stream configuration - Custom field mapping
See the Elasticsearch Ingestion Guide.

For further examples: Wiki - Example
To uninstall and remove all files, delete all containers with:
sudo docker-compose down -v
Then you can safely delete this repository.
requirements.txt and also into the setup.cfg fileCHANGELOG.md containing all the features, changes and bugfix developedsetup.cfgdjango-buffalogs/dist and create the new version running python3 setup.py sdist from django-buffalogs/buffalogs-x.y.z.tar.gz package into your projectThis project is protected by the Apache Licence 2.0.
BuffaLogs is an Open Source project and was developed in order to allow enrichments from people with any level of experience, but please read carefully the Contribution guidelines before making any changes to the project.
$ claude mcp add BuffaLogs \
-- python -m otcore.mcp_server <graph>