π§° Log Combiner Tool A fast, multithreaded Python script that recursively scans folders for web server logs (access, error, ssl) β including .log and .xz compressed files β and combines them by type into a clean, organized output directory.
The .xz extension is commonly used for pre-compressed log files in NGINX environments. During DFIR investigations, these files are often all you have. This tool automatically detects and decompresses .xz files in-memory, letting you immediately parse and combine logs into searchable, readable text files.
You can then index the combined logs into your favorite analysis tool β I recommend Splunk.
πΈ Examples
Input β Raw Logs (including .xz):
Output β Clean Combined File:
Simple, single file to work with:
β¨ FEATURES
π Automatically detects access, error, and ssl logs by filename
π¦ Supports both plain .log and compressed .xz files
β‘ Blazing fast with multithreaded processing
ποΈ Preserves original subfolder structure in output
π§βπ» Simple interactive CLI β no arguments needed
𧱠No external dependencies β pure Python
π Important Behavior β Log Detection Logic
The script matches files based on the presence of keywords in the filename, not strict naming conventions. For example:
Files like access.log, access.log-20250623, broadway_access_20250623.xz will all be treated as access logs
Similarly, any file with error or ssl in its name will be matched accordingly
This flexible matching ensures compatibility with most rotated or archived log naming schemes.
π EXAMPLE STRUCTURE
Input Directory (/logs): /logs βββ site1 β βββ access.log β βββ error.log β βββ access.log-20250623.xz β βββ access.log-20250624.xz βββ site2 β βββ ssl.log β βββ error.log
Output Directory (/combined_logs):
/combined_logs βββ site1 β βββ combined-access.log β βββ combined-error.log βββ site2 β βββ combined-ssl.log β βββ combined-error.log π HOW TO USE
Run the script: python NGINX_Parser.py
When prompted:
Enter the input directory containing your logs Enter the output directory for the combined logs Done! The tool will process and combine your logs by type into the output directory.
π οΈ HOW IT WORKS
π File names are scanned for keywords:
"access" β Access logs "error" β Error logs "ssl" β SSL logs
𧩠.xz files are extracted in-memory using Pythonβs built-in lzma module
π All matched files are grouped by type and written into:
combined-access.log combined-error.log combined-ssl.log
π§ͺ REQUIREMENTS
Python 3.7 or newer
No additional dependencies (100% standard library)
π LICENSE
This project is licensed under the MIT License.
π¨βπ» Developed by Jacob Wilson β https://dfirvault.com
π¬ Feedback, forks, and pull requests are always welcome!