diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 9a20c4d..e76d517 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -596,8 +596,9 @@ monitor_apache_logs() {
 # Determine if this is a threat
 local level=$(get_threat_level "$score")
- # Only log medium+ threats or attacks
- if [ "$score" -ge "$THREAT_THRESHOLD_MEDIUM" ] || [ -n "$attacks" ]; then
+ # Log all traffic with attacks, or score > 0, or suspicious bots
+ # This ensures we see everything interesting, not just high scores
+ if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
 local color=$(get_threat_color "$level")
 local time_str=$(date +"%H:%M:%S")
@@ -605,6 +606,11 @@ monitor_apache_logs() {
 local log_line="${color}[${time_str}] $ip"
 log_line+=" | Score:$score [$level]"
+ # Show bot type if interesting
+ if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
+ log_line+=" | Bot:$bot_type"
+ fi
+
 if [ -n "$attacks" ]; then
 local first_attack=$(echo "$attacks" | cut -d',' -f1)
 local icon=$(get_attack_icon "$first_attack")
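Review bot: The new test `[ "$score" -gt 0 ]` replaces the configurable `THREAT_THRESHOLD_MEDIUM` floor with a hard-coded zero, so every request with any nonzero score is now printed. On a busy host that low-score noise can scroll medium and high entries out of the live view, which are the lines an operator most needs to see. Consider keeping the floor tunable, for example `if [ "$score" -ge "${THREAT_LOG_MIN_SCORE:-1}" ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then`, where `THREAT_LOG_MIN_SCORE` is a new setting named here only as a suggestion. `bot_type` is not assigned in this hunk, so it is presumably set earlier in `monitor_apache_logs`, whose body starts and ends outside the hunk; confirm that, because an empty value silently makes the third test false.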
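Review bot: The label test accepts `ai` as well as `suspicious`, but the logging condition in the first hunk fires only on `suspicious`. An `ai` bot with score 0 and no attacks is therefore never printed, and `Bot:ai` appears only when something else triggered the line. If that is intended, say so next to the test, e.g. `# "ai" bots are labelled but do not trigger a log line on their own`; if not, add `|| [ "$bot_type" = "ai" ]` to the logging condition. The enclosing `if` and the function continue past the end of the hunk.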