A lightweight Security Information and Event Management (SIEM) system with AI-powered threat detection capabilities.
- Real-time Log Processing: Continuous monitoring and analysis of system logs
- AI-Powered Threat Detection: Machine learning models for anomaly detection and threat classification
- Interactive Dashboard: React-based web interface for monitoring and analysis
- REST API: Comprehensive API for integration with other security tools
- Alert Management: Real-time alerts with severity classification
- Docker Support: Easy deployment with Docker and Docker Compose
- Extensible Architecture: Modular design for easy customization and extension
```
┌──────────────────┐    ┌──────────────────┐    ┌──────────────────┐
│   Log Sources    │───▶│  Log Collector   │───▶│   AI Analysis    │
│                  │    │                  │    │                  │
│ • Web Servers    │    │ • File Tailing   │    │ • Anomaly Det.   │
│ • Applications   │    │ • Log Parsing    │    │ • Threat Class.  │
│ • System Logs    │    │ • Data Cleaning  │    │ • Risk Scoring   │
└──────────────────┘    └──────────────────┘    └──────────────────┘
                                                         │
                                                         ▼
┌──────────────────┐    ┌──────────────────┐    ┌──────────────────┐
│  Web Dashboard   │◀───│    Flask API     │◀───│    Database      │
│                  │    │                  │    │                  │
│ • Real-time UI   │    │ • RESTful API    │    │ • SQLite         │
│ • Charts/Graphs  │    │ • Alert Mgmt     │    │ • Logs & Alerts  │
│ • Alert Display  │    │ • Health Check   │    │ • Configuration  │
└──────────────────┘    └──────────────────┘    └──────────────────┘
```
- Python 3.9+
- Node.js 18+
- npm or yarn
- Docker (optional)
```bash
# Clone the repository
git clone https://github.com/bbetre/siem-lite-project.git
cd siem-lite-project

# Run the automated setup script
chmod +x scripts/setup.sh
./scripts/setup.sh
```

```bash
# Start full-stack development environment
python3 scripts/run_dev.py full

# Or start components individually:
python3 scripts/run_dev.py backend   # Flask API server
python3 scripts/run_dev.py frontend  # React development server
```

- Dashboard: http://localhost:3000
- API: http://localhost:5000
- Health Check: http://localhost:5000/health

```bash
# Start with development profile
docker-compose up siem-app redis

# Or with React dev server
docker-compose --profile dev up
```

```bash
# Build and start production services
docker-compose up -d siem-app redis

# Include Prometheus and Grafana
docker-compose --profile monitoring up -d
```

```bash
# Get dashboard data
curl http://localhost:5000/api/dashboard

# Get alerts with pagination
curl "http://localhost:5000/api/alerts?page=1&per_page=10&severity=high"

# Analyze custom log entry
curl -X POST http://localhost:5000/api/analyze \
  -H "Content-Type: application/json" \
  -d '{
    "ip": "192.168.1.100",
    "method": "GET",
    "path": "/admin",
    "status_code": 401,
    "user_agent": "Mozilla/5.0",
    "timestamp": "2025-01-15 14:30:00"
  }'
```

```bash
# Train models with synthetic data
python3 ai-integration/trainer.py

# Or use the development script
python3 scripts/run_dev.py train
```

```bash
# Run all tests
python3 scripts/run_dev.py test

# Run Python tests only
source .venv/bin/activate
python -m pytest tests/ -v

# Run React tests only
cd dashboard
npm test
```

```
siem-lite-project/
├── agents/
│   ├── config.yaml              # Log collection configuration
│   ├── log_collector.py         # Main log collection engine
│   └── test_logs/               # Sample log files
├── ai-integration/
│   ├── integrator.py            # AI/ML integration module
│   └── trainer.py               # Model training script
├── dashboard/
│   ├── public/                  # React public files
│   ├── src/                     # React source code
│   │   └── App.js               # Main dashboard component
│   └── package.json             # React dependencies
├── server/
│   └── analyzer.py              # Flask API server
├── tests/
│   ├── test_agents.py           # Agent tests
│   ├── test_ai_integration.py   # AI module tests
│   ├── test_dashboard.js        # React component tests
│   └── test_server.py           # API tests
├── scripts/
│   ├── run_dev.py               # Development runner
│   └── setup.sh                 # Setup script
├── docker-compose.yml           # Docker services
├── Dockerfile                   # Container definition
├── requirements.txt             # Python dependencies
└── README.md                    # This file
```
Create a .env file:

```bash
# Flask Configuration
FLASK_ENV=development
FLASK_DEBUG=1
DATABASE_URL=sqlite:///siem_data.db
LOG_LEVEL=INFO
SECRET_KEY=your-secret-key-here

# React Configuration
REACT_APP_API_URL=http://localhost:5000
```

Edit agents/config.yaml:

```yaml
logs:
  - path: /var/log/nginx/access.log
    format: combined
  - path: /var/log/auth.log
    format: syslog
  - path: agents/test_logs/access.log
    format: combined
```

Anomaly detection model:
- Algorithm: Isolation Forest
- Features: IP patterns, request timing, status codes, path lengths
- Training: Unsupervised learning on normal traffic patterns

Threat classification model:
- Algorithm: Random Forest Classifier
- Classes: Normal, Suspicious, Malicious
- Features: 7-dimensional feature vector per log entry

Detected threat patterns:
- SQL injection detection
- Brute force attack identification
- Admin panel access monitoring
- Suspicious user agent detection

Alert severity levels:
- High: Immediate attention required (e.g., confirmed attacks)
- Medium: Suspicious activity (e.g., multiple failed logins)
- Low: Unusual but not necessarily malicious (e.g., new user agents)
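To make the pieces above concrete, here is an added, stdlib-only example that is not the project's own code from agents/log_collector.py or ai-integration/integrator.py. It parses nginx combined-format lines (the `combined` format named in agents/config.yaml) into the same field layout that the /api/analyze request body uses, then runs simple rule checks for the four threat patterns listed above and tags each finding with one of the three severity levels. The regular expression, the brute-force threshold and window, the admin path prefix, the user-agent tokens, the severity mapping and the sample log lines are all constructed for this example; the project itself uses the ML models described above, so read the rules as an illustration of what each pattern means, not as the project's detection logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# nginx "combined" log format, as named in agents/config.yaml.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Rule parameters: constructed for this example, not the project's tuned values.
BRUTE_FORCE_THRESHOLD = 5                   # 401 responses from one IP ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)  # ... within this sliding window
ADMIN_PATHS = ("/admin",)                   # path prefixes treated as admin panels
SUSPICIOUS_UA_TOKENS = ("sqlmap", "nikto")  # scanner names; an empty UA is flagged too
SQLI_RE = re.compile(r"(?i)(union\s+select|or\s+1\s*=\s*1|information_schema)")

# Severity mapping, following the High/Medium/Low definitions above.
SEVERITY = {"sql_injection": "high", "brute_force": "medium",
            "admin_access": "medium", "suspicious_user_agent": "low"}


def parse_combined(line):
    """Parse one combined-format line into the field layout sent to /api/analyze.
    Returns None for lines that do not match, so a malformed line never aborts the loop."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "method": m.group("method"), "path": m.group("path"),
            "status_code": int(m.group("status")), "user_agent": m.group("ua"),
            "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S")}


def detect(entries):
    """Apply the rules to parsed entries in time order; return one alert per finding."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent 401 responses
    reported = set()               # ips already reported for brute force
    for e in sorted(entries, key=lambda x: x["timestamp"]):
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%d %H:%M:%S")
        findings = []
        # SQL injection: inspect the URL-decoded path so %27/%20 encoding does not hide it.
        if SQLI_RE.search(unquote(e["path"])):
            findings.append("sql_injection")
        # Admin panel access: compare the path without its query string.
        if e["path"].split("?", 1)[0].startswith(ADMIN_PATHS):
            findings.append("admin_access")
        ua = e["user_agent"].lower()
        if not ua or any(tok in ua for tok in SUSPICIOUS_UA_TOKENS):
            findings.append("suspicious_user_agent")
        # Brute force: sliding window of 401s per source IP, reported once per IP.
        if e["status_code"] == 401:
            window = failures[e["ip"]]
            window.append(ts)
            while ts - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()
            if len(window) >= BRUTE_FORCE_THRESHOLD and e["ip"] not in reported:
                reported.add(e["ip"])
                findings.append("brute_force")
        for rule in findings:
            alerts.append({"ip": e["ip"], "rule": rule, "severity": SEVERITY[rule],
                           "path": e["path"], "timestamp": e["timestamp"]})
    return alerts


def severity_counts(alerts):
    """Summarise alerts in the shape of the dashboard's "alerts" section."""
    counts = {"total": len(alerts), "high": 0, "medium": 0, "low": 0}
    for a in alerts:
        counts[a["severity"]] += 1
    return counts


# Constructed sample log: one normal request, an /admin probe plus four failed logins
# from the same IP within 20 seconds, and an encoded SQL-injection probe from a scanner UA.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2025:14:29:50 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.100 - - [15/Jan/2025:14:30:00 +0000] "GET /admin HTTP/1.1" 401 162 "-" "Mozilla/5.0"
192.168.1.100 - - [15/Jan/2025:14:30:05 +0000] "POST /login HTTP/1.1" 401 162 "-" "Mozilla/5.0"
192.168.1.100 - - [15/Jan/2025:14:30:10 +0000] "POST /login HTTP/1.1" 401 162 "-" "Mozilla/5.0"
192.168.1.100 - - [15/Jan/2025:14:30:15 +0000] "POST /login HTTP/1.1" 401 162 "-" "Mozilla/5.0"
192.168.1.100 - - [15/Jan/2025:14:30:20 +0000] "POST /login HTTP/1.1" 401 162 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Jan/2025:14:31:00 +0000] "GET /search?q=1%27%20union%20select%201 HTTP/1.1" 200 88 "-" "sqlmap/1.7"
"""


def analyze_sample():
    """Parse and analyse the constructed sample; returns (alerts, severity counts)."""
    entries = [e for e in map(parse_combined, SAMPLE_LOG.splitlines()) if e]
    alerts = detect(entries)
    return alerts, severity_counts(alerts)
```

Running `analyze_sample()` on the constructed lines yields four alerts: the /admin probe (medium), a brute-force alert when the fifth 401 from 192.168.1.100 lands inside the 60-second window (medium), and the scanner request, which trips both the SQL-injection rule (high) and the user-agent rule (low). The brute-force rule is reported once per IP rather than on every subsequent failure, which is the usual way to keep a SIEM from flooding the alert table with duplicates of the same event.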
Dashboard overview metrics:
- Total alerts (24h)
- Logs processed
- Success rate
- Threat distribution
- Real-time log processing timeline
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | System health check |
| GET | /api/dashboard | Dashboard overview data |
| GET | /api/alerts | Paginated alerts list |
| GET | /api/logs | Processed logs with pagination |
| POST | /api/analyze | Analyze custom log entry |
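The alerts endpoint takes `page`, `per_page` and `severity` query parameters, as in the curl call earlier. The following is an added example, not the handler in server/analyzer.py: a framework-free Python function that validates those parameters and pages a list of alert dicts the way the endpoint's response would. The alert field names, the 100-row cap on `per_page`, the error messages and the sample alerts are assumptions made for this example.

```python
from math import ceil

VALID_SEVERITIES = ("high", "medium", "low")
DEFAULT_PER_PAGE = 10
MAX_PER_PAGE = 100   # upper bound on page size; a constructed value for this example


def parse_alert_query(args):
    """Validate the raw query-string values for /api/alerts.
    `args` holds strings, as Flask's request.args would; bad input raises ValueError so
    the caller can answer 400 instead of running an unbounded or malformed query."""
    try:
        page = int(args.get("page", 1))
        per_page = int(args.get("per_page", DEFAULT_PER_PAGE))
    except ValueError:
        raise ValueError("page and per_page must be integers") from None
    if page < 1 or per_page < 1:
        raise ValueError("page and per_page must be positive")
    severity = args.get("severity")
    if severity is not None and severity not in VALID_SEVERITIES:
        raise ValueError(f"severity must be one of {', '.join(VALID_SEVERITIES)}")
    return page, min(per_page, MAX_PER_PAGE), severity


def list_alerts(alerts, args):
    """Filter by severity, sort newest first and page a list of alert dicts.
    Returns the response body the endpoint would serialise as JSON."""
    page, per_page, severity = parse_alert_query(args)
    rows = [a for a in alerts if severity is None or a["severity"] == severity]
    rows.sort(key=lambda a: a["timestamp"], reverse=True)
    start = (page - 1) * per_page
    return {
        "alerts": rows[start:start + per_page],
        "page": page,
        "per_page": per_page,
        "total": len(rows),
        "pages": max(1, ceil(len(rows) / per_page)),
    }


# Constructed sample: 25 alerts one minute apart, cycling through high/medium/low.
SAMPLE_ALERTS = [
    {"id": i, "severity": VALID_SEVERITIES[i % 3], "timestamp": f"2025-01-15 14:{i:02d}:00"}
    for i in range(25)
]
```

Calling `list_alerts(SAMPLE_ALERTS, {"page": "1", "per_page": "10", "severity": "high"})` returns the nine high-severity alerts, newest first. Rejecting unknown severity values and capping `per_page` are the two checks worth keeping on any paginated endpoint: the first stops arbitrary strings from reaching the database query, the second keeps one request from pulling the whole alert table.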
Dashboard Data:

```json
{
  "alerts": {
    "total": 127,
    "high": 15,
    "medium": 42,
    "low": 70,
    "recent": [...]
  },
  "logs": {
    "processed": 15420,
    "errors": 23,
    "success_rate": 99.85
  },
  "threats": {
    "blocked": 89,
    "allowed": 15331
  }
}
```

- Log Sources: Extend agents/log_collector.py
- AI Models: Add to ai-integration/integrator.py
- API Endpoints: Extend server/analyzer.py
- Dashboard Components: Add to dashboard/src/
```bash
# Python linting
flake8 .

# JavaScript/React linting
cd dashboard && npm run lint

# Type checking (if using TypeScript)
npm run type-check
```

- Fork the repository
- Create a feature branch: `git checkout -b feature-name`
- Make changes and add tests
- Run tests: `python3 scripts/run_dev.py test`
- Commit changes: `git commit -am 'Add feature'`
- Push to branch: `git push origin feature-name`
- Create Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: Report bugs and request features via GitHub Issues
- Documentation: Check the docs/ directory for detailed guides
- Community: Join discussions in GitHub Discussions
- v2.0: Real-time streaming with Apache Kafka
- v2.1: Advanced ML models (Deep Learning)
- v2.2: Multi-tenant support
- v2.3: Cloud provider integrations (AWS, Azure, GCP)
- v2.4: Advanced visualization and reporting
- v3.0: Distributed deployment with Kubernetes