The Nano SIEM project is a minimalist Security Information and Event Management (SIEM) system designed for private home servers.
Nano SIEM has two main functions. The first monitors the uptime of services and sends an email notification when a service becomes unavailable. The second provides insight into the access log of a Traefik reverse proxy: it resolves client IPs to coordinates and displays them on different map views. On the detailed map (first screenshot below) you can click a location and see the requests made from it, ranked by how likely they are to be hacking attempts. A second view (second screenshot below) lists suspected hacking attempts specifically. Together these views help you understand the security risks your server is exposed to.
The software is easy to set up and configure. A pre-built, ready-to-use Docker container can be pulled from Docker Hub. If you need to parse a different log file format, feel free to write a new module and open a pull request. Look at the development.md document to get started.
If you want to check out the implementation with example data, go to the doc/demo/ folder. Further instructions on how to run the application with the example data can be found there.
Running the application on your own server is straightforward: follow the instructions below and/or look at the docker-compose file in this repository. The ready-to-use Docker image can be pulled with:

```sh
docker pull fabianhk/nano-siem
```
Basic settings:

```
DJANGO_SECRET_KEY=<strong secret key with at least 50 characters>
DOMAIN_NAME=<domain name of the server>
URL=<full url e.g. https://www.example.com>
# If you are behind a reverse proxy, you have to set this variable
USE_X_FORWARDED_HOST=True
```

Only set `USE_X_FORWARDED_HOST` when the reverse proxy is the only way to reach the container: with this setting Django builds host-dependent URLs from the `X-Forwarded-Host` header, so it must come from your proxy and never from a client that can talk to the container directly.
Only for debugging: if you want to see the logs of the cron job, mount a log file at `/home/ubuntu/.nano_siem/crontab.log`.
Database settings:

```
MYSQL_DB_NAME=NanoSiem
MYSQL_USER=NanoSiem
MYSQL_PASSWORD=<strong database password>
MYSQL_HOST=127.0.0.1
```

Once the container is running, apply the database migrations from the command line:

```sh
docker exec -it <container name> python3 manage.py migrate
```
The OpenID Connect login has been tested with Keycloak and Authentik. In the authorization server, create a new client with the redirect URI `https://<DOMAIN_NAME>/oidc/callback/`.
```
OIDC_CLIENT_ID=<CLIENT_ID>
OIDC_CLIENT_SECRET=<CLIENT_SECRET>
OIDC_AUTHORIZATION_ENDPOINT=
OIDC_TOKEN_ENDPOINT=
OIDC_USER_ENDPOINT=
# The OIDC login is enabled only if the OIDC_JWKS_ENDPOINT variable is set and
# the JWKS document can be retrieved with a 200 status code.
OIDC_JWKS_ENDPOINT=
OIDC_END_SESSION_ENDPOINT=
```
In the Keycloak admin console, create a new confidential client (enable "Client authentication") with the following configuration:

```
# Valid redirect URIs
https://<DOMAIN_NAME>/oidc/callback/
# Valid post logout redirect URIs
https://<DOMAIN_NAME>/oidc/authenticate/
```
If you don't use OpenID Connect for authentication, you have to create a superuser account. You can do this by running the following command in the container:

```sh
docker exec -it <container name> python3 manage.py createsuperuser
```
Email notification settings (used by the Overwatch module described below):

```
NOTIFICATION_EMAIL=<email address>
NOTIFICATION_EMAIL_PASSWORD=<email password>
# The SMTP server has to support STARTTLS
NOTIFICATION_EMAIL_SMTP_SERVER=<smtp server>
```
Traefik access log and GeoLite2 setup:

- Mount the Traefik access log to `/var/log/traefik_access.log`.
- Set up the free GeoLite2 database:
  - Create an account at MaxMind.
  - Create the license file `GeoIP.conf` (the configuration file of MaxMind's geoipupdate tool, holding your account ID and license key).
  - Mount the license file to `/etc/GeoIP.conf`.
- Set default location values for private IP addresses, which the GeoLite2 database cannot resolve:

```
PRIVATE_IP_LOCATION_INFO=65.01236,25.46816,Oulu,Finland,DNA
```
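As an added example (not Nano SIEM's own parser module), the following Python code shows how one line of Traefik's default CLF-style access log is parsed and where the `PRIVATE_IP_LOCATION_INFO` fallback slots in: addresses in private ranges are recognised with Python's `ipaddress` module and get the configured default location, everything else goes through a GeoLite2 lookup, represented here by a small in-memory table (`FAKE_GEO`) because the real database is not available offline. The example reads the five fields of `PRIVATE_IP_LOCATION_INFO` as latitude, longitude, city, country and provider, which is how the Oulu value above lines up; that field order, the `Location` class, the function names and the sample log lines are assumptions made for this illustration (81.2.69.142 is the address MaxMind uses in its own test data).

```python
"""Added example (not Nano SIEM's own code): parse Traefik access-log lines in
Traefik's default CLF-style format and fall back to PRIVATE_IP_LOCATION_INFO for
addresses the GeoLite2 database cannot resolve (private ranges)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Traefik's default access-log layout: Common Log Format followed by Traefik's
# request counter, router name, backend URL and duration. Assumption: the log is
# written in this default format, not Traefik's JSON format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<count>\d+) "(?P<router>[^"]*)" "(?P<backend>[^"]*)" (?P<duration>\d+)ms$'
)


@dataclass(frozen=True)
class Location:
    lat: float
    lon: float
    city: str
    country: str
    isp: str


def parse_private_ip_location(value: str) -> Location:
    """Parse PRIVATE_IP_LOCATION_INFO, read here as 'lat,lon,city,country,isp'."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 5:
        raise ValueError("expected 5 fields: lat,lon,city,country,isp")
    lat, lon = float(parts[0]), float(parts[1])
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return Location(lat, lon, parts[2], parts[3], parts[4])


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["duration_ms"] = int(rec.pop("duration"))
    return rec


def is_private(ip_text: str) -> bool:
    """True for RFC 1918, loopback, link-local and similar non-routable ranges.
    Unparseable strings count as not private (the geo lookup will fail them too)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def locate(ip_text: str, geo_lookup: Callable[[str], Optional[Location]],
           private_default: Location) -> Optional[Location]:
    """Private addresses never resolve in GeoLite2, so they get the configured
    default; everything else goes through geo_lookup (stand-in for the GeoLite2 query)."""
    if is_private(ip_text):
        return private_default
    return geo_lookup(ip_text)


def enrich_log(log_text: str, private_ip_location_info: str,
               geo_lookup: Callable[[str], Optional[Location]]) -> List[dict]:
    """Parse every line, skip malformed ones, and attach a location to each record."""
    default = parse_private_ip_location(private_ip_location_info)
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not in Traefik's CLF layout; skip instead of crashing the cron job
        rec["location"] = locate(rec["ip"], geo_lookup, default)
        records.append(rec)
    return records


# Constructed sample log (not real traffic). 81.2.69.142 is the address MaxMind
# uses in its own GeoIP test data; FAKE_GEO stands in for the GeoLite2 database.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Oct/2023:13:55:36 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 1 "web@docker" "http://10.0.0.5:8080" 12ms
81.2.69.142 - - [10/Oct/2023:13:55:40 +0000] "GET /.env HTTP/1.1" 404 19 "-" "python-requests/2.31" 2 "web@docker" "http://10.0.0.5:8080" 3ms
this line is not an access-log entry
"""
FAKE_GEO = {"81.2.69.142": Location(51.5142, -0.0931, "London", "United Kingdom", "")}


def demo() -> List[dict]:
    return enrich_log(SAMPLE_LOG, "65.01236,25.46816,Oulu,Finland,DNA", FAKE_GEO.get)


if __name__ == "__main__":
    for r in demo():
        print(r["ip"], r["status"], r["path"], r["location"])
```

The private-range check runs before the database lookup, so a request from your LAN is pinned to the configured default location instead of being dropped as unresolvable; the malformed third line is skipped rather than aborting the whole import, which is what you want from a job that runs unattended from cron.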
The Overwatch module checks every minute whether a service is available. If a service is not available, the module sends an email notification to the configured email address (this requires the notification settings above to be configured). You can configure as many services as you want by increasing the number at the end of the environment variable. The pair of name and type has to be unique. The type can be one of `http`, `tcp`, `ping` or `disk`.
```
# HTTP example
OVERWATCH_0=Name,http,https://example.com
OVERWATCH_{i}=Name,http,<url>
# TCP example
OVERWATCH_1=Name,tcp,example.com,22
OVERWATCH_{i}=Name,tcp,<domain/ip>,<port>
# Ping example
OVERWATCH_2=Name,ping,example.com
OVERWATCH_{i}=Name,ping,<domain/ip>
# Disk example
OVERWATCH_3=Name,disk,/dev/sda1,/media/usb,58d775d2-1fcb-4d10-aee5-cb956a86abd3
OVERWATCH_{i}=Name,disk,<device>,<mount point>,<uuid>
```
Note on the disk availability check: you have to mount the host's root filesystem read-only at `/mnt/rootfs` in the container. Read-only only prevents writes; the container process can still read every file on the host, so add this mount only if you actually configure a `disk` check.
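As an added example (not Nano SIEM's own code), the following validator applies the rules above to a set of environment variables before the container is started: a type from the allowed set, the number of fields the examples show for that type, and a unique (name, type) pair. It treats the indices as consecutive from `OVERWATCH_0` and reports a gap as an error; whether Nano SIEM itself tolerates gaps is not stated on this page. The per-type sanity checks (URL scheme, port range, UUID syntax, absolute mount point) are this example's additions, not documented project behaviour, and `SAMPLE_ENV` is a constructed environment mirroring the examples above.

```python
"""Added example (not Nano SIEM's own code): validate OVERWATCH_{i} entries
against the rules in the README before starting the container."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Fields that follow "Name,type" for each check type, taken from the README examples.
TYPE_FIELDS = {
    "http": ["url"],
    "tcp": ["host", "port"],
    "ping": ["host"],
    "disk": ["device", "mount_point", "uuid"],
}
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
VAR_RE = re.compile(r"^OVERWATCH_(\d+)$")


@dataclass(frozen=True)
class Check:
    index: int
    name: str
    kind: str
    args: Dict[str, str]


def parse_entry(index: int, raw: str) -> Check:
    """Parse one 'Name,type,...' value and check it has the fields its type needs."""
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"OVERWATCH_{index}: expected at least 'Name,type'")
    name, kind, rest = parts[0], parts[1], parts[2:]
    if kind not in TYPE_FIELDS:
        raise ValueError(f"OVERWATCH_{index}: unknown type {kind!r}, "
                         f"expected one of {sorted(TYPE_FIELDS)}")
    fields = TYPE_FIELDS[kind]
    if len(rest) != len(fields):
        raise ValueError(f"OVERWATCH_{index}: {kind} needs {fields}, got {len(rest)} field(s)")
    args = dict(zip(fields, rest))
    # Per-type sanity checks (this example's additions, not documented project behaviour).
    if kind == "http" and not args["url"].startswith(("http://", "https://")):
        raise ValueError(f"OVERWATCH_{index}: url must start with http:// or https://")
    if kind == "tcp" and not (args["port"].isdigit() and 1 <= int(args["port"]) <= 65535):
        raise ValueError(f"OVERWATCH_{index}: port must be 1-65535")
    if kind == "disk":
        if not UUID_RE.match(args["uuid"]):
            raise ValueError(f"OVERWATCH_{index}: uuid is not a valid UUID")
        if not args["mount_point"].startswith("/"):
            raise ValueError(f"OVERWATCH_{index}: mount point must be an absolute path")
    return Check(index, name, kind, args)


def load_checks(env: Dict[str, str]) -> List[Check]:
    """Collect OVERWATCH_0, OVERWATCH_1, ... and enforce unique (name, type) pairs.
    Assumption: indices are consecutive from 0; a gap is reported so that a
    mistyped number does not silently drop the checks behind it."""
    indices = []
    for key in env:
        m = VAR_RE.match(key)
        if m:
            indices.append(int(m.group(1)))
    indices.sort()
    if indices != list(range(len(indices))):
        raise ValueError(f"OVERWATCH_ indices must be consecutive from 0, got {indices}")
    checks: List[Check] = []
    seen = set()
    for i in indices:
        check = parse_entry(i, env[f"OVERWATCH_{i}"])
        key = (check.name, check.kind)
        if key in seen:
            raise ValueError(f"OVERWATCH_{i}: duplicate (name, type) pair {key}")
        seen.add(key)
        checks.append(check)
    return checks


# Constructed sample environment mirroring the README examples. "Website" appears
# twice with different types, which the (name, type) uniqueness rule allows.
SAMPLE_ENV = {
    "OVERWATCH_0": "Website,http,https://example.com",
    "OVERWATCH_1": "SSH,tcp,example.com,22",
    "OVERWATCH_2": "Website,ping,example.com",
    "OVERWATCH_3": "USB,disk,/dev/sda1,/media/usb,58d775d2-1fcb-4d10-aee5-cb956a86abd3",
}


def demo() -> List[Check]:
    return load_checks(SAMPLE_ENV)


if __name__ == "__main__":
    # Validate the real environment if OVERWATCH_ variables are set, else the sample.
    source = dict(os.environ) if "OVERWATCH_0" in os.environ else SAMPLE_ENV
    for c in load_checks(source):
        print(f"OVERWATCH_{c.index}: {c.name} [{c.kind}] {c.args}")
```

Run it in the shell where you export the variables (or with `docker compose run --rm nano-siem python3 validate.py` if you copy it into the image) before starting the service: a rejected entry fails loudly here instead of a check silently never being scheduled.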
You can find all configuration options in the file configuration.md.
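To tie the settings on this page together, here is an illustrative docker-compose.yml. It is an added example, not the compose file from the repository, and its assumptions are marked in comments: the port the container listens on is not stated on this page, the MySQL service and volume names are placeholders, and the host path of the Traefik access log depends on your Traefik configuration. Secrets (`DJANGO_SECRET_KEY`, `MYSQL_PASSWORD`, `OIDC_CLIENT_SECRET`, `NOTIFICATION_EMAIL_PASSWORD`) are kept in a `.env` file next to the compose file that is not committed to git.

```yaml
# Illustrative docker-compose.yml assembled from the settings on this page
# (example, not the repository's own compose file).
services:
  nano-siem:
    image: fabianhk/nano-siem
    restart: unless-stopped
    depends_on:
      - db
    ports:
      # ASSUMPTION: the container's listening port is not stated on this page;
      # take it from configuration.md and route Traefik to it as in your setup.
      - "8000:8000"
    env_file:
      - .env   # DJANGO_SECRET_KEY, MYSQL_PASSWORD, OIDC_*, NOTIFICATION_* live here
    environment:
      DOMAIN_NAME: siem.example.com          # placeholder
      URL: https://siem.example.com          # placeholder
      USE_X_FORWARDED_HOST: "True"           # Nano SIEM sits behind Traefik
      MYSQL_DB_NAME: NanoSiem
      MYSQL_USER: NanoSiem
      MYSQL_HOST: db                         # the db service below instead of 127.0.0.1
      PRIVATE_IP_LOCATION_INFO: "65.01236,25.46816,Oulu,Finland,DNA"
      OVERWATCH_0: "Website,http,https://example.com"
      OVERWATCH_1: "SSH,tcp,example.com,22"
      OVERWATCH_2: "USB,disk,/dev/sda1,/media/usb,58d775d2-1fcb-4d10-aee5-cb956a86abd3"
    volumes:
      # ASSUMPTION: host path of the Traefik access log; the in-container path is fixed.
      - /var/log/traefik/access.log:/var/log/traefik_access.log:ro
      - ./GeoIP.conf:/etc/GeoIP.conf:ro
      - /:/mnt/rootfs:ro                     # only needed for the disk check (OVERWATCH_2)
      # - ./crontab.log:/home/ubuntu/.nano_siem/crontab.log   # debugging only

  db:
    image: mysql:8                           # placeholder database service
    restart: unless-stopped
    environment:
      MYSQL_DATABASE: NanoSiem
      MYSQL_USER: NanoSiem
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}      # interpolated from the same .env file
      MYSQL_RANDOM_ROOT_PASSWORD: "1"
    volumes:
      - db-data:/var/lib/mysql

volumes:
  db-data:
```

Bring it up with `docker compose up -d`, then apply the migrations with `docker compose exec nano-siem python3 manage.py migrate` (and `createsuperuser` if you do not use OpenID Connect). Drop the `/:/mnt/rootfs:ro` line together with `OVERWATCH_2` if you do not need a disk check.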