This is a custom-built Security Information and Event Management (SIEM) system designed for learning and lab environments. It collects logs from network devices and firewalls, parses them for security events, analyzes threats, and provides a web-based dashboard for monitoring.
```text
Network Devices/Firewalls
          ↓
     Syslog (UDP)
          ↓
     Log Collector
          ↓
Log Parser (Pattern Matching)
          ↓
    Threat Analyzer
          ↓
    SQLite Database
          ↓
     Web Dashboard
```
- `syslog_collector.py` - Receives syslog messages via UDP
- `log_parser.py` - Parses logs and identifies security events
- `siem_database.py` - Stores logs and alerts in SQLite
- `dashboard.py` - Flask web application for visualization
- `siem_main.py` - Integrates all components
```bash
# Python 3.8 or higher
python3 --version

# Install required packages
pip3 install flask

# Make scripts executable
chmod +x *.py

# Start the SIEM system
python3 siem_main.py
```

The system will start:
- Syslog receiver on port 5140 (UDP)
- Web dashboard on http://localhost:5000
Point your network devices to send syslog messages to your SIEM server:
Example: Cisco Router/Switch
```text
configure terminal
logging host <SIEM_IP> transport udp port 5140
logging trap informational
logging facility local4
end
```
Example: pfSense Firewall
- Go to Status > System Logs > Settings
- Enable "Send log messages to remote syslog server"
- Add remote log server: `<SIEM_IP>:5140`
- Select log levels to send
Example: Linux iptables
```bash
# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "IPTABLES-DROP: " --log-level 4

# Configure rsyslog to forward
echo "*.* @<SIEM_IP>:5140" >> /etc/rsyslog.d/50-default.conf
systemctl restart rsyslog
```

```bash
# Use different ports
python3 siem_main.py --syslog-port 514 --web-port 8080

# Note: Port 514 requires root/sudo
sudo python3 siem_main.py --syslog-port 514
```

Use the included test script to generate sample security events:
```bash
python3 test_siem.py
```

Or manually send test syslog messages:

```bash
# Install logger (if not available)
# apt-get install bsdutils    # Debian/Ubuntu
# yum install util-linux      # RHEL/CentOS

# Send test messages
logger -n localhost -P 5140 "DENY src=10.0.0.5 dst=192.168.1.100 port=22 proto=tcp"
logger -n localhost -P 5140 "Authentication failed for user admin from 203.0.113.50"
logger -n localhost -P 5140 "Port scan detected from 198.51.100.25"
```

Or from a Python script:

```python
import socket
import time


def send_test_log(message):
    """Send one raw syslog datagram to the local collector on UDP port 5140."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(message.encode(), ('localhost', 5140))
    sock.close()


# Test firewall block
send_test_log('<133>Jan 1 12:00:00 firewall01 DENY src=10.0.0.5 dst=192.168.1.100 port=22')
time.sleep(1)

# Test auth failure
send_test_log('<133>Jan 1 12:01:00 server01 Authentication failed for user admin from 203.0.113.50')
time.sleep(1)

# Test port scan
send_test_log('<133>Jan 1 12:02:00 firewall01 Port scan detected from 198.51.100.25')

print("Test logs sent!")
```

Access the dashboard at http://localhost:5000
- Total events in last 24 hours
- New alerts requiring attention
- High priority alerts
- Top event categories
- View all active security alerts
- Filter by severity (critical, high, medium, low)
- Filter by status (new, investigating, resolved)
- Update alert status
- View recent security events
- Search logs by keyword
- Filter by event category
- Real-time updates (30-second refresh)
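The test messages above carry a syslog PRI header such as `<133>`, which encodes facility and severity and is what the collector has to decode before any pattern matching happens. The parser below is an added example, not the project's own `log_parser.py`: it assumes BSD-style (RFC 3164) headers like the test script's, uses the PRI arithmetic from RFC 5424, and keeps malformed datagrams verbatim rather than dropping them, since oddly formed input is itself worth seeing in a SIEM. `SyslogMessage` and `parse_syslog` are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Short facility/severity names after RFC 5424 Tables 1 and 2; PRI = facility * 8 + severity.
FACILITIES = ['kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp',
              'cron', 'authpriv', 'ftp', 'ntp', 'audit', 'alert', 'clock',
              'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7']
SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

# Optional <PRI>, optional BSD-style "Mmm dd hh:mm:ss host " header, then free text.
# A hostname is only taken when a timestamp precedes it; otherwise the first word of a
# bare message such as "DENY src=..." would be mistaken for the host.
SYSLOG_RE = re.compile(
    r'^(?:<(?P<pri>\d{1,3})>)?'
    r'(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>[\w.-]+) )?'
    r'(?P<msg>.*)$', re.DOTALL)

@dataclass
class SyslogMessage:
    facility: Optional[int]
    facility_name: Optional[str]
    severity: Optional[int]
    severity_name: Optional[str]
    timestamp: Optional[str]
    hostname: Optional[str]
    message: str

def parse_syslog(datagram: str) -> SyslogMessage:
    """Decode one UDP syslog datagram. Malformed input is kept verbatim, never dropped."""
    line = datagram.rstrip('\r\n\x00')
    m = SYSLOG_RE.match(line)
    pri = m.group('pri')
    if pri is not None and int(pri) > 191:
        # PRI must be 0..191 (RFC 5424 6.2.1); keep the raw text so the oddity stays visible.
        return SyslogMessage(None, None, None, None, None, None, line)
    facility = severity = None
    if pri is not None:
        facility, severity = divmod(int(pri), 8)
    return SyslogMessage(
        facility, FACILITIES[facility] if facility is not None else None,
        severity, SEVERITIES[severity] if severity is not None else None,
        m.group('ts'), m.group('host'), m.group('msg'))
```

For the test script's `<133>` messages this yields facility 16 (`local0`) and severity 5 (`notice`), which is the value worth storing in the log table's `severity` field alongside the parser's own event severity.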
The SIEM can detect the following event types:
| Event Type | Pattern | Severity | Example |
|---|---|---|---|
| Firewall Block | DENY/BLOCK/DROP traffic | Medium | DENY src=X dst=Y port=Z |
| Auth Failure | Failed login attempts | Medium | Authentication failed for user X |
| Brute Force | Multiple auth failures | High | 5+ failures from same IP |
| Port Scan | Multiple port accesses | High | 10+ unique ports from same IP |
| DDoS Attack | Flood/DDoS patterns | Critical | DDoS detected from X |
| VPN Connection | VPN login events | Low | VPN connected user X |
| Config Change | Configuration modifications | Medium | Configuration changed |
Brute force detection:
- Threshold: 5 failed authentication attempts
- Window: Per unique IP + username combination
- Action: Generate high-severity alert

Port scan detection:
- Threshold: 10 unique destination ports
- Window: Per source IP
- Action: Generate high-severity alert
Add custom detection rules by editing log_parser.py:
```python
# Add new pattern in LogParser.__init__()
# (log_parser.py must import re at module level)
self.patterns['custom_event'] = {
    'pattern': re.compile(r'YOUR_REGEX_PATTERN', re.IGNORECASE),
    'fields': ['field1', 'field2'],
    'severity': 'high',
    'category': 'custom_category'
}
```

- Stores all incoming log entries
- Fields: timestamp, source_ip, hostname, message, event_type, severity
- Indexed on: timestamp, source_ip, event_category
- Stores generated security alerts
- Fields: alert_id, title, severity, status, timestamp
- Statuses: new, investigating, resolved, false_positive
- Tracks known malicious/suspicious IPs
- Fields: ip_address, reputation, threat_count
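As an added illustration of the detection table and threshold rules above (this is example code, not the project's `log_parser.py` or threat analyzer), the following keeps rules in the same dictionary shape as the custom-rule snippet, with regex named groups standing in for its `fields` list, and applies the 5-failure brute-force and 10-port port-scan thresholds statefully. The regexes, `ThreatAnalyzer` and the alert dictionaries are this example's own assumptions.

```python
import re
from collections import defaultdict

# Rules in the same shape as the LogParser.patterns entries shown above; the regex
# named groups (src, dst, port, user) take the place of the 'fields' list.  The
# regexes are this example's own, not the project's.
PATTERNS = {
    'firewall_block': {
        'pattern': re.compile(r'\b(?:DENY|BLOCK|DROP)\b.*?src=(?P<src>[\d.]+).*?dst=(?P<dst>[\d.]+).*?port=(?P<port>\d+)', re.I),
        'severity': 'medium', 'category': 'firewall'},
    'auth_failure': {
        'pattern': re.compile(r'Authentication failed for user (?P<user>\S+) from (?P<src>[\d.]+)', re.I),
        'severity': 'medium', 'category': 'auth'},
}
BRUTE_FORCE_THRESHOLD = 5   # failures per (source IP, username), as in the README
PORT_SCAN_THRESHOLD = 10    # unique destination ports per source IP, as in the README

class ThreatAnalyzer:
    def __init__(self):
        self.auth_failures = defaultdict(int)   # (src_ip, username) -> failure count
        self.ports_seen = defaultdict(set)      # src_ip -> blocked destination ports

    def classify(self, message):
        """Return the first matching event as a dict, or None for unclassified text."""
        for name, rule in PATTERNS.items():
            m = rule['pattern'].search(message)
            if m:
                return {'event_type': name, 'severity': rule['severity'],
                        'category': rule['category'], **m.groupdict()}
        return None

    def analyze(self, message):
        """Return (event, alert). The alert is raised only on the message that crosses
        a threshold, so a sustained attack produces one alert rather than one per line."""
        event = self.classify(message)
        if event is None:
            return None, None
        alert = None
        if event['event_type'] == 'auth_failure':
            key = (event['src'], event['user'].lower())
            self.auth_failures[key] += 1
            if self.auth_failures[key] == BRUTE_FORCE_THRESHOLD:
                alert = {'title': f'Brute force from {key[0]} against user {key[1]}', 'severity': 'high'}
        elif event['event_type'] == 'firewall_block':
            ports = self.ports_seen[event['src']]
            ports.add(int(event['port']))
            if len(ports) == PORT_SCAN_THRESHOLD:
                alert = {'title': f'Port scan from {event["src"]}', 'severity': 'high'}
        return event, alert
```

The counters never expire, which matches the README's per-key window; repeated blocks on the same port do not advance the port-scan count, and a time-bounded window would be the natural next step to keep slow, legitimate failures from accumulating into an alert.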
The dashboard exposes REST API endpoints:
```text
GET /api/statistics - Dashboard statistics
GET /api/logs - Recent logs
GET /api/alerts - Security alerts
GET /api/search?q=keyword - Search logs
POST /api/alerts/:id/status - Update alert status
```
Example API usage:
```bash
# Get statistics
curl http://localhost:5000/api/statistics

# Search logs
curl "http://localhost:5000/api/search?q=denied"

# Get high severity alerts
curl "http://localhost:5000/api/alerts?severity=high"
```

- Threat Intelligence Integration
  - Add IP reputation lookups (AbuseIPDB, VirusTotal)
  - Integrate threat feeds
- Advanced Analytics
  - Machine learning for anomaly detection
  - Baseline behavior analysis
  - Statistical correlation
- Improved Storage
  - Migrate to PostgreSQL or Elasticsearch
  - Implement log rotation
  - Add data retention policies
- Alerting Mechanisms
  - Email notifications (SMTP)
  - Slack/Discord webhooks
  - SMS alerts (Twilio)
  - PagerDuty integration
- Compliance Reporting
  - Generate compliance reports
  - Export logs in standard formats
  - Audit trail functionality
- Multi-tenant Support
- User Authentication & RBAC
- Custom Dashboard Widgets
- Playbook Automation (SOAR)
- Network Traffic Analysis (NetFlow)
- Check if syslog server is running:

  ```bash
  netstat -ulnp | grep 5140
  ```

- Test connectivity:

  ```bash
  nc -u localhost 5140
  # Type a test message and press Enter
  ```

- Check firewall rules:

  ```bash
  # Allow UDP port 5140
  sudo ufw allow 5140/udp
  ```

SQLite has limited concurrency. For production use, migrate to PostgreSQL:

```python
# In siem_database.py, replace SQLite with PostgreSQL
import psycopg2
```

- Check Flask is running:

  ```bash
  ps aux | grep dashboard.py
  # The dashboard is started by siem_main.py, so also check for that process
  ps aux | grep siem_main.py
  ```

- Check port availability:

  ```bash
  netstat -tlnp | grep 5000
  ```

- Try accessing:

  ```bash
  curl http://localhost:5000
  ```
- This SIEM is designed for learning environments
- SQLite is not suitable for production
- No authentication on web dashboard
- No encryption for log transmission
Consider:
- Add HTTPS/TLS for web dashboard
- Implement user authentication (OAuth, SAML)
- Use enterprise database (PostgreSQL, Elasticsearch)
- Enable TLS for syslog (port 6514)
- Implement log signing/integrity checks
- Add backup and disaster recovery
- Deploy in high-availability configuration
This is a learning project! Enhance it by:
- Adding more detection patterns
- Implementing new alert rules
- Creating custom dashboard widgets
- Improving parsing accuracy
- Adding support for more log formats
- RFC 5424: Syslog Protocol
- MITRE ATT&CK Framework
- OWASP Top 10
- CIS Critical Security Controls
- ELK Stack (Elasticsearch, Logstash, Kibana)
- Wazuh (Open-source SIEM)
- Graylog (Log management)
- AlienVault OSSIM
Educational use only. Use at your own risk.
Happy Learning! 🛡️🔍