
Aziz Q.


I built an open-source SIEM that detects attacks in real time

I'm a Mechanical Engineering student but I spend most of my free time on cybersecurity. After a while of just doing CTFs and reading write-ups I wanted to actually build something real.

Most open-source SIEM tools are either too basic (a script that greps auth.log) or too heavy to set up without a dedicated team. I wanted something in the middle — something that looks like a real product and deploys with one command.

So I built LogHunter.

what it does

The platform has three parts:

Go collector — sits on your servers, tails SSH and Nginx log files, parses them, and ships events in batches to the engine. The binary is about 15MB.

Python detection engine (FastAPI) — runs every event through three detectors:

  • Brute force — tracks failed logins per IP using Redis sliding windows. 5 failures in 5 minutes = alert. (MITRE T1110)
  • Web attacks — regex matching for SQL injection, XSS, and path traversal. (MITRE T1190)
  • Impossible travel — flags when the same user logs in from two countries within an hour. (MITRE T1078)

React dashboard — dark theme, live WebSocket feed, SVG world map with animated threat dots, host monitoring, and notification management. You add Slack/Discord/Telegram channels from the UI.
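To make the three detectors concrete, here is an added Python sketch of each one; this is example code written for this post's explanation, not code from the LogHunter repository. The in-memory SlidingWindow stands in for the Redis sorted set (the comments give the redis-py calls it mirrors), the GEO_TABLE prefixes are a constructed stand-in for a GeoIP lookup, and every IP, timestamp and request path in run_demo() is constructed sample data.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote


# --- Brute force (MITRE T1110): failed logins per source IP in a sliding window ---
# In-memory stand-in for a Redis sorted set keyed by IP. The trailing comments give the
# redis-py equivalents; in Redis use a unique member such as f"{now}:{seq}" so that two
# failures landing in the same second are not collapsed into one entry.
class SlidingWindow:
    def __init__(self, limit=5, window_sec=300):
        self.limit = limit
        self.window = window_sec
        self._hits = defaultdict(list)  # key -> timestamps of failures

    def record(self, key, now):
        """Record one failure at `now`; return True once `limit` failures fall inside the window."""
        cutoff = now - self.window
        hits = self._hits[key]
        hits.append(now)                                   # ZADD key now now
        hits[:] = [t for t in hits if t > cutoff]          # ZREMRANGEBYSCORE key -inf cutoff
        return len(hits) >= self.limit                     # ZCARD key


# --- Web attacks (MITRE T1190): signature regexes over the request path ---
WEB_PATTERNS = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d|sleep\(\d+\)", re.I),
    "xss": re.compile(r"<script\b|javascript:|on(?:error|load)\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e(?:%2f|/)", re.I),
}


def classify_request(path):
    """Return the names of every pattern matching the raw or URL-decoded request path."""
    decoded = unquote(path)
    return [name for name, rx in WEB_PATTERNS.items() if rx.search(path) or rx.search(decoded)]


# --- Impossible travel (MITRE T1078): one user, two countries, under an hour apart ---
# Constructed prefix-to-country table; a deployment would consult a GeoIP database instead.
GEO_TABLE = [(ip_network("203.0.113.0/24"), "DE"), (ip_network("198.51.100.0/24"), "BR")]


def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), None)


class ImpossibleTravel:
    def __init__(self, window_sec=3600):
        self.window = window_sec
        self._last = {}  # user -> (country, timestamp of last successful login)

    def record(self, user, ip, now):
        """Return (previous_country, new_country) if the user hops countries within the window."""
        country = country_of(ip)
        prev = self._last.get(user)
        self._last[user] = (country, now)
        if prev and country and prev[0] and prev[0] != country and now - prev[1] <= self.window:
            return prev[0], country
        return None


def run_demo():
    """Feed constructed sample events through all three detectors and collect the alerts."""
    alerts = []
    bf, travel = SlidingWindow(), ImpossibleTravel()
    # five constructed SSH failures from one IP, 30 seconds apart: the fifth trips the alert
    for i in range(5):
        if bf.record("203.0.113.42", 1_000 + 30 * i):
            alerts.append(("T1110", "203.0.113.42"))
    # two constructed Nginx request paths: one benign, one traversal attempt
    for path in ["/healthz", "/index.php?page=../../etc/passwd"]:
        for kind in classify_request(path):
            alerts.append(("T1190", kind))
    # constructed logins for one user from two countries, 20 minutes apart
    for ip, ts in [("203.0.113.42", 2_000), ("198.51.100.7", 3_200)]:
        hop = travel.record("alice", ip, ts)
        if hop:
            alerts.append(("T1078", hop))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The sliding window is the same primitive that backs the "5/min per IP" login rate limit later in the post, only with a different key and threshold; keeping it as one class with the window and limit as parameters means both uses share one tested code path.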

screenshots

(images omitted: overview, threat map, notifications)

architecture

Collector (Go) → Engine (FastAPI) → Dashboard (React) → Postgres + Redis → Slack / Discord / Telegram

security

Since it's a security tool I tried to actually do this part right:

  • API key auth on event ingestion
  • JWT + bcrypt for dashboard access
  • rate-limited login (5/min per IP)
  • WebSocket requires valid token
  • CORS restricted to dashboard origin
  • engine refuses to start if secret key is still default
  • databases not exposed outside docker network
  • webhook secrets masked in API responses
  • non-root containers
  • all queries through SQLAlchemy ORM
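Three of the items in that list are easy to get subtly wrong, so here is an added Python illustration of how they can be implemented; this is example code for this post, not LogHunter's own, and it assumes the secret lives in an environment variable named SECRET_KEY, that the .env.example template ships the placeholder "changeme", and a 32-character minimum (all three are assumptions, not facts from the repo).

```python
import hmac
from urllib.parse import urlsplit

# Placeholder assumed to ship in the .env.example template (hypothetical; check the real file).
TEMPLATE_DEFAULT = "changeme"
MIN_KEY_LEN = 32  # `openssl rand -hex 32` yields 64 hex characters, comfortably above this


def secret_key_problem(env):
    """Return a human-readable reason the SECRET_KEY is unusable, or None if it is acceptable."""
    key = env.get("SECRET_KEY", "")
    if not key:
        return "SECRET_KEY is not set"
    if key == TEMPLATE_DEFAULT:
        return "SECRET_KEY is still the .env.example default"
    if len(key) < MIN_KEY_LEN:
        return f"SECRET_KEY is shorter than {MIN_KEY_LEN} characters"
    return None


def check_secret_key(env):
    """Startup guard: raise so the engine refuses to boot with a missing, default or short key."""
    problem = secret_key_problem(env)
    if problem:
        raise RuntimeError(f"{problem}; generate one with: openssl rand -hex 32")
    return env["SECRET_KEY"]


def api_key_matches(presented, expected):
    """Constant-time comparison for the collector's ingestion API key.

    A plain `==` short-circuits on the first differing byte, which leaks how much of the
    key was right through response timing; hmac.compare_digest does not.
    """
    return hmac.compare_digest(presented.encode(), expected.encode())


def mask_webhook(url, keep=4):
    """Hide the token-bearing path of a webhook URL before it goes out in an API response.

    Every path segment becomes '***'; only the last `keep` characters of the final segment
    survive so an admin can still tell two configured channels apart.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        return url
    tail = segments[-1][-keep:] if len(segments[-1]) > keep else ""
    masked = ["***"] * (len(segments) - 1) + ["***" + tail]
    return f"{parts.scheme}://{parts.netloc}/" + "/".join(masked)


if __name__ == "__main__":
    import os
    print(check_secret_key(os.environ))
    print(mask_webhook("https://hooks.slack.com/services/T000/B000/abcdef1234"))  # constructed URL
```

Masking whole path segments rather than a fixed number of characters matters because the token sits in a different place for each provider (last segment for Slack and Discord, a middle segment for Telegram bot URLs), and the masked form should never be reusable to post a message.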

try it

git clone https://github.com/2lba/loghunter.git
cd loghunter
cp .env.example .env
# generate secrets with: openssl rand -hex 32
docker-compose up --build -d

There's a demo script that fills the dashboard with realistic attack data:

chmod +x demo-data.sh
./demo-data.sh
bugs that wasted my time

  • passlib doesn't work with bcrypt 5.x. Had to switch to raw bcrypt.
  • react-simple-maps doesn't support React 19. Rewrote the map with d3-geo.
  • FastAPI CORS middleware doesn't cover error responses. Wrote custom middleware.
  • Postgres INET columns return IPv4Address objects that Pydantic can't serialize.
  • special characters in .env passwords break shell scripts.

what's next

  • ML anomaly detection
  • eBPF collector
  • Kubernetes operator
  • mobile alerts app

repo: github.com/2lba/loghunter

feedback welcome.
