The latest articles on DEV Community by Aziz Q. (@2lba). https://dev.to/2lba https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3939069%2F969b8f49-96fb-44e7-b291-d50b7cd3d3ca.jpeg https://dev.to/2lba en Aziz Q. Mon, 18 May 2026 23:49:57 +0000 https://dev.to/2lba/i-built-an-open-source-siem-that-detects-attacks-in-real-time-5dp2 https://dev.to/2lba/i-built-an-open-source-siem-that-detects-attacks-in-real-time-5dp2 <p>I'm a Mechanical Engineering student but I spend most of my free time on cybersecurity. After a while of just doing CTFs and reading write-ups I wanted to actually build something real.</p> <p>Most open-source SIEM tools are either too basic (a script that greps auth.log) or too heavy to set up without a dedicated team. I wanted something in the middle — something that looks like a real product and deploys with one command.</p> <p>So I built LogHunter.</p> <h2> what it does </h2> <p>The platform has three parts:</p> <p><strong>Go collector</strong> — sits on your servers, tails SSH and Nginx log files, parses them, and ships events in batches to the engine. The binary is about 15MB.</p> <p><strong>Python detection engine</strong> (FastAPI) — runs every event through three detectors:</p> <ul> <li> <strong>Brute force</strong> — tracks failed logins per IP using Redis sliding windows. 5 failures in 5 minutes = alert. (MITRE T1110)</li> <li> <strong>Web attacks</strong> — regex matching for SQL injection, XSS, and path traversal. (MITRE T1190)</li> <li> <strong>Impossible travel</strong> — flags when the same user logs in from two countries within an hour. (MITRE T1078)</li> </ul> <p><strong>React dashboard</strong> — dark theme, live WebSocket feed, SVG world map with animated threat dots, host monitoring, and notification management. You add Slack/Discord/Telegram channels from the UI.</p> <h2> screenshots </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvpl2w0kj6grsogsaki.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flxvpl2w0kj6grsogsaki.png" alt="overview" width="800" height="448"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9xyjaj4qdnj512zgdqkr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9xyjaj4qdnj512zgdqkr.png" alt="threat map" width="800" height="448"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fropws2br5o9esfdznuv7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fropws2br5o9esfdznuv7.png" alt="notifications" width="800" height="448"></a></p> <h2> architecture </h2> <p>Collector (Go) → Engine (FastAPI) → Dashboard (React) → Postgres + Redis → Slack / Discord / Telegram</p> <h2> security </h2> <p>Since it's a security tool I tried to actually do this part right:</p> <ul> <li>API key auth on event ingestion</li> <li>JWT + bcrypt for dashboard access</li> <li>rate limited login (5/min per IP)</li> <li>WebSocket requires valid token</li> <li>CORS restricted to dashboard origin</li> <li>engine refuses to start if secret key is still default</li> <li>databases not exposed outside docker network</li> <li>webhook secrets masked in API responses</li> <li>non-root containers</li> <li>all queries through SQLAlchemy ORM</li> </ul> <h2> try it </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/2lba/loghunter.git cd loghunter cp .env.example .env # generate secrets with: openssl rand -hex 32 docker-compose up --build -d </code></pre> </div> <p>There's a demo script that fills the dashboard with realistic attack data:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chmod +x demo-data.sh<br> ./demo-data.sh<br> </code></pre> </div> <h2> <br> <br> <br> bugs that wasted my time<br> </h2> <ul> <li>passlib doesn't work with bcrypt 5.x. had to switch to raw bcrypt.</li> <li>react-simple-maps doesn't support React 19. rewrote the map with d3-geo.</li> <li>FastAPI CORS middleware doesn't cover error responses. wrote custom middleware.</li> <li>Postgres INET columns return IPv4Address objects that Pydantic can't serialize.</li> <li>special characters in .env passwords break shell scripts.</li> </ul> <h2> what's next </h2> <ul> <li>ML anomaly detection</li> <li>eBPF collector</li> <li>Kubernetes operator</li> <li>mobile alerts app</li> </ul> <p>repo: <a href="https://github.com/2lba/loghunter" rel="noopener noreferrer">github.com/2lba/loghunter</a></p> <p>feedback welcome.</p> security opensource python go