# AI-SIEM

Open-source Security Information and Event Management (SIEM) system for small to medium businesses. It provides real-time threat detection, anomaly analysis, and centralized security monitoring using the ELK Stack, Grafana, and machine learning.

## Features
- Real-time Log Ingestion: Centralized log collection from multiple sources via Logstash
- Elasticsearch Search: Fast indexing and searching of security events
- Kibana Visualization: Comprehensive log analysis and visualization
- Grafana Dashboards: Advanced security metrics and threat indicators
- Anomaly Detection: ML-based detection using Isolation Forest algorithm
- Threat Intelligence: Pattern-based threat detection and correlation
- Alerting System: Real-time alerts with deduplication and rules engine
- Automated Response: Automatic IP/port blocking for detected threats
- Containerized Deployment: Docker Compose for easy deployment
- 100% Open Source: No licensing costs, self-hosted
## Architecture

```
+-------------------------------------------------------------+
|                         Log Sources                         |
|       (Web Servers, Firewalls, OS Logs, Applications)       |
+------------------------------+------------------------------+
                               |
                    +----------v----------+
                    |      Logstash       |
                    |  (Log Processing)   |
                    +----------+----------+
                               |
          +--------------------v--------------------+
          |        Elasticsearch (Data Lake)        |
          |  - siem-logs-*       (Raw Events)       |
          |  - siem-threats-*    (Detected)         |
          |  - siem-anomalies-*  (Anomalies)        |
          |  - siem-alerts-*     (Alerts)           |
          +--------------------+--------------------+
                               |
        +------------+---------+----------+-------------+
        |            |                    |             |
   +----v-----+ +----v-----+        +-----v-----+ +-----v------+
   |  Kibana  | | Grafana  |        |  Anomaly  | |   Threat   |
   |  (Viz)   | |  (Dash)  |        | Detection | | Detection  |
   +----------+ +----------+        +-----+-----+ +-----+------+
                                          |             |
                                  +-------v-------------v-------+
                                  |     Redis (Queue/Cache)     |
                                  +-------+-------------+-------+
                                          |             |
                                  +-------v-------------v-------+
                                  |      Alerting Engine        |
                                  |   (Rules, Notifications)    |
                                  +-----------------------------+
```
## Components

| Component | Purpose | Technology | Port |
|---|---|---|---|
| Elasticsearch | Data storage & indexing | Elasticsearch 8.11 | 9200 |
| Kibana | Log visualization | Kibana 8.11 | 5601 |
| Logstash | Log processing pipeline | Logstash 8.11 | 5000 |
| Grafana | Security dashboards | Grafana 10.2 | 3000 |
| Redis | Caching & message queue | Redis 7 | 6379 |
| Anomaly Detector | ML-based anomaly detection | Python 3.11 | Internal |
| Threat Detector | Pattern-based threat detection | Python 3.11 | Internal |
| Alerting Engine | Alert processing & routing | Python 3.11 | Internal |
| Automated Response | Auto-blocks malicious IPs/ports (new) | Python 3.11 | Internal |
## Prerequisites

- Docker & Docker Compose
- 4+ GB RAM
- 20+ GB disk space
- Linux/macOS/Windows with Docker Desktop
## Quick Start

1. Clone the repository and navigate to the project directory:

   ```bash
   cd /path/to/AI-SIEM
   ```

2. Update credentials (important for production!):

   ```bash
   # Edit docker-compose.yml and update these environment variables:
   # - ELASTIC_PASSWORD
   # - GF_SECURITY_ADMIN_PASSWORD
   # - REDIS_PASSWORD
   ```

3. Create the Redis data directory:

   ```bash
   mkdir -p redis/data
   chmod 755 redis/data
   ```

4. Start all services:

   ```bash
   docker-compose up -d
   ```

5. Verify the services:

   ```bash
   docker-compose ps
   # All services should show "Up"
   ```

## Access

| Service | URL | Default Credentials |
|---|---|---|
| Kibana | http://localhost:5601 | elastic / change_me_elastic_password |
| Grafana | http://localhost:3000 | admin / change_me_grafana_password |
| Elasticsearch | http://localhost:9200 | elastic / change_me_elastic_password |
| Logstash | http://localhost:9600 | (No auth) |
## Configuration

### Logstash Pipeline

Location: `logstash/pipeline/main.conf`

Configure inputs for your log sources:

```conf
input {
  # TCP input
  tcp {
    port => 5000
    codec => json
  }
  # File input
  file {
    path => "/var/log/siem/*.log"
  }
}
```

Supported formats: JSON, Syslog, Plain text, CSV
### Grafana Dashboards

Location: `grafana/dashboards/`

Pre-configured dashboards:

- Security Threat Overview: Real-time threat statistics
- (Add more dashboards to the `grafana/dashboards/` directory)
### Alert Rules

Location: `alerting/config/alert_rules.yml`
Customize alert severity, thresholds, and notification channels.
### Anomaly Detection Settings

Location: `anomaly-detection/main.py`
Configuration options:
- Contamination rate: Percentage of anomalies (default: 10%)
- Retraining interval: Model retraining frequency (default: 6 hours)
- Feature selection: Change extracted features from logs
## Sending Logs

Send a test event to the TCP input:

```bash
echo '{"event_type": "connection_attempt", "src_ip": "192.168.1.100", "dst_ip": "8.8.8.8", "src_port": 54321, "dst_port": 443, "packet_count": 10, "byte_count": 1024, "severity": "low"}' | nc localhost 5000
```

Install Filebeat on source systems:

```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/syslog
output.logstash:
  hosts: ["<SIEM-SERVER-IP>:5000"]
```

Configure your devices/applications to send syslog to port 5000:

```yaml
facility: local0
server: <SIEM-SERVER-IP>
port: 5000
protocol: udp
```

Note that the sample pipeline above only defines a `tcp` input with a JSON codec on port 5000: Filebeat's `output.logstash` speaks the Beats protocol and needs a `beats { port => ... }` input, and UDP syslog needs a `udp` (or `syslog`) input, so add the matching input to `main.conf` for each source type.
## Detection Capabilities

### Anomaly Detection

Algorithm: Isolation Forest (scikit-learn)
What it detects:
- Unusual network traffic patterns
- Abnormal packet rates
- Unexpected data transfer volumes
- Statistical outliers in event characteristics
Process:
- Fetches historical logs (24 hours)
- Trains model on baseline behavior
- Monitors incoming events for deviations
- Retrains every 6 hours with fresh data
Configuration: anomaly-detection/main.py
### Threat Detection

Method: Pattern matching and rule-based detection
What it detects:
- Brute Force Attacks: 5+ failed logins in 10 minutes
- Port Scanning: 20+ unique ports in 5 minutes
- DDoS Attacks: 1000+ requests from single IP in 1 minute
- Privilege Escalation: Unauthorized elevated access attempts
- Malware Signatures: Known malicious file hashes
- Data Exfiltration: Suspicious outbound data transfers
Configuration: threat-detection/main.py
### Alerting

Features:
- Real-time alert generation
- Alert deduplication (prevent spam)
- Rule-based filtering
- Redis-based queueing
- Extensible notification channels
Configuration: alerting/config/alert_rules.yml
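As an added illustration of the brute-force and port-scan thresholds above together with the alerting engine's deduplication (constructed example code, not the project's `threat-detection/main.py`): the `event_type`, `src_ip` and `dst_port` fields come from the test event in this README, while the `auth_failure`/`http_request` event types, the `@timestamp` field and the one-alert-per-window suppression are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Thresholds are the ones documented above; the auth_failure/http_request event types,
# the @timestamp field and the one-alert-per-window suppression are assumptions.
RULES = {
    "brute_force": {"event_type": "auth_failure", "window": timedelta(minutes=10),
                    "threshold": 5, "unique_field": None},
    "port_scan": {"event_type": "connection_attempt", "window": timedelta(minutes=5),
                  "threshold": 20, "unique_field": "dst_port"},
    "ddos": {"event_type": "http_request", "window": timedelta(minutes=1),
             "threshold": 1000, "unique_field": None},
}

class ThreatDetector:
    """Sliding window per (rule, src_ip); each rule fires at most once per window."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule, src_ip) -> deque of (ts, value)
        self.last_fired = {}               # (rule, src_ip) -> ts of last alert (dedup)

    def process(self, event):
        """Feed one parsed event (dict with @timestamp, event_type, src_ip); return threats fired."""
        ts, ip, fired = datetime.fromisoformat(event["@timestamp"]), event["src_ip"], []
        for name, rule in self.rules.items():
            if event.get("event_type") != rule["event_type"]:
                continue
            key, q = (name, ip), self.windows[(name, ip)]
            q.append((ts, event.get(rule["unique_field"]) if rule["unique_field"] else None))
            while q and q[0][0] < ts - rule["window"]:  # evict entries outside the window
                q.popleft()
            # port_scan counts distinct destination ports; the other rules count events
            count = len({v for _, v in q}) if rule["unique_field"] else len(q)
            if count < rule["threshold"] or ts - self.last_fired.get(key, datetime.min) < rule["window"]:
                continue  # below threshold, or already alerted within this window (dedup)
            self.last_fired[key] = ts
            fired.append({"threat_type": name, "src_ip": ip, "count": count, "detected_at": ts.isoformat()})
        return fired

def run_sample():
    """Constructed traffic: a brute-force burst, a slow trickle that must not fire, a port scan."""
    t0, ev = datetime(2025, 12, 1, 12, 0, 0), []
    ev += [{"@timestamp": (t0 + timedelta(minutes=i)).isoformat(), "event_type": "auth_failure",
            "src_ip": "10.0.0.5"} for i in range(6)]                  # 6 failures in 5 min
    ev += [{"@timestamp": (t0 + timedelta(minutes=15 * i)).isoformat(), "event_type": "auth_failure",
            "src_ip": "10.0.0.6"} for i in range(5)]                  # 5 failures over 60 min
    ev += [{"@timestamp": (t0 + timedelta(seconds=5 * i)).isoformat(), "event_type": "connection_attempt",
            "src_ip": "10.0.0.7", "dst_port": 1000 + i} for i in range(25)]  # 25 ports in 2 min
    det = ThreatDetector()
    return [t for e in sorted(ev, key=lambda e: e["@timestamp"]) for t in det.process(e)]
```

`run_sample()` yields exactly two threats: one `brute_force` for 10.0.0.5 (the sixth failure is suppressed as a duplicate) and one `port_scan` for 10.0.0.7; the slow trickle from 10.0.0.6 never reaches five failures inside a ten-minute window.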
### Automated Response

Method: Firewall-based IP and port blocking using iptables
What it blocks:
- Critical/High Severity Threats: Automatically blocks source IPs
- Critical threats: 120 minutes block duration
- High threats: 60 minutes block duration
- Port Scanning Attacks: Blocks targeted ports temporarily (30 min)
- DDoS Attacks: Blocks attack source and protects ports
Features:
- Automatic IP blocking with iptables
- Port-based blocking for service protection
- Auto-expiration (blocks automatically unblock after duration)
- All actions logged to Elasticsearch
- Dry-run mode for testing (no actual blocking)
- Real-time monitoring via Redis pub/sub
Configuration:

```yaml
# In docker-compose.yml:
- AUTO_BLOCK_ENABLED=true      # Enable/disable auto-blocking
- BLOCK_DURATION_MINUTES=60    # Default block duration
- DRY_RUN_MODE=false           # true = log only, false = actually block
```

Keep `DRY_RUN_MODE=true` until the detection rules have been reviewed against your own traffic, since a false positive blocks a legitimate source for the full duration.

Testing:

```bash
# Run test suite to simulate attacks
python3 test_blocking.py
# Check blocked IPs
docker logs ai-siem-response --tail 50
# View blocking actions in Elasticsearch
curl "localhost:9200/siem-response-actions-*/_search?pretty"
```

See `automated-response/README.md` for detailed documentation.
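An added sketch of the blocking behaviour described in this section, run in dry-run mode (constructed example, not the project's automated-response code): the durations are the ones listed above, while the threat dict fields, the use of the iptables `INPUT` chain and the in-memory expiry table are assumptions.

```python
import subprocess
from datetime import datetime, timedelta
# Block durations are the ones documented above. The threat dict layout, the INPUT chain
# and the in-memory expiry table are assumptions of this constructed example.
IP_BLOCK_MINUTES = {"critical": 120, "high": 60}   # lower severities are never auto-blocked
PORT_BLOCK_MINUTES = 30

class BlockManager:
    """Applies iptables DROP rules for threats and removes them when their duration lapses."""
    def __init__(self, dry_run=True):
        self.dry_run, self.active, self.log = dry_run, {}, []   # active: key -> expiry; log: commands
    def _run(self, args):
        self.log.append(" ".join(args))   # the project logs actions to Elasticsearch; we keep a list
        if not self.dry_run:              # dry-run mode: record the command but never execute it
            subprocess.run(args, check=True)
    @staticmethod
    def _rule(action, key):
        kind, value = key                 # key is ("ip", "203.0.113.9") or ("port", 22)
        match = ["-s", value] if kind == "ip" else ["-p", "tcp", "--dport", str(value)]
        return ["iptables", action, "INPUT", *match, "-j", "DROP"]
    def _block(self, key, minutes, now):
        expiry = now + timedelta(minutes=minutes)
        if key in self.active:   # already blocked: extend the expiry, add no duplicate rule
            self.active[key] = max(self.active[key], expiry)
            return
        self.active[key] = expiry
        self._run(self._rule("-I", key))
    def handle_threat(self, threat, now):
        minutes = IP_BLOCK_MINUTES.get(threat.get("severity"))
        if minutes:                      # critical/high: block the source IP
            self._block(("ip", threat["src_ip"]), minutes, now)
        if threat.get("threat_type") == "port_scan":   # also shield the scanned ports
            for port in threat.get("targeted_ports", []):
                self._block(("port", port), PORT_BLOCK_MINUTES, now)
    def expire(self, now):
        """Auto-expiration: delete the rule for every block whose duration has elapsed."""
        done = [k for k, exp in self.active.items() if exp <= now]
        for key in done:
            self._run(self._rule("-D", key))
            del self.active[key]
        return done

def demo():
    """Constructed dry run: one critical brute-force source, one scan of ports 22 and 3389."""
    t0, bm = datetime(2025, 12, 1, 12, 0), BlockManager(dry_run=True)
    bm.handle_threat({"threat_type": "brute_force", "severity": "critical", "src_ip": "203.0.113.9"}, t0)
    bm.handle_threat({"threat_type": "port_scan", "src_ip": "203.0.113.11", "targeted_ports": [22, 3389]}, t0)
    bm.expire(t0 + timedelta(minutes=30))   # port blocks (30 min) lapse, the IP block (120 min) stays
    return bm.log, sorted(bm.active)
```

In the dry run `demo()` records five iptables commands (three inserts, then the two port-rule deletions after 30 minutes) and leaves only the 120-minute IP block active; a real deployment would call `expire()` from a periodic loop.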
## Index Management

Indices created by the system:

- `siem-logs-YYYY.MM.DD`: Raw security events
- `siem-threats-*`: Detected threats
- `siem-anomalies-*`: Detected anomalies
- `siem-alerts-*`: Generated alerts

Delete old indices to manage disk space:

```bash
# Delete the daily index from 30 days ago
curl -X DELETE http://localhost:9200/siem-logs-$(date -d '30 days ago' +%Y.%m.%d)
```

This removes only the single index dated exactly 30 days ago, so run it every day (for example from cron) or use an ILM policy; a day that is skipped is otherwise never cleaned up.

## Health Check

```bash
curl http://elastic:change_me_elastic_password@localhost:9200/_cluster/health
```

## Viewing Logs

```bash
# All services
docker-compose logs -f
# Specific service
docker-compose logs -f anomaly-detector
docker-compose logs -f threat-detector
docker-compose logs -f alerting-engine
```

## Troubleshooting

| Issue | Solution |
|---|---|
| Port already in use | Change port mapping in docker-compose.yml |
| Out of memory | Increase Docker memory limit, reduce ES_JAVA_OPTS |
| No logs appearing | Check Logstash configuration, verify log format |
| Slow queries | Index size too large: configure log rotation |
| Detection not working | Ensure at least 1 hour of data in Elasticsearch |
## Performance Tuning

For SMB environments (about 1M events/day):

Elasticsearch (`ES_JAVA_OPTS` is an environment variable; the rest goes in `elasticsearch/config/elasticsearch.yml`):

```yaml
ES_JAVA_OPTS: -Xms512m -Xmx512m        # Adjust heap size
indices.memory.index_buffer_size: 30%
```

Logstash (`logstash/config/logstash.yml`):

```yaml
pipeline.batch.size: 125    # Increase for throughput
pipeline.batch.delay: 50    # Milliseconds
queue.type: persisted       # Enable persisted queue
```

## Security Best Practices

1. Change default credentials immediately:
   - Elasticsearch admin password
   - Grafana admin password
   - Redis password
2. Network isolation:
   - Restrict access to ports 5601, 3000, 9200
   - Use firewall rules
   - Deploy in internal network only
3. Enable HTTPS:
   - Configure Elasticsearch SSL
   - Set up Kibana proxy with HTTPS
4. Regular backups:
   - Backup Elasticsearch data
   - Export Grafana dashboards
   - Version control alert rules
## Project Structure

```
AI-SIEM/
├── docker-compose.yml           # Main configuration
├── elasticsearch/
│   ├── config/elasticsearch.yml
│   └── data/                    # Persistent data
├── kibana/
│   └── config/kibana.yml
├── logstash/
│   ├── config/logstash.yml
│   └── pipeline/main.conf       # Log processing rules
├── grafana/
│   ├── config/grafana.ini
│   ├── dashboards/              # Dashboard definitions
│   └── provisioning/            # Automated setup
├── anomaly-detection/
│   ├── Dockerfile
│   ├── main.py                  # Detection engine
│   └── requirements.txt
├── threat-detection/
│   ├── Dockerfile
│   ├── main.py                  # Threat patterns
│   └── requirements.txt
├── alerting/
│   ├── Dockerfile
│   ├── main.py                  # Alert processor
│   ├── config/alert_rules.yml   # Alert configuration
│   └── requirements.txt
├── logs/                        # Log input directory
├── sample-data/                 # Test data
├── redis/                       # Redis data
└── README.md
```
## Example Flows

### Brute-force detection

1. Server logs failed auth → Logstash ingests
2. Logstash parses & enriches → Elasticsearch indexes
3. Threat detector queries: failed_auth > 5 in 10 min
4. Match found → Threat alert generated
5. Alerting engine → Redis pub/sub → Elasticsearch
6. Dashboard updated → Security team notified

### Anomaly detection

1. Network traffic logged → Logstash processes
2. Stored in Elasticsearch `siem-logs-*`
3. Anomaly detector fetches last 24 hrs → trains model
4. New logs arrive → scored against model
5. Unusual packet rate detected → anomaly_score = -0.75
6. Alert generated & published → stored in `siem-alerts-*`
7. Grafana dashboard reflects new alert
## Maintenance

Daily:

- Monitor dashboard for alerts
- Check service health: `docker-compose ps`

Weekly:

- Review logs: `docker-compose logs --tail 100`
- Verify model accuracy (anomaly detection)
- Test alerting system

Monthly:

- Clean old indices (>90 days)
- Review and update threat signatures
- Analyze detection accuracy
## Scaling

Single-node to multi-node Elasticsearch:

- Set a distinct `node.name` for each node in `elasticsearch.yml`
- Update docker-compose for multiple ES instances
- Configure cluster settings

Increase log retention:

- Adjust ILM policies
- Add more storage volumes
- Upgrade disk space
## Resources

- Elasticsearch Documentation
- Kibana User Guide
- Grafana Documentation
- Logstash Pipeline Syntax
- scikit-learn Anomaly Detection
## License

This project uses open-source components:
- Elasticsearch & Kibana: SSPL License
- Logstash: SSPL License
- Grafana: AGPL License
- Python libraries: Various open-source licenses
## Contributing

Contributions welcome! Areas for enhancement:
- Additional detection algorithms
- Integration with more log sources
- Advanced visualization dashboards
- Notification channel integrations (Slack, Email)
- Custom ML models
## Support

For issues or questions:
- Check troubleshooting section
- Review service logs
- Check Elasticsearch health
- Verify connectivity between services
Last Updated: December 2025 | Version: 1.0.0