The Nano SIEM project is a minimalist Security Information and Event Management (SIEM) system designed for private home servers.
Nano SIEM has two main functionalities: One is to monitor the uptime of services and send an email notification if a service is unavailable. The second functionality is to provide insight into the access log file of a Traefik reverse proxy. It does this by resolving IPs into coordinates and displaying them on different map views. In the screenshot below you can see an example of the detailed map. On this map, you can click on locations and see the requests that have been made from that location. The requests are ranked according to their likelihood of being a hacking attempt. There is also a second view which specifically lists hacking attempts. A screenshot of this view can also be seen below. These features help to get a better understanding of the security risks on the server.
The software is easy to set up and configure. A pre-built, ready-to-use Docker container can be pulled from Docker Hub. If you need to parse a different log file format feel free to write a new module and open a pull request. Look at the development.md document to get started.
Detailed Map View
Event View
Overwatch View
If you want to check out the implementation with example data you can go to the doc/demo/ folder. Further instructions how to run the application can be found there.
Running the application on your own server is quite easy.
You just have to follow the instruction below
and / or look at the docker-compose file in this
repository. You can pull the ready to use Docker image
from docker pull fabianhk/nano-siem.
DJANGO_SECRET_KEY=<strong secret key with at least 50 characters>
DOMAIN_NAME=<domain name of the server>
URL=<full url e.g. https://www.example.com>
# If you are behind a reverse proxy, you have to set this variable
USE_X_FORWARDED_HOST=TrueOnly for debugging:
If you want to see the logs of the cronjob you have to mount
a log file to: /home/ubuntu/.nano_siem/crontab.log.
MYSQL_DB_NAME=NanoSiem
MYSQL_USER=NanoSiem
MYSQL_PASSWORD=1234
MYSQL_HOST=127.0.0.1# Run migrations from command line
docker exec -it <container name> python3 manage.py migrateThe OpenID Connect login is tested with the Keycloak and Authentik.
In the authorization server you have to create a new client with the redirect URI
https://<DOMAIN_NAME>/oidc/callback/.
OIDC_CLIENT_ID=<CLIENT_ID>
OIDC_CLIENT_SECRET=<CLIENT_SECRET>
OIDC_AUTHORIZATION_ENDPOINT=
OIDC_TOKEN_ENDPOINT=
OIDC_USER_ENDPOINT=
# If OIDC_JWKS_ENDPOINT variable is set and the document can be retrieved with
# a 200 status code, the OIDC login is enabled.
OIDC_JWKS_ENDPOINT=
OIDC_END_SESSION_ENDPOINT=In the Keycloak admin console you have to create a new confidential client
(enable Client authentication) with the following configuration:
# Valid redirect URIs
https://<DOMAIN_NAME>/oidc/callback/
# Valid post logout redirect URIs
https://<DOMAIN_NAME>/oidc/authenticate/If you don't use OpenID Connect for authentication you have to create a superuser account. You can do this by running the following command in the container:
docker exec -it <container name> python3 manage.py createsuperuserNOTIFICATION_EMAIL=<email address>
NOTIFICATION_EMAIL_PASSWORD=<email password>
# The SMTP server has to support STARTTLS
NOTIFICATION_EMAIL_SMTP_SERVER=<smtp server>- Mount Traefik access log to:
/var/log/traefik_access.log - Setup GeoLite2 Free database:
- Create an account at MAXMIND
- Create License file:
GeoIP.conf - Mount license file to:
/etc/GeoIP.conf
# Set default values for private IP addresses (can't be resolved by GeoLite2 db)
PRIVATE_IP_LOCATION_INFO=65.01236,25.46816,Oulu,Finland,DNA The Overwatch module checks whether a service is available or not
every minute. If a service is not available the module will send
an email notification to the configured email address (Requires
the notification settings to be configured).
You can configure as many services as you want
by increasing the numbers at the end of the environment variable.
The pair of name and type has to be unique. The type can be one of
the following: http, tcp, ping or disk.
# HTTP example
OVERWATCH_0=Name,http,https://example.com
OVERWATCH_{i}=Name,http,<url>
# TCP example
OVERWATCH_1=Name,tcp,example.com,22
OVERWATCH_{i}=Name,tcp,<domain/ip>,<port>
# Ping
OVERWATCH_2=Name,ping,example.com
OVERWATCH_{i}=Name,ping,<domain/ip>
# Disk
OVERWATCH_3=Name,disk,/dev/sda1,/media/usb,58d775d2-1fcb-4d10-aee5-cb956a86abd3
OVERWATCH_{i}=Name,disk,<device>,<mount point>,<uuid>Notes on the disk availability check: You have to mount the root filesystem
to /mnt/rootfs as a read-only filesystem.
You can find all configuration options in the file configuration.md.