The Nano SIEM project is a minimalist Security Information and Event Management (SIEM) system designed for private home servers.

Nano SIEM has two main functionalities: One is to monitor the uptime of services and send an email notification if a service is unavailable. The second functionality is to provide insight into the access log file of a Traefik reverse proxy. It does this by resolving IPs into coordinates and displaying them on different map views. In the screenshot below you can see an example of the detailed map. On this map, you can click on locations and see the requests that have been made from that location. The requests are ranked according to their likelihood of being a hacking attempt. There is also a second view which specifically lists hacking attempts. A screenshot of this view can also be seen below. These features help to get a better understanding of the security risks on the server.

The software is easy to set up and configure. A pre-built, ready-to-use Docker container can be pulled from Docker Hub. If you need to parse a different log file format feel free to write a new module and open a pull request. Look at the development.md document to get started.

Detailed Map View

Event View

Overwatch View

If you want to check out the implementation with example data you can go to the doc/demo/ folder. Further instructions how to run the application can be found there.

Running the application on your own server is quite easy. You just have to follow the instruction below and / or look at the docker-compose file in this repository. You can pull the ready to use Docker image from docker pull fabianhk/nano-siem.

DJANGO_SECRET_KEY=<strong secret key with at least 50 characters>
DOMAIN_NAME=<domain name of the server>
URL=<full url e.g. https://www.example.com>

# If you are behind a reverse proxy, you have to set this variable
USE_X_FORWARDED_HOST=True

Only for debugging: If you want to see the logs of the cronjob you have to mount a log file to: /home/ubuntu/.nano_siem/crontab.log.

MYSQL_DB_NAME=NanoSiem
MYSQL_USER=NanoSiem
MYSQL_PASSWORD=1234
MYSQL_HOST=127.0.0.1

# Run migrations from command line
docker exec -it <container name> python3 manage.py migrate

The OpenID Connect login is tested with the Keycloak and Authentik. In the authorization server you have to create a new client with the redirect URI https://<DOMAIN_NAME>/oidc/callback/.

OIDC_CLIENT_ID=<CLIENT_ID>
OIDC_CLIENT_SECRET=<CLIENT_SECRET>

OIDC_AUTHORIZATION_ENDPOINT=
OIDC_TOKEN_ENDPOINT=
OIDC_USER_ENDPOINT=
# If OIDC_JWKS_ENDPOINT variable is set and the document can be retrieved with
# a 200 status code, the OIDC login is enabled.
OIDC_JWKS_ENDPOINT=
OIDC_END_SESSION_ENDPOINT=

In the Keycloak admin console you have to create a new confidential client (enable Client authentication) with the following configuration:

# Valid redirect URIs
https://<DOMAIN_NAME>/oidc/callback/

# Valid post logout redirect URIs
https://<DOMAIN_NAME>/oidc/authenticate/

If you don't use OpenID Connect for authentication you have to create a superuser account. You can do this by running the following command in the container:

docker exec -it <container name> python3 manage.py createsuperuser

NOTIFICATION_EMAIL=<email address>
NOTIFICATION_EMAIL_PASSWORD=<email password>
# The SMTP server has to support STARTTLS
NOTIFICATION_EMAIL_SMTP_SERVER=<smtp server>

1. Mount Traefik access log to: /var/log/traefik_access.log
2. Setup GeoLite2 Free database:
   1. Create an account at MAXMIND
   2. Create License file: GeoIP.conf
   3. Mount license file to: /etc/GeoIP.conf

# Set default values for private IP addresses (can't be resolved by GeoLite2 db)
PRIVATE_IP_LOCATION_INFO=65.01236,25.46816,Oulu,Finland,DNA 

The Overwatch module checks whether a service is available or not every minute. If a service is not available the module will send an email notification to the configured email address (Requires the notification settings to be configured). You can configure as many services as you want by increasing the numbers at the end of the environment variable. The pair of name and type has to be unique. The type can be one of the following: http, tcp, ping or disk.

# HTTP example
OVERWATCH_0=Name,http,https://example.com
OVERWATCH_{i}=Name,http,<url>

# TCP example
OVERWATCH_1=Name,tcp,example.com,22
OVERWATCH_{i}=Name,tcp,<domain/ip>,<port>

# Ping
OVERWATCH_2=Name,ping,example.com
OVERWATCH_{i}=Name,ping,<domain/ip>

# Disk
OVERWATCH_3=Name,disk,/dev/sda1,/media/usb,58d775d2-1fcb-4d10-aee5-cb956a86abd3
OVERWATCH_{i}=Name,disk,<device>,<mount point>,<uuid>

Notes on the disk availability check: You have to mount the root filesystem to /mnt/rootfs as a read-only filesystem.

You can find all configuration options in the file configuration.md.