A lightweight, modular, open-source SIEM (Security Information and Event Management) platform for real-time log analysis and threat monitoring — built for SOC and blue-team workflows.
SentinelSIEM aims to give small security teams and hobbyist blue-teamers a self-hostable, no-frills alternative to heavyweight commercial SIEM platforms. It ingests logs and events, normalizes and stores them, and surfaces alerts through a simple web dashboard — without requiring a dedicated data engineering team to stand up.
The project is intentionally modular: the pieces that ingest and process logs, the API that serves data, and the dashboard that visualizes it are separated so any piece can be swapped, scaled, or run independently.
SentinelSIEM uses GitHub's built-in project management features to plan, track, and review development.
- GitHub Issues are used to track features, bugs, enhancements, and technical tasks.
- GitHub Projects are used to organize work by sprint and monitor development progress.
- Milestones group issues into planned releases (e.g.,
v0.2,v0.3). - Pull Requests are required for all code changes and serve as the primary code review mechanism.
The docs/ directory is reserved for long-lived technical documentation such as architecture, engineering decisions, API documentation, roadmaps, and design artifacts. To avoid duplicate sources of truth, task tracking documentation is maintained exclusively through GitHub Issues rather than Markdown files within the repository.
- 🔍 Real-time log ingestion and event processing pipeline
- 🧩 Modular architecture — backend, processor, and frontend run as independent services
- 🔐 JWT-based authentication for API access
- 📊 Web dashboard for browsing events and reviewing alerts
- 🗄️ MongoDB for flexible, schema-light event storage
- ⚙️ Configurable via environment variables for easy deployment
Some features above reflect the project's direction — check open issues and the
docsfolder for the current state of implementation.
The repository is organized into independent modules:
SentinelSIEM/
├── backend/ # REST API — auth, data access, alert logic
├── processor/ # Log ingestion & event processing pipeline
├── frontend/ # Web dashboard (UI)
├── docs/ # Project documentation
├── .env.sample # Example environment configuration
└── docker-compose.yml # Multi-service local orchestration
At a high level, logs flow from your sources into the processor, which normalizes and forwards events to the backend, which persists them to MongoDB and exposes them via API to the frontend dashboard.
- Database: MongoDB
- Backend: Node.js/Express-style REST API, JWT authentication
- Frontend: Web-based dashboard
- Orchestration: Docker Compose
- Node.js (LTS recommended)
- MongoDB (local instance or Atlas)
- Docker & Docker Compose (optional, for containerized setup)
- Git
git clone https://github.com/Ovotron-net/SentinelSIEM.git
cd SentinelSIEMCopy the sample environment file and update the values for your setup:
cp .env.sample .envMONGO_URI=mongodb://localhost:27017/sentinelsiem
JWT_SECRET=replace_me
PORT=5000
LOG_LEVEL=INFOJWT_SECRET with a strong, unique secret before deploying anywhere beyond your local machine.
Install dependencies for each module you plan to run:
cd backend && npm install
cd ../frontend && npm install
cd ../processor && npm installOption A — Docker Compose (recommended for local development):
docker compose up --buildOption B — Run modules individually:
# In separate terminals
cd backend && npm start
cd processor && npm start
cd frontend && npm startThe backend API will be available at http://localhost:5000 (or the PORT you configured), and the frontend dashboard will be served on its own local port.
backend/— handles authentication, exposes REST endpoints, and talks to MongoDB.processor/— responsible for ingesting raw logs/events and normalizing them before they reach the backend.frontend/— the dashboard UI for reviewing events and alerts.docs/— supplementary documentation; check here for deeper dives as the project grows.
- Expand detection rule support
- Add alerting integrations (email, Slack, webhook)
- Improve dashboard visualizations
- Add role-based access control
- Publish full API documentation
Have an idea? Open an issue to discuss it.
Contributions are welcome! Please read CONTRIBUTING.md for guidelines on how to get set up, our branching/commit conventions, and how to submit a pull request.
This project is licensed under the MIT License.
Built and maintained by Bhavya Kantawala with the help of Ovotron-net and other contributors. Thanks to everyone who files issues, submits PRs, or spreads the word.