Python SIEM
A lightweight command-line Security Information and Event Management tool that parses SSH, web, firewall, and Windows logs, runs detection rules, stores alerts in MySQL, and integrates directly with the IOC database for automatic threat correlation.
You point it at a log file or directory. It reads every line, auto-detects the log format, parses each entry into a structured event, and runs a set of detection rules across all events. Anything suspicious generates an alert stored in MySQL for ongoing querying, filtering, and export.
If the IOC database tool is also set up on the same machine, the SIEM automatically cross-references every IP address it encounters against your known-bad indicator list. A match fires a critical alert immediately. No additional configuration required — it detects the database and uses it silently if available.
It also works with no database at all. Point it at a suspicious log file and it will parse and run detection rules, printing any alerts to the terminal for quick ad-hoc analysis without any setup.
Supported log formats:
- SSH auth logs (Linux /var/log/auth.log and macOS)
- Apache and Nginx access logs (combined log format)
- Firewall and iptables logs
- Windows Event Log text exports
Log format is auto-detected. You do not need to specify the type manually.
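As an added illustration of the auto-detection, rule evaluation and IOC cross-check described above (example code written for this page, not the project's own siem.py or ioc_db.py): a minimal parser for SSH auth and Apache combined-log lines, a failed-login threshold rule, and a lookup against a constructed known-bad set that stands in for the IOC database. The regexes, the threshold of 3 and the sample lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines: four SSH auth.log entries and one Apache combined-log entry.
SAMPLE_LOGS = [
    "Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.9 port 5222 ssh2",
    "Mar  3 10:01:03 host sshd[1234]: Failed password for root from 203.0.113.9 port 5223 ssh2",
    "Mar  3 10:01:04 host sshd[1234]: Failed password for admin from 203.0.113.9 port 5224 ssh2",
    "Mar  3 10:02:00 host sshd[1240]: Accepted password for alice from 198.51.100.4 port 5300 ssh2",
    '198.51.100.7 - - [03/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 401 512 "-" "curl/8.0"',
]
# Constructed indicator set standing in for the IOC database lookup (assumption).
KNOWN_BAD_IPS = {"198.51.100.7"}

# Assumed patterns: sshd auth result lines and the Apache/Nginx combined log format.
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<status>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<code>\d{3})')

def parse_line(line):
    """Auto-detect the format of one log line and return a structured event, or None if unknown."""
    m = SSH_RE.search(line)
    if m:
        return {"source": "ssh", "ip": m["ip"], "user": m["user"], "status": m["status"]}
    m = WEB_RE.match(line)
    if m:
        return {"source": "web", "ip": m["ip"], "path": m["path"], "code": int(m["code"])}
    return None

def run_rules(events, known_bad_ips, fail_threshold=3):
    """Apply two detection rules and return alerts as (severity, rule, ip) tuples."""
    alerts = []
    # Rule 1: repeated SSH authentication failures from one source IP.
    failures = Counter(e["ip"] for e in events if e["source"] == "ssh" and e["status"] == "Failed")
    for ip, n in failures.items():
        if n >= fail_threshold:
            alerts.append(("high", f"ssh_bruteforce:{n} failures", ip))
    # Rule 2: any IP seen in any log source that matches the known-bad indicator set.
    seen = {e["ip"] for e in events}
    for ip in sorted(seen & known_bad_ips):
        alerts.append(("critical", "ioc_match", ip))
    return alerts

def ingest(lines, known_bad_ips):
    """Parse every line, drop unrecognised ones, run the rules; returns (events, alerts)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    return events, run_rules(events, known_bad_ips)

if __name__ == "__main__":
    for alert in ingest(SAMPLE_LOGS, KNOWN_BAD_IPS)[1]:
        print(alert)
```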
```bash
# Ingest a single log file
python3 siem.py ingest --log /var/log/auth.log
# Ingest an entire directory
python3 siem.py ingest --dir /var/log
# View all critical alerts
python3 siem.py alerts --severity critical
# Terminal dashboard
python3 siem.py dashboard
# Export alerts to CSV
python3 siem.py export --output report.csv
# List all detection rules
python3 siem.py rules
```
```
log file or directory (--log / --dir)
        |
        v
siem.py ingest          # parses logs, runs rules, fires alerts
        |
        +-- checks ioc_db.py   # cross-references every IP seen
        |
        v
MySQL alerts table      # stores everything persistently
        |
        v
siem.py dashboard       # terminal overview of alert state
siem.py export          # CSV report for sharing or documentation
```
If the SIEM surfaces a malicious IP, you can feed it back into the IOC database so every future ingestion automatically flags it as a known-bad indicator. The VT Bulk Enricher sits upstream, letting you validate suspicious IPs before committing them to the database.
Commercial SIEMs like Splunk or Microsoft Sentinel are powerful, but they are also expensive, complex to configure, and completely opaque about what they are actually doing under the hood. Building one from scratch forced me to understand exactly how log parsing works, what makes a detection rule reliable versus noisy, and how alert storage and querying need to be designed to actually be useful during an investigation.
The IOC database integration was a deliberate design choice rather than an afterthought. In a real SOC environment, threat intelligence feeds directly into detection. Having the SIEM automatically check every IP it sees against a known-bad list mirrors how production detection pipelines actually work, just at a scale that is understandable and auditable.
The three tools together represent a complete, lightweight threat hunting workflow: enrich indicators with the VT Bulk Enricher, store confirmed ones in the IOC database, and let the SIEM surface matches automatically during log analysis.