{"id":19542074,"url":"https://github.com/dikayx/elk-siem","last_synced_at":"2025-09-15T05:31:06.365Z","repository":{"id":258950179,"uuid":"870625952","full_name":"dikayx/elk-siem","owner":"dikayx","description":"A lightweight SIEM solution using the ELK stack, Docker, Winlogbeat and Sysmon for efficient log collection and analysis.","archived":true,"fork":false,"pushed_at":"2024-12-02T13:42:36.000Z","size":1034,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-26T05:21:09.742Z","etag":null,"topics":["docker","elk","siem","sysmon","windows","winlogbeat"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dikayx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-10T11:34:54.000Z","updated_at":"2024-12-21T13:18:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"a20cbf06-bcc9-42ba-822f-33c0e2f3b930","html_url":"https://github.com/dikayx/elk-siem","commit_stats":null,"previous_names":["dikayx/elk-siem"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dikayx/elk-siem","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dikayx%2Felk-siem","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dikayx%2Felk-siem/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dikayx%2Felk-siem/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dikayx%2Felk-siem/manifests","o
wner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dikayx","download_url":"https://codeload.github.com/dikayx/elk-siem/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dikayx%2Felk-siem/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275208486,"owners_count":25424033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-15T02:00:09.272Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","elk","siem","sysmon","windows","winlogbeat"],"created_at":"2024-11-11T03:13:03.208Z","updated_at":"2025-09-15T05:31:06.357Z","avatar_url":"https://github.com/dikayx.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# elk-siem\n\n![ElasticSearch](https://img.shields.io/badge/-ElasticSearch-005571?style=for-the-badge\u0026logo=elasticsearch)\n![Logstash](https://img.shields.io/badge/-Logstash-005571?style=for-the-badge\u0026logo=logstash)\n![Kibana](https://img.shields.io/badge/-Kibana-005571?style=for-the-badge\u0026logo=kibana)\n![Docker](https://img.shields.io/badge/Docker-2496ED?style=for-the-badge\u0026logo=docker\u0026logoColor=white)\n![Windows](https://img.shields.io/badge/Windows-0078D6?style=for-the-badge\u0026logo=windows\u0026logoColor=white)\n\nThis project is a simple ELK stack-based SIEM (_Security Information and Event 
Management_) system for Windows endpoints. It is designed to collect, parse, and visualize Windows endpoint logs in a centralized manner by utilizing Sysmon and Winlogbeat.\n\n![Preview](./_assets/preview.png)\n\n## Architecture\n\nThe overall architecture is based on the ELK stack, which consists of Elasticsearch, Logstash, and Kibana. It uses **[Beats](https://www.elastic.co/beats)** as a data shipper to collect logs from several endpoints. In this case, **[Winlogbeat](https://www.elastic.co/beats/winlogbeat)** is used to collect Windows event logs.\n\n\u003e _On Linux, you can use **[Filebeat](https://www.elastic.co/beats/filebeat)** or **[Metricbeat](https://www.elastic.co/beats/metricbeat)** to collect logs and metrics from the operating system and services. For macOS, **[Auditbeat](https://www.elastic.co/beats/auditbeat)** is available to collect audit events._\n\n![Architecture](./_assets/elk_stack_diagram.png)\n\n-   **Winlogbeat** relays the activity information gathered by **Sysmon** on the Windows endpoint to **Logstash** on the ELK server.\n-   **Logstash** reads, parses, transforms, and relays the data to **Elasticsearch**.\n-   **Kibana** searches and visualizes the information from **Elasticsearch**.\n\n## Getting Started\n\nThis project is designed to be used with [Docker](https://www.docker.com/). To get started, clone this repository and follow the instructions in the [installation guide](./_guides/INSTALLATION.md).\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Inspired by\n\n-   https://github.com/KnightChaser/KnightChaser\n-   https://github.com/deviantony/docker-elk\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdikayx%2Felk-siem","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdikayx%2Felk-siem","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdikayx%2Felk-siem/lists"}