{"id":50294400,"url":"https://github.com/tdiprima/loghawk","last_synced_at":"2026-05-28T08:01:19.758Z","repository":{"id":352875297,"uuid":"1211658931","full_name":"tdiprima/LogHawk","owner":"tdiprima","description":"Lightweight SIEM alternative for Linux fleets: rsyslog forwarding, mTLS, and real-time security event detection","archived":false,"fork":false,"pushed_at":"2026-05-19T16:06:04.000Z","size":749,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-19T17:34:53.437Z","etag":null,"topics":["centralized-logging","incident-response","linux","log-monitoring","security","syslog"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tdiprima.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-15T16:05:10.000Z","updated_at":"2026-05-19T16:07:20.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/tdiprima/LogHawk","commit_stats":null,"previous_names":["tdiprima/loghawk"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/tdiprima/LogHawk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2FLogHawk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2FLogHawk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2FLogHawk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2FLogHawk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tdiprima","download_url":"https://codeload.github.com/tdiprima/LogHawk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tdiprima%2FLogHawk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33599465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-28T02:00:06.440Z","response_time":99,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["centralized-logging","incident-response","linux","log-monitoring","security","syslog"],"created_at":"2026-05-28T08:01:18.482Z","updated_at":"2026-05-28T08:01:19.749Z","avatar_url":"https://github.com/tdiprima.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# LogHawk 🦅\n\nLogHawk is a lightweight Linux security observability toolkit for collecting, searching, and alerting on system logs across a small fleet.\n\nIt uses `rsyslog` with mutual TLS to forward logs from monitored servers to a central collector, then provides practical tools for real-time alerts, incident investigation, pipeline health checks, and AI-ready event exports.\n\n## Why It Exists\n\nLogHawk is built for environments where full SIEM platforms are too heavy, but raw SSH access and scattered `/var/log` files are not enough.\n\nIt demonstrates:\n\n- Secure centralized log collection with rsyslog over TLS\n- Linux operations across Ubuntu/Debian and RHEL-style systems\n- Security-focused detection for auth, sudo, kernel, cron, auditd, and service events\n- Small, dependency-light Python and Bash tooling\n- Operational polish: installers, systemd service files, config loading, log rotation, and health checks\n\n## Features\n\n- 🔐 mTLS log forwarding from agents to a central collector\n- Per-host remote log storage under `/var/log/remote/\u003chostname\u003e/`\n- Real-time alerting with severity levels and duplicate suppression\n- Optional email alerts through the local mail transfer agent\n- JSONL alert output for downstream tools\n- Search shortcuts for common investigations\n- Pipeline freshness checks for missing or stale logs\n- AI export tool that turns suspicious log activity into structured JSON or a ready-to-paste LLM prompt\n\n## Repository Layout\n\n```text\ncentral/   Collector setup, rsyslog receiver config, and certificate helpers\nagent/     Agent installer and rsyslog forwarding config\ntools/     Alerting, search, export, config, daemon, and pipeline utilities\n```\n\n## Requirements\n\n- Linux host with `systemd`\n- `rsyslog`\n- `openssl` for certificate generation\n- Python 3.9+\n- `apt`, `dnf`, or `yum` on target hosts\n\nPython tooling uses the standard library only.\n\n## Quick Start\n\nGenerate a private CA, server certificate, and client certificates:\n\n```bash\n./central/generate-certs.sh \\\n  --server-name log-server.example.com \\\n  --server-address 10.0.0.10 \\\n  --client-name web-01 \\\n  --client-name db-01\n```\n\nCopy certificates to the collector and agents:\n\n```bash\n./central/copy-certs.sh log-server.example.com --role collector\n./central/copy-certs.sh web-01 --role agent --client-name web-01\n```\n\nInstall the central collector:\n\n```bash\nsudo ./central/install-central.sh --allow-from 10.0.0.0/24\n```\n\nInstall an agent on each monitored server:\n\n```bash\nsudo ./agent/install-agent.sh log-server.example.com\n```\n\nInstall the alert daemon on the collector:\n\n```bash\nsudo ./tools/install-alerts-daemon.sh \\\n  --email security@example.com \\\n  --file '/var/log/remote/*/*.log' \\\n  --min-severity HIGH \\\n  --json-out /var/log/loghawk-alerts.jsonl\n```\n\n## Common Commands\n\nWatch logs interactively:\n\n```bash\nsudo python3 tools/watch-alerts.py --file '/var/log/remote/*/*.log'\n```\n\nSearch for SSH failures:\n\n```bash\nsudo ./tools/search-logs.sh ssh-fails\n```\n\nSearch for activity from an IP:\n\n```bash\nsudo ./tools/search-logs.sh from-ip 192.168.1.50\n```\n\nCheck whether remote logs are stale:\n\n```bash\nsudo ./tools/check-log-pipeline.sh --minutes 15\n```\n\nExport suspicious events as JSON:\n\n```bash\nsudo python3 tools/export-for-ai.py --hours 24 --out /tmp/loghawk-events.json\n```\n\nGenerate an LLM-ready incident prompt:\n\n```bash\nsudo python3 tools/export-for-ai.py --hours 2 --llm-prompt\n```\n\n## Configuration\n\nMost tools read `/etc/loghawk/loghawk.conf` when present. A sample config is available at:\n\n```text\ntools/loghawk.conf.example\n```\n\nYou can override the config path with:\n\n```bash\nLOGHAWK_CONFIG=/path/to/loghawk.conf\n```\n\nPython tools also support:\n\n```bash\n--config /path/to/loghawk.conf\n```\n\n## Alert Coverage\n\nLogHawk includes detection patterns for:\n\n- SSH failed logins, invalid users, successful logins, and root logins\n- Sudo activity and denied privilege escalation attempts\n- User, group, password, SSH, and sudo configuration changes\n- Kernel panics, disk errors, OOM kills, segfaults, and hardware errors\n- Cron changes and root cron execution\n- auditd authentication, anomaly, policy, and user management events\n- systemd service failures, DNS issues, firewall drops, and disk-full events\n\n## Project Status\n\nThis is a practical security engineering project. Review detection patterns, retention, firewall rules, certificate handling, and alert routing before using it in production. Read the [docs](./docs).\n\n## License\n\nMIT License. See [LICENSE](LICENSE).\n\n\u003cbr\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftdiprima%2Floghawk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftdiprima%2Floghawk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftdiprima%2Floghawk/lists"}