O.W.A.S.A.K.A. SIEM
Open Watchful Air-gapped Security Analysis Kit & Architecture
A zero-trust, air-gapped SIEM platform built for surgical precision monitoring with enterprise-grade security - running locally on dedicated hardware.
Philosophy
"A SIEM should be like a butler: invisible until needed, impeccably informed when called upon, and never presumptuous about what matters."
Core Principles:
- Isolation-First Design: Air-gapped by architecture, not configuration
- Defense in Depth: Layered security at every level
- Elegance Over Complexity: Clean UX, minimal footprint, maximum insight
- Signal over Noise: Optimize for what matters
Architecture Overview
┌─────────────────────────────────────────────────────────────────┐
│                       O.W.A.S.A.K.A. SIEM                       │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌──────────────────┐        ┌──────────────────┐              │
│   │  Modern Web UI   │───────▶│  WebSocket API   │              │
│   │  (Svelte + TS)   │        │   (Real-time)    │              │
│   └──────────────────┘        └──────────────────┘              │
│                                         │                       │
│   ┌─────────────────────────────────────┬──────────────────┐    │
│   │                   Golang Core Engine                   │    │
│   ├────────────────────────────────────────────────────────┤    │
│   │ Network Intelligence │ Discovery Engine │ Analytics    │    │
│   │ • DNS Resolver       │ • Physical       │ • Correlation│    │
│   │ • Proxy/DPI          │ • Virtual        │ • ML Anomaly │    │
│   │ • Topology Map       │ • Attack Surface │ • Alerting   │    │
│   └─────────────────────────────────────┬──────────────────┘    │
│                                         │                       │
│   ┌─────────────────────────────────────┬──────────────────┐    │
│   │         Secure Storage Layer (NAS Integration)         │    │
│   │ • Encrypted at rest (AES-256-GCM)                      │    │
│   │ • Immutable audit logs                                 │    │
│   │ • Integrity verification (Merkle trees)                │    │
│   └────────────────────────────────────────────────────────┘    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
          │                     │                     │
          ▼                     ▼                     ▼
      [Physical]      [Virtual/Containers]       [Network]
       Devices            Docker/VMs              Services
Features
Network Intelligence
- Custom DNS Resolver with query logging and anomaly detection
- Transparent Proxy with mTLS inspection and protocol detection
- Network Topology Mapper with active/passive discovery
- Deep Packet Inspection for traffic analysis
Asset Discovery
- Multi-layer Discovery: Physical, virtual, containerized assets
- Attack Surface Mapping: ALL ports (0-65535), including dormant services
- Continuous Reconciliation: Detect changes and drift in real-time
- Ghost Port Detection: Find development/debug endpoints
Security
- Air-gapped Architecture: No external network exposure by design
- Self-hosted Firefox with enforced security policies
- Encrypted Storage: AES-256-GCM with Argon2id key derivation
- Immutable Audit Logs: Tamper-proof event recording
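An added illustration of the tamper-evident audit log described above, not the project's storage code: a Merkle root over the log entries that an operator pins out-of-band and later re-verifies. AuditLog, leafHash and nodeHash are this example's own names and assume nothing about the real `internal/storage/integrity` package.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// AuditLog is append-only by construction; integrity comes from comparing a
// freshly computed Merkle root with one pinned out-of-band (e.g. on the NAS).
type AuditLog struct{ events []string }

func (l *AuditLog) Append(event string) { l.events = append(l.events, event) }

// Leaf and interior hashes use different prefixes so a payload can never pose as a node.
func leafHash(event string) []byte {
	s := sha256.Sum256(append([]byte{0x00}, event...))
	return s[:]
}

func nodeHash(left, right []byte) []byte {
	buf := append([]byte{0x01}, left...)
	s := sha256.Sum256(append(buf, right...))
	return s[:]
}

// MerkleRoot folds leaf hashes pairwise up to one root, duplicating an odd
// trailing leaf; it returns "" for an empty log.
func (l *AuditLog) MerkleRoot() string {
	if len(l.events) == 0 {
		return ""
	}
	level := make([][]byte, 0, len(l.events))
	for _, ev := range l.events {
		level = append(level, leafHash(ev))
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next = append(next, nodeHash(level[i], level[i+1]))
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

// Verify recomputes the root; any edited, inserted, reordered or dropped event changes it.
func (l *AuditLog) Verify(pinnedRoot string) bool { return l.MerkleRoot() == pinnedRoot }
```

The root only tells you that something changed, not which entry; a per-entry hash chain or Merkle inclusion proof is the usual complement when localisation matters.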
User Experience
- Modern, Clean Interface: Dark mode by default
- Real-time Updates: WebSocket-powered live data
- Customizable Dashboards: Widget-based layout
- Low Resource Usage: <500MB memory footprint (idle)
Project Structure
O.W.A.S.A.K.A./
├── cmd/
│   └── oswaka/             # Application entry point
├── internal/               # Private application logic
│   ├── network/            # Network intelligence layer
│   │   ├── dns/            # DNS resolver & logging
│   │   ├── proxy/          # Transparent proxy & DPI
│   │   ├── discovery/      # Network scanning
│   │   └── topology/       # Network graph
│   ├── discovery/          # Asset discovery engine
│   │   ├── physical/       # Physical device enumeration
│   │   ├── virtual/        # VM/container scanning
│   │   ├── attack_surface/ # Attack surface mapper
│   │   └── reconciler/     # Change detection
│   ├── browser/            # Firefox integration
│   │   ├── firefox/        # Browser launcher
│   │   ├── policies/       # Security policy enforcer
│   │   └── automation/     # WebDriver integration
│   ├── storage/            # Data persistence
│   │   ├── nas/            # NAS connector
│   │   ├── crypto/         # Encryption/decryption
│   │   └── integrity/      # Verification & checksums
│   └── analytics/          # Intelligence engine
│       ├── stream/         # Event processing
│       ├── correlation/    # Rule engine
│       └── ml/             # Anomaly detection
├── pkg/                    # Public libraries
│   ├── config/             # Configuration management
│   ├── logging/            # Structured logging
│   └── metrics/            # Prometheus metrics
├── web/                    # Frontend application
│   ├── src/
│   │   ├── components/     # Svelte components
│   │   ├── stores/         # State management
│   │   └── lib/            # Utilities
│   └── public/             # Static assets
├── configs/                # Configuration files
│   ├── examples/           # Example configurations
│   └── policies/           # Security policies
└── docs/                   # Documentation
    ├── architecture/       # Design docs
    ├── api/                # API documentation
    └── deployment/         # Deployment guides
Quick Start
Prerequisites
Option 1: Nix Flakes (Recommended for Development)
- Nix with Flakes - Reproducible development environment
- All dependencies managed automatically
- See Nix Development Guide
Option 2: Manual Installation
- Go 1.22+ (tested on 1.24.7)
- Node.js 18+ (for web UI)
- Dedicated hardware (no shared environments)
- NAS cluster (for persistent storage)
- Firefox ESR (for browser integration)
Installation with Nix (Recommended)
# Clone the repository
git clone https://github.com/marcosfpina/O.W.A.S.A.K.A.git
cd O.W.A.S.A.K.A
# Enter development environment (all dependencies auto-installed)
nix develop
# You'll see the O.W.A.S.A.K.A. welcome banner!
# Now you have access to all tools: Go, Node.js, network tools, etc.
# Build the project
oswaka-dev build
# Or use make directly
make build
# Run the SIEM
oswaka-dev run
# Hot reload development mode
oswaka-dev watch
# Show all available commands
oswaka-dev help
What's included in the Nix environment:
- Go 1.22+, Node.js 20, Firefox ESR
- Network tools: nmap, tcpdump, tshark, dig
- Go tools: gopls, delve, golangci-lint, air
- Development utilities: jq, ripgrep, bat, htop
- Custom scripts and aliases
See the complete Nix guide for advanced usage.
Installation (Manual)
# Clone the repository
git clone https://github.com/marcosfpina/O.W.A.S.A.K.A.git
cd O.W.A.S.A.K.A
# Build the project
make build
# Run tests
make test
# Start the SIEM
./bin/oswaka --config configs/examples/default.yaml
Development
# Install dependencies
make deps
# Run in development mode
make dev
# Run linters
make lint
# Generate documentation
make docs
Configuration
Example configuration (configs/examples/default.yaml):
# Server
server:
  host: "127.0.0.1"
  port: 8080
  websocket:
    enabled: true
    path: "/ws"
    max_connections: 1000

# Logging
logging:
  level: "info"   # debug, info, warn, error
  format: "json"
  output: "stdout"

# Network intelligence
network:
  dns:
    enabled: true
    listen_address: "127.0.0.1:8053"
    upstream_servers: ["1.1.1.1:53", "8.8.8.8:53"]
    threat_detection: true
  discovery:
    enabled: true
    scan_interval_minutes: 60
    methods: [arp, icmp, mdns]

# Attack surface mapping
discovery:
  attack_surface:
    enabled: true
    port_range: { start: 1, end: 65535 }
    banner_grabbing: true

# Analytics
analytics:
  stream:
    enabled: true
    workers: 4
  correlation:
    enabled: true
    sigma_rules_enabled: true

# Metrics
metrics:
  prometheus:
    enabled: true
    listen_address: "127.0.0.1:9090"

# Spectre Fleet event bus
nats_url: "nats://localhost:4222"
Full reference: configs/examples/default.yaml
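The example config binds every listener to loopback, but `upstream_servers` forwards DNS to public resolvers (1.1.1.1, 8.8.8.8), which an air-gapped host cannot reach and which would carry query data off-box if it could. As an added check that is not part of the project, the Go snippet below walks the endpoint-bearing keys of such a config (modelled as a struct; AirGapConfig and its field names are this example's assumption) and reports every address outside loopback, private or link-local ranges, including a 0.0.0.0 wildcard bind.

```go
package main

import (
	"net"
	"net/url"
)

// AirGapConfig mirrors the endpoint-bearing keys of default.yaml. The struct and
// field names are this example's assumption, not the project's config schema.
type AirGapConfig struct {
	ServerHost   string   // server.host
	DNSListen    string   // network.dns.listen_address
	DNSUpstreams []string // network.dns.upstream_servers
	NATSURL      string   // nats_url
}

func hostOf(hostport string) string { // strips an optional ":port" suffix
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// insideAirGap accepts loopback, RFC 1918 / ULA and link-local only; a public IP,
// 0.0.0.0 or any hostname other than localhost is rejected.
func insideAirGap(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast())
}

// Findings lists every configured endpoint that would reach outside the air gap.
func (c AirGapConfig) Findings() []string {
	var out []string
	check := func(key, host string) {
		if !insideAirGap(host) {
			out = append(out, key+" leaves the air gap: "+host)
		}
	}
	check("server.host", c.ServerHost)
	check("network.dns.listen_address", hostOf(c.DNSListen))
	for _, u := range c.DNSUpstreams {
		check("network.dns.upstream_servers", hostOf(u))
	}
	if u, err := url.Parse(c.NATSURL); err == nil {
		check("nats_url", u.Hostname())
	}
	return out
}
```

Run against the values above it reports the two upstream resolvers; point them at an internal resolver (or disable forwarding) and the check is clean.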
Development Status
PHASE 0: Foundation & Environment Setup ✅
- Repository structure + Go module
- Build system (Makefile + Nix flake with `nix develop` shell)
- Configuration templates and validation (`pkg/config/`)
- Architecture documentation
PHASE 1: Network Intelligence Layer ✅
- High-performance DNS Resolver (`internal/network/dns/`): miekg/dns, upstream forwarding, query logging
- Transparent Proxy (`internal/network/proxy/`): HTTP/HTTPS MITM, DPI metadata extraction, TLS cert gen
- Network Topology Mapper (`internal/network/topology/`): ARP + mDNS, D3.js graph export
- BoltDB Event Persistence (`internal/storage/db/`): bbolt embedded KV store
PHASE 2: Asset Discovery ✅
- Virtual/Container discovery: Docker socket scanner + Libvirt XML-RPC + container stats
- Attack surface mapper (`internal/discovery/attack_surface/`): full TCP 0-65535, banner grabbing, IPv6 safe
- Physical device enumeration (`internal/discovery/physical/`): sysfs USB + PCI scanning
- Continuous reconciliation (`internal/discovery/reconciliation/`): asset drift detection + alerting
PHASE 3: Browser Integration ✅
- Hardened Firefox launcher (`internal/browser/firefox/`): profile isolation, enterprise policy enforcement
- Browser automation (`internal/browser/automation/`): CDP client, screenshots, HAR capture, navigation history
PHASE 4: Modern Frontend ✅
- SvelteKit dashboard (Crimson Red / Glassmorphism design system)
- Real-time WebSocket pipeline (gorilla/websocket + Go event bus)
- D3.js Network Topology Visualization (force-directed graph, live updates)
- Threat Alert HUD with severity classification
PHASE 5: Analytics Engine ✅
- In-memory Event Pipeline: Pub/Sub with sliding window counters (1m/5m/15m)
- Correlation engine: rule-based threat detection framework
- ML anomaly detection: Isolation Forest (100 trees) + 7-day behavioral baseline
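The shape of a sliding-window correlation rule such as the port-scan rule, as an added example that is not the project's code: ConnEvent and PortScanRule are this example's own types, and the 1m/5m/15m windows mentioned above are obtained by instantiating the rule with different Window values.

```go
package main

import "time"

// ConnEvent is one observed connection attempt as the event pipeline would
// carry it; the shape is constructed for this example, not the project's schema.
type ConnEvent struct {
	At      time.Time
	SrcIP   string
	DstPort int
}

// PortScanRule fires when one source touches at least Threshold distinct
// destination ports inside a sliding Window (e.g. 1m). Only events still inside
// the window are retained, so state is bounded by event rate, not by uptime.
type PortScanRule struct {
	Window    time.Duration
	Threshold int
	seen      map[string][]ConnEvent
}

func NewPortScanRule(window time.Duration, threshold int) *PortScanRule {
	return &PortScanRule{Window: window, Threshold: threshold, seen: map[string][]ConnEvent{}}
}

// Observe ingests one event (events must arrive in time order per source) and
// reports whether the rule fires for that source and how many distinct ports it saw.
func (r *PortScanRule) Observe(ev ConnEvent) (fired bool, distinctPorts int) {
	evs := append(r.seen[ev.SrcIP], ev)
	cutoff := ev.At.Add(-r.Window)
	for len(evs) > 0 && evs[0].At.Before(cutoff) {
		evs = evs[1:] // expire events that slid out of the window
	}
	r.seen[ev.SrcIP] = evs
	ports := make(map[int]struct{}, len(evs))
	for _, e := range evs {
		ports[e.DstPort] = struct{}{}
	}
	return len(ports) >= r.Threshold, len(ports)
}
```

A host hammering a single port never trips this rule, which is why brute force is listed as a separate detection rather than folded into port-scan.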
PHASE 6: SPECTRE Fleet Integration ✅
- NATS publisher (`internal/events/publisher.go`): Spectre Event schema
- Rust Proxy bridge: NATS EventBus via Axum (ADR-0050)
- JWT Authentication & Rate Limiting
All 19 Services Wired in app.go
Every module above is initialized, started, and connected to the central event pipeline. The system boots as a unified process.
Production Readiness: Resolved Gaps
| Gap | Was | Now | Commit |
|---|---|---|---|
| Test coverage | <5% (2 tests) | 35 tests across 6 packages | 394f9b6 |
| Correlation rules | 1 hardcoded rule | YAML rule engine + 10 baseline rules | 394f9b6 |
| DNS cache | No cache (TODO) | In-memory TTL cache + background evictor | 394f9b6 |
| ML persistence | Retrained from zero | gob serialization, auto-save/load | 394f9b6 |
| Scanner targets | Hardcoded localhost | Dynamic from BoltDB asset list | 394f9b6 |
| CI/CD | None | GitHub Actions (build+vet+test -race) | 394f9b6 |
Remaining
| Gap | Severity | Detail |
|---|---|---|
| OpenTelemetry | LOW | Spectre integration works via NATS; OTel is a nice-to-have |
| Rule hot-reload | LOW | Rules load on startup; restart required for changes |
| Event pipeline tests | MEDIUM | Pipeline + API + topology packages still untested |
Sprint Log
Sprint 1: Production Hardening (2026-03-28) ✅ COMPLETE
- P1 Test coverage: 35 tests (correlation, ML, stream, BoltDB, attack surface)
- P2 YAML rule engine + 10 detection rules (port scan, DNS tunnel, brute force, ARP spoof, lateral movement, service enum, malicious TLD, suspicious proxy, VM escape, anomalous volume)
- P3 DNS cache, ML model persistence (gob), scanner dynamic targets from asset DB
- P4 GitHub Actions CI, `make release` target
Performance Targets
- UI Response Time: <100ms (p95)
- Memory Footprint: <500MB (idle)
- Network Overhead: <5% of bandwidth
- Discovery Scan: <60s for 1000 assets
Security Model
Threat Assumptions
- Physical access is controlled
- NAS is in trusted network segment
- Operator is non-malicious (insider threat out of scope)
Protections
- Memory-safe language (Golang)
- Input validation everywhere
- No external dependencies at runtime
- Reproducible builds
- Encrypted data at rest
- Immutable audit logs
Contributing
This is a personal security infrastructure project. If you're interested in similar work:
- Fork the repository
- Study the architecture in /docs/architecture
- Build your own variant
- Share learnings (not code) back
License
Proprietary - Personal security infrastructure. Not licensed for commercial use or distribution.
Acknowledgments
Built with inspiration from:
- The Art of Monitoring (James Turnbull)
- Security Engineering (Ross Anderson)
- Designing Data-Intensive Applications (Martin Kleppmann)
Contact
Project maintained by: Marcos Pina
Repository: https://github.com/marcosfpina/O.W.A.S.A.K.A
Status: Pre-Production - Core modules integrated, hardening sprint complete
Last Updated: 2026-03-28