# SIEM-Lite: A Lightweight Security Information and Event Management Tool

SIEM-Lite is a proof-of-concept Python application designed to demonstrate the core functionality of a Security Information and Event Management (SIEM) system. It reads log files, parses the events, and uses correlation rules defined in a configuration file (`config.yaml`) to detect common security threats using a sliding time window.
This project is now fully functional and successfully demonstrates two critical security alerts.
## Features

- **Log Ingestion:** Reads logs from multiple defined sources (`ssh_auth.log`, `web_access.log`).
- **Configuration-Driven:** All log sources, retention periods, and correlation rules are managed via a single `config.yaml` file.
- **Correlation Engine:** Uses a sliding time window to detect threshold breaches (e.g., N events in T seconds) from a single source IP address.
- **Data Handling:** Includes event purging based on a configurable retention period.
- **Robust Parsing:** Handles different log formats (SSH, Web Access) and standardizes timestamps for accurate correlation.
## Setup and Running

### Prerequisites

You need Python 3.x installed and the `pyyaml` library:

```bash
pip install pyyaml
```
### File Structure

Ensure your project structure looks like this:

```text
siem-lite/
├── siemlite.py          # The core Python application
├── config.yaml          # Configuration and correlation rules
└── logs/
    ├── ssh_auth.log     # Sample SSH authentication logs
    └── web_access.log   # Sample web server access logs
```
### Execution

Run the script from your main directory:

```bash
python siemlite.py
```
## Defined Correlation Rules

The system is currently configured to detect the following patterns based on the included log samples:

| Rule Name | Severity | Description | Trigger Condition |
|---|---|---|---|
| SSH_Brute_Force | HIGH | Multiple failed SSH logins from one IP. | 3 failed attempts in 20 seconds. |
| Web_Path_Scanning | MEDIUM | Repeated 404 errors, indicating enumeration. | 2 x 404 status codes in 10 seconds. |
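As an added example (not the project's own `siemlite.py`), here is the sliding-window correlation from the Features list applied to the two rules in the table above, run over constructed `ssh_auth` and `web_access` lines. The rule key names, the year pinned onto year-less syslog timestamps, and the sample lines are assumptions; the rules live in a Python list instead of being loaded from `config.yaml` so the snippet runs without `pyyaml` (Python 3.8+ for the walrus operator).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

SOURCES = {  # per-source timestamp regex and strptime format; syslog lines carry no year
    "ssh_auth": (re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)"), "%b %d %H:%M:%S"),
    "web_access": (re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)"), "%d/%b/%Y:%H:%M:%S"),
}
RULES = [  # the README's two rules; these key names are an assumption, not the real config.yaml schema
    {"name": "SSH_Brute_Force", "severity": "HIGH", "source": "ssh_auth",
     "pattern": r"Failed password .* from (?P<ip>[\d.]+)", "threshold": 3, "window": 20},
    {"name": "Web_Path_Scanning", "severity": "MEDIUM", "source": "web_access",
     "pattern": r'^(?P<ip>[\d.]+) .*" 404 ', "threshold": 2, "window": 10},
]

def parse_event(source, line):  # -> (datetime, line), or None when the line has no timestamp
    regex, fmt = SOURCES[source]
    if not (m := regex.search(line)):
        return None
    ts = datetime.strptime(m.group(1), fmt)
    return (ts.replace(year=2025) if ts.year == 1900 else ts, line)  # pinned year is an assumption

def correlate(events, rules=RULES):  # N matching events from one source IP within T seconds -> alert
    alerts = []
    for rule in rules:
        pattern, recent = re.compile(rule["pattern"]), defaultdict(deque)
        for ts, line in sorted(events.get(rule["source"], [])):  # correlation needs chronological order
            if not (m := pattern.search(line)):
                continue
            (q := recent[m.group("ip")]).append(ts)  # per-IP queue of recent event times
            while (ts - q[0]).total_seconds() > rule["window"]:  # slide: drop events older than the window
                q.popleft()
            if len(q) >= rule["threshold"]:
                alerts.append((rule["name"], rule["severity"], m.group("ip"), ts))
                q.clear()  # one alert per burst, then re-arm the window for that IP
    return alerts

SSH_LOG = (  # constructed: the first failure falls outside the 20 s window, the next three inside it
    "Jan 10 10:00:01 host sshd[900]: Failed password for root from 10.0.0.5 port 50001 ssh2\n"
    "Jan 10 10:00:30 host sshd[901]: Failed password for root from 10.0.0.5 port 50002 ssh2\n"
    "Jan 10 10:00:35 host sshd[902]: Failed password for root from 10.0.0.5 port 50003 ssh2\n"
    "Jan 10 10:00:40 host sshd[903]: Failed password for root from 10.0.0.5 port 50004 ssh2\n"
)
WEB_LOG = (  # constructed: two 404s from one client 6 s apart, with an unrelated 200 in between
    '10.0.0.9 - - [10/Jan/2025:10:00:00 +0000] "GET /admin HTTP/1.1" 404 153\n'
    '10.0.0.10 - - [10/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512\n'
    '10.0.0.9 - - [10/Jan/2025:10:00:06 +0000] "GET /phpmyadmin HTTP/1.1" 404 153\n'
)
def run(logs=(("ssh_auth", SSH_LOG), ("web_access", WEB_LOG))):  # ingest both sources, then correlate
    return correlate({s: [e for e in (parse_event(s, l) for l in t.splitlines()) if e] for s, t in logs})
```

With these samples `run()` yields exactly one alert per rule: the SSH alert fires at 10:00:40, once the three later failures sit inside the window, while the 10:00:01 failure has already been expired; clearing the queue after an alert is one policy for not re-alerting on every further event of the same burst.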