Defensive Security

Nexus SIEM

A full-stack SIEM platform built to monitor, detect, and respond to security threats across Linux servers — real-time dashboard with live log streaming, threat geolocation mapping, automated IP blocking, and NIST-aligned audit controls.

Live · Self-Hosted

Status: Live
Stack: React · Express · PostgreSQL
Started: 2026
nexus.internal/dashboard

8 dashboard pages · 24/7 monitoring · real-time WebSocket streaming · NIST 800-53 aligned
Capabilities

Features

01

Real-Time Log Streaming

The WebSocket server pushes each ingested log event to every connected client as it arrives: live tailing of auth.log, fail2ban.log, and nginx access logs with no client-side polling.

02

PQL Query Language

Custom query syntax for filtering logs — field filters, boolean operators, time ranges, negation, and quoted phrases. Export results as CSV or JSON.
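The query language as an added example, not the project's own PQL implementation: the grammar below is an assumption modelled on the feature list (bare terms search the event's `msg` field, `field:value` is an exact match, `field>=value` and friends give numeric or ISO-8601 time ranges, AND/OR/NOT or a leading `-` combine terms, parentheses group). The sample events are constructed, and the CSV export neutralises spreadsheet formula injection, which matters because exported log content is attacker-controlled.

```javascript
// Added example: PQL-style query tokenizer, recursive-descent parser and
// evaluator over in-memory log events (assumed grammar, not the project's).
function tokenize(q) {
  const tokens = [];
  let i = 0;
  while (i < q.length) {
    if (/\s/.test(q[i])) { i++; continue; }
    const rest = q.slice(i);
    let m;
    if ((m = /^"((?:[^"\\]|\\.)*)"/.exec(rest))) {            // quoted phrase
      tokens.push({ t: 'str', v: m[1].replace(/\\(.)/g, '$1') });
    } else if ((m = /^[()]/.exec(rest))) {                      // grouping
      tokens.push({ t: m[0] });
    } else if ((m = /^(AND|OR|NOT)\b/.exec(rest))) {             // keywords
      tokens.push({ t: m[1] });
    } else if ((m = /^-(?=\S)/.exec(rest))) {                    // `-term` negation
      tokens.push({ t: 'NOT' });
    } else if ((m = /^([A-Za-z_][\w.]*)(<=|>=|<|>|:)/.exec(rest))) { // field operator
      tokens.push({ t: 'field', name: m[1], op: m[2] });
    } else if ((m = /^[^\s()]+/.exec(rest))) {                   // bare word (quote values containing ':')
      tokens.push({ t: 'str', v: m[0] });
    } else {
      throw new Error(`unexpected character at ${i}`);
    }
    i += m[0].length;
  }
  return tokens;
}

function parse(query) {
  const toks = tokenize(query);
  let pos = 0;
  const peek = () => toks[pos];
  const expect = (t) => { const tok = toks[pos++]; if (!tok || tok.t !== t) throw new Error(`expected ${t}`); return tok; };
  const parseOr = () => {
    let node = parseAnd();
    while (peek() && peek().t === 'OR') { pos++; node = { op: 'or', l: node, r: parseAnd() }; }
    return node;
  };
  const parseAnd = () => {                  // adjacent terms are an implicit AND
    let node = parseNot();
    while (peek() && peek().t !== 'OR' && peek().t !== ')') {
      if (peek().t === 'AND') pos++;
      node = { op: 'and', l: node, r: parseNot() };
    }
    return node;
  };
  const parseNot = () => (peek() && peek().t === 'NOT') ? (pos++, { op: 'not', x: parseNot() }) : parseAtom();
  const parseAtom = () => {
    const tok = toks[pos++];
    if (!tok) throw new Error('unexpected end of query');
    if (tok.t === '(') { const node = parseOr(); expect(')'); return node; }
    if (tok.t === 'field') return { op: 'cmp', field: tok.name, cmp: tok.op, value: expect('str').v };
    if (tok.t === 'str') return { op: 'cmp', field: 'msg', cmp: 'contains', value: tok.v };
    throw new Error(`unexpected ${tok.t}`);
  };
  const ast = parseOr();
  if (pos !== toks.length) throw new Error('unbalanced parentheses');
  return ast;
}

function compareField(event, field, cmp, value) {
  const actual = event[field];
  if (actual === undefined || actual === null) return false;
  if (cmp === 'contains') return String(actual).toLowerCase().includes(value.toLowerCase());
  if (cmp === ':') return String(actual).toLowerCase() === value.toLowerCase();
  // Ranges: numeric when both sides are numbers; ISO-8601 UTC timestamps are
  // fixed-width, so plain string comparison orders them correctly.
  const numeric = actual !== '' && value !== '' && !isNaN(actual) && !isNaN(value);
  const [a, b] = numeric ? [Number(actual), Number(value)] : [String(actual), String(value)];
  return cmp === '<' ? a < b : cmp === '>' ? a > b : cmp === '<=' ? a <= b : a >= b;
}

function matches(ast, event) {
  if (ast.op === 'and') return matches(ast.l, event) && matches(ast.r, event);
  if (ast.op === 'or') return matches(ast.l, event) || matches(ast.r, event);
  if (ast.op === 'not') return !matches(ast.x, event);
  return compareField(event, ast.field, ast.cmp, ast.value);
}

function runQuery(query, events) {
  const ast = parse(query);
  return events.filter((e) => matches(ast, e));
}

// CSV export. Cells starting with = + - @ are prefixed with a quote so a
// crafted log line cannot become a formula when the export is opened in a spreadsheet.
function toCsv(rows, columns) {
  const esc = (v) => {
    let s = v === undefined || v === null ? '' : String(v);
    if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
    return /[",\n\r]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
  };
  return [columns.join(','), ...rows.map((r) => columns.map((c) => esc(r[c])).join(','))].join('\n');
}

// Constructed sample events (documentation-range IPs, not real traffic).
const SAMPLE_EVENTS = [
  { ts: '2026-03-01T09:58:12Z', source: 'auth.log', ip: '203.0.113.5', msg: 'Failed password for root from 203.0.113.5 port 51022 ssh2' },
  { ts: '2026-03-01T10:01:40Z', source: 'auth.log', ip: '203.0.113.5', msg: 'Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2' },
  { ts: '2026-03-01T10:02:03Z', source: 'nginx', ip: '198.51.100.7', status: 404, msg: 'GET /wp-login.php HTTP/1.1' },
  { ts: '2026-03-01T10:05:19Z', source: 'auth.log', ip: '192.0.2.10', msg: 'Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2' },
];
```

Usage: `runQuery('ts>=2026-03-01T10:00:00Z AND (status:404 OR "invalid user")', SAMPLE_EVENTS)` returns the second and third sample events; `toCsv(results, ['ts', 'ip', 'msg'])` produces the export.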

03

Automated Threat Response

Autonomous IP blocking through the Hetzner Cloud firewall API, triggered by brute-force, port-scan, and HTTP-abuse detections, with no human in the loop.

04

Threat Geolocation Map

D3.js world map with animated attack-origin dots and country-level aggregation. Attacker IPs are resolved to coordinates through the ip-api.com batch API.
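The lookup pipeline behind the map as an added example, not the project's own code: attacker IPs are de-duplicated, private and reserved addresses are dropped before they waste quota, lookups are cached (including failures) and sent in batches, and results are aggregated per country for the map. The endpoint URL, the 100-IP batch limit and the field list are assumptions taken from ip-api.com's public documentation; note that the free endpoint is plain HTTP, so attacker IPs leave the host unencrypted. The HTTP call is injected so the example runs offline against a constructed fake.

```javascript
// Added example: batched, cached ip-api.com lookups plus per-country aggregation.
const BATCH_URL = 'http://ip-api.com/batch';   // assumed from ip-api.com docs; free tier is HTTP only
const BATCH_SIZE = 100;                          // assumed documented per-request maximum
const GEO_FIELDS = 'status,query,country,countryCode,lat,lon';

// RFC 1918, loopback, link-local, CGNAT and 0/8: never worth a lookup.
const PRIVATE_RE = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.|0\.)/;
function isPublicIpv4(ip) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(ip)
    && ip.split('.').every((o) => Number(o) <= 255)
    && !PRIVATE_RE.test(ip);
}

class GeoResolver {
  // `post(url, body)` performs the HTTP POST and resolves to the parsed JSON array.
  constructor(post, { ttlMs = 24 * 60 * 60 * 1000, now = Date.now } = {}) {
    this.post = post; this.ttlMs = ttlMs; this.now = now;
    this.cache = new Map();                      // ip -> { at, geo | null }
  }
  cached(ip) {
    const hit = this.cache.get(ip);
    return hit && this.now() - hit.at < this.ttlMs ? hit : undefined;
  }
  async resolve(ips) {
    const unique = [...new Set(ips)].filter(isPublicIpv4);
    const pending = unique.filter((ip) => !this.cached(ip));
    for (let i = 0; i < pending.length; i += BATCH_SIZE) {
      const chunk = pending.slice(i, i + BATCH_SIZE);
      const rows = await this.post(BATCH_URL, chunk.map((query) => ({ query, fields: GEO_FIELDS })));
      for (const r of rows) {
        // Failed lookups are cached too, so reserved ranges are not re-queried every refresh.
        const geo = r.status === 'success'
          ? { country: r.country, countryCode: r.countryCode, lat: r.lat, lon: r.lon }
          : null;
        this.cache.set(r.query, { at: this.now(), geo });
      }
    }
    const out = new Map();
    for (const ip of unique) {
      const hit = this.cached(ip);
      if (hit && hit.geo) out.set(ip, hit.geo);
    }
    return out;                                  // ip -> geo, only for resolvable public IPs
  }
}

// Fold attack events onto countries for the map's aggregation layer.
function aggregateByCountry(events, geoByIp) {
  const byCountry = new Map();
  for (const ev of events) {
    const geo = geoByIp.get(ev.ip);
    if (!geo) continue;
    const agg = byCountry.get(geo.countryCode)
      || { countryCode: geo.countryCode, country: geo.country, count: 0, lat: geo.lat, lon: geo.lon };
    agg.count += 1;
    byCountry.set(geo.countryCode, agg);
  }
  return [...byCountry.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample: attack events and a fake `post` standing in for ip-api.com.
const SAMPLE_ATTACKS = [
  { ip: '203.0.113.5' }, { ip: '203.0.113.5' }, { ip: '198.51.100.7' }, { ip: '10.0.0.4' }, { ip: '192.0.2.10' },
];
const FAKE_GEO = {
  '203.0.113.5': { status: 'success', country: 'Netherlands', countryCode: 'NL', lat: 52.37, lon: 4.9 },
  '198.51.100.7': { status: 'success', country: 'Brazil', countryCode: 'BR', lat: -23.55, lon: -46.63 },
  '192.0.2.10': { status: 'fail', message: 'reserved range' },
};
async function fakePost(url, body) {
  fakePost.calls.push(body.length);              // records batch sizes for inspection
  return body.map(({ query }) => ({ query, ...(FAKE_GEO[query] || { status: 'fail', message: 'unknown' }) }));
}
fakePost.calls = [];

async function demo() {
  fakePost.calls = [];
  const resolver = new GeoResolver(fakePost);
  const geo = await resolver.resolve(SAMPLE_ATTACKS.map((e) => e.ip));
  await resolver.resolve(SAMPLE_ATTACKS.map((e) => e.ip));   // second pass is served from cache
  return { countries: aggregateByCountry(SAMPLE_ATTACKS, geo), requests: fakePost.calls.slice() };
}
```

With a real transport, `post` would be a thin wrapper around `fetch` that POSTs the JSON body; everything above it stays the same.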

05

Detection Rules Engine

Full CRUD interface for custom detection rules that alert on log patterns. Define severity, match conditions, and automated response actions from the dashboard.

06

NIST 800-53 Compliance

Audit controls mapped to NIST 800-53: AC-2 (account management and session expiry), AC-7 (login rate limiting), AU-6 (audit review), CM-8 (asset inventory), and SI-10 (input sanitization), all built into the dashboard.

System Design

Architecture

Frontend
React 18 · D3.js · Leaflet · WebSocket · JetBrains Mono
Backend
Node.js · Express · REST API · WebSocket Server
Agent
Bash Agent · auth.log · fail2ban.log · nginx logs · cURL Ingest
Threat Response
Hetzner Cloud API · Auto IP Blocking · Brute Force Detection · Port Scan Detection
Storage
PostgreSQL 16 · Event Store · Detection Rules · Audit Logs
Infrastructure
Docker Compose · Hetzner VPS · Umami Analytics · SSL/TLS
Decisions

Stack Rationale

Why Build Your Own SIEM

Commercial SIEMs are built for enterprise budgets. A self-hosted stack gives full control over detection logic, data retention, and cost — while demonstrating the same engineering skills used to evaluate vendor solutions at JPL.

No-Build Frontend

Single-file React app with in-browser Babel transpilation, so there is no build step and no bundler: ~2,800 lines of UI code served as one HTML file, with D3.js threat mapping and WebSocket streaming.

Autonomous Threat Response

A Node.js module (~700 lines) watches for brute force, port scans, and HTTP abuse patterns, then auto-blocks attacker IPs at the Hetzner firewall level via API — mean time to respond measured in seconds, not minutes.
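The detection rules engine (feature 05) and the autonomous response described here, as one added example that is not the project's ~700-line module: rules are plain data (severity, match condition, threshold, window, action), hits are counted per source IP inside a sliding window, and a firing rule dispatches its action through an injected `blockIp` function standing in for the Hetzner firewall API call. Two guards a practitioner wants before letting this run unattended are included and are my additions: an allowlist so the admin host can never lock itself out, and a cooldown so one attacker does not trigger repeated firewall writes. The auth.log lines are constructed; the parser assumes classic syslog timestamps (no year or zone) logged in UTC.

```javascript
// Added example: data-driven detection rules, sliding-window counting and an
// injected block action. Not the project's own threat-response module.
const AUTH_RE = /^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$/;
const IP_RE = /\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b/;

// Parse one sshd line from auth.log into { source, ts, ip, msg }; null if it is not one.
function parseAuthLine(line, year = 2026) {     // syslog omits the year: assumed
  const m = AUTH_RE.exec(line);
  if (!m) return null;
  const ip = IP_RE.exec(m[4]);
  if (!ip) return null;
  const ts = Date.parse(`${m[1]} ${m[2]} ${year} ${m[3]} UTC`);   // agent host assumed to log in UTC
  return Number.isNaN(ts) ? null : { source: 'auth.log', ts, ip: ip[1], msg: m[4] };
}

// Rules as the dashboard CRUD would store them (assumed schema).
const RULES = [
  { id: 'ssh-bruteforce', severity: 'high',
    match: { source: 'auth.log', pattern: /Failed password|Invalid user/ },
    threshold: 5, windowMs: 60 * 1000, action: 'block' },
  { id: 'ssh-root-login', severity: 'critical',
    match: { source: 'auth.log', pattern: /Accepted \w+ for root/ },
    threshold: 1, windowMs: 0, action: 'alert' },
];

class Detector {
  // blockIp(ip, rule) performs the firewall change; the real module calls the Hetzner API here.
  constructor(rules, { blockIp, allowlist = [], cooldownMs = 60 * 60 * 1000 }) {
    this.rules = rules; this.blockIp = blockIp; this.cooldownMs = cooldownMs;
    this.allowlist = new Set(allowlist);          // never block these (admin/deploy hosts)
    this.hits = new Map();                        // `${ruleId}|${ip}` -> timestamps in window
    this.blocked = new Map();                     // ip -> cooldown expiry (ms)
    this.alerts = [];
  }
  ingest(event) {
    const fired = [];
    for (const rule of this.rules) {
      if (rule.match.source !== event.source || !rule.match.pattern.test(event.msg)) continue;
      const key = `${rule.id}|${event.ip}`;
      const recent = (this.hits.get(key) || []).filter((t) => event.ts - t < rule.windowMs);
      recent.push(event.ts);
      if (recent.length >= rule.threshold) {
        fired.push(this.respond(rule, event));
        this.hits.set(key, []);                   // one burst yields one response
      } else {
        this.hits.set(key, recent);
      }
    }
    return fired;
  }
  respond(rule, event) {
    const alert = { rule: rule.id, severity: rule.severity, ip: event.ip, ts: event.ts, action: 'alert' };
    if (rule.action === 'block') {
      if (this.allowlist.has(event.ip)) alert.action = 'skipped-allowlisted';
      else if ((this.blocked.get(event.ip) || 0) > event.ts) alert.action = 'already-blocked';
      else {
        this.blockIp(event.ip, rule);
        this.blocked.set(event.ip, event.ts + this.cooldownMs);
        alert.action = 'blocked';
      }
    }
    this.alerts.push(alert);
    return alert;
  }
}

// Constructed auth.log sample: a 10-attempt burst, a low-and-slow attacker that
// stays under the window, a burst from the allowlisted deploy host, and a root login.
const line = (hms, pid, msg) => `Mar  1 ${hms} nexus sshd[${pid}]: ${msg}`;
const SAMPLE_AUTH_LOG = [
  ...Array.from({ length: 10 }, (_, i) => line(`10:01:${40 + i}`, 2200 + i, 'Failed password for root from 203.0.113.5 port 51022 ssh2')),
  line('10:09:00', 2230, 'Failed password for root from 198.51.100.7 port 33001 ssh2'),
  line('10:12:00', 2232, 'Failed password for root from 198.51.100.7 port 33002 ssh2'),
  ...Array.from({ length: 5 }, (_, i) => line(`10:20:0${i}`, 2240 + i, 'Failed password for deploy from 192.0.2.10 port 40112 ssh2')),
  line('10:30:00', 2250, 'Accepted password for root from 198.51.100.7 port 33010 ssh2'),
];

function runDetection(lines, opts = {}) {
  const blocks = [];
  const det = new Detector(RULES, { blockIp: (ip, rule) => blocks.push({ ip, rule: rule.id }), allowlist: ['192.0.2.10'], ...opts });
  for (const l of lines) {
    const ev = parseAuthLine(l);
    if (ev) det.ingest(ev);
  }
  return { blocks, alerts: det.alerts };
}
```

Running `runDetection(SAMPLE_AUTH_LOG)` blocks only the bursting 203.0.113.5; the slow attacker never reaches five failures inside the 60-second window, which is the evasion a threshold rule like this cannot see on its own.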

NIST 800-53 Alignment

Audit controls map directly to NIST control families — AC-2 account management, AC-7 login attempt limiting, AU-6 audit review, CM-8 asset inventory, SI-10 input validation. Compliance is a dashboard view, not a spreadsheet.