kingvon

@kingvon

Joined May 31st, 2026

  • 15 Devlogs
  • 2 Projects
  • 0 Ships
  • 0 Votes

cybersec dude man, building shit

1h 46m 24s logged

SSH Auth Log Pipeline

damn it was easier than i thought
so i made the complete SSH authentication failure and success events pipeline

what happens is the lil bro (agent) reads the systemd journal logs (yes it only supports this for now T__T) by executing the command journalctl -f -u sshd -o json --since now, which basically makes journalctl run like the tail command, so it streams out the logs only as they are ingested.

the logs are in JSON format, which then gets handled by the Auth Collector in the agent, which has parser functions for password failure and success
then it's just the normal event pipeline (create event -> send to queue -> worker sends the event to backend)
after that it is displayed on the dashboard

next

threshold based rules (first hardcoded, then proper rule table and stuff)
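Added example, not the agent's own code: a parser for the step described above, taking lines in the shape journalctl -f -u sshd -o json emits and turning the password failure/success messages into normalized events. The event type names, the AuthEvent fields and the sample lines are my own constructions; the JSON field names are the real journal ones.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// journalEntry holds the journalctl -o json fields this parser needs (real systemd journal field names).
type journalEntry struct {
	Message   string `json:"MESSAGE"`
	Timestamp string `json:"__REALTIME_TIMESTAMP"` // microseconds since the epoch, as a string
	Hostname  string `json:"_HOSTNAME"`
}

// AuthEvent is the normalized event the Auth Collector hands to the event queue (assumed shape).
type AuthEvent struct {
	Type                 string // "ssh_auth_failure" or "ssh_auth_success"
	User, SourceIP, Host string
	Port                 int
	Invalid              bool // sshd flagged the username as unknown ("invalid user ...")
	Time                 time.Time
}

// The two message shapes the post's parser handles: password failure and password success.
var passwordRe = regexp.MustCompile(
	`^(Failed|Accepted) password for (invalid user )?(\S+) from (\S+) port (\d+) ssh2`)

// ParseJournalLine converts one journalctl -o json line into an AuthEvent. ok is false for sshd
// lines that are not password results (e.g. "Connection closed by ..."); err is set only for bad JSON.
func ParseJournalLine(line string) (ev AuthEvent, ok bool, err error) {
	var e journalEntry
	if jerr := json.Unmarshal([]byte(line), &e); jerr != nil {
		return ev, false, fmt.Errorf("bad journal json: %w", jerr)
	}
	m := passwordRe.FindStringSubmatch(e.Message)
	if m == nil {
		return ev, false, nil
	}
	port, _ := strconv.Atoi(m[5]) // \d+ guarantees a numeric string
	ev = AuthEvent{User: m[3], SourceIP: m[4], Port: port, Invalid: m[2] != "", Host: e.Hostname}
	if m[1] == "Failed" {
		ev.Type = "ssh_auth_failure"
	} else {
		ev.Type = "ssh_auth_success"
	}
	// Use the journal's own timestamp, not time.Now(): with --since the line may be old.
	if us, perr := strconv.ParseInt(e.Timestamp, 10, 64); perr == nil {
		ev.Time = time.UnixMicro(us).UTC()
	}
	return ev, true, nil
}

// ParseLines runs the parser over a batch of lines, dropping lines that are not auth results.
func ParseLines(lines []string) (out []AuthEvent, err error) {
	for _, l := range lines {
		ev, ok, perr := ParseJournalLine(l)
		if perr != nil {
			return out, perr
		}
		if ok {
			out = append(out, ev)
		}
	}
	return out, nil
}

// Constructed sample lines in the shape journalctl -f -u sshd -o json emits (not real captures).
var sampleLines = []string{
	`{"MESSAGE":"Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2","__REALTIME_TIMESTAMP":"1717171717000000","_HOSTNAME":"web01"}`,
	`{"MESSAGE":"Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]","__REALTIME_TIMESTAMP":"1717171717500000","_HOSTNAME":"web01"}`,
	`{"MESSAGE":"Failed password for root from 203.0.113.5 port 51240 ssh2","__REALTIME_TIMESTAMP":"1717171719000000","_HOSTNAME":"web01"}`,
	`{"MESSAGE":"Accepted password for alice from 198.51.100.7 port 40022 ssh2","__REALTIME_TIMESTAMP":"1717171720000000","_HOSTNAME":"web01"}`,
}

func main() {
	events, _ := ParseLines(sampleLines) // the sample lines are well-formed, so the error is ignored here
	for _, ev := range events {
		fmt.Printf("%s %s user=%s invalid=%v from=%s:%d\n", ev.Time.Format(time.RFC3339), ev.Type, ev.User, ev.Invalid, ev.SourceIP, ev.Port)
	}
}
```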

3h 19m 13s logged

Detections

lol this was fun too

the entire detection pipeline

so basically i started Detections work to complete the SOC pipeline (agent -> events -> detections)
and since i have no rule engine set up yet, i hardcoded a Sus Process rule in the detection function
it basically checks events within a time window of 30 seconds and checks their names against sus process names (which is just an array for now)

and the detection function runs on a Background Scheduler every 30 seconds in the backend (not the agent, i don't want that)

and after that it stores the detection in the Detections table, which stores things like: Rule Name, Triggered Events, Context, Status, etc.

and at the end it is displayed beautifully (i love this so much T___T) on the dashboard

thingys made

  1. Backend:
  • Detection model, schemas, etc.
  • /detections/ - gives a list of all detections
  • /detections/{id} - gives the specific detection
  2. Dashboard:
  • /detections - shows all the detections in a table, needs more stuff like filters
  • /detections/[id] - shows detection detail (looks REALLY good)

Next

see the obvious next step is a rule system to store detection rules but i won't do that, see i am planning to add 2 types of rules just like every SOC, they are: direct matching rules and threshold based rules
and i will build both at once but there is nothing yet which can be used with threshold based rules, and i don't want to edit the rule system again and again
so i am planning to make authentication based events first and then work on rules, then process events can be tested with direct matching rules and authentication events can be tested with threshold based rules like SSH brute force attack
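Added example, not the project's code, of the threshold based rule type this post plans next (the SSH brute force case), run over auth events like those the SSH Auth Log devlog above produces. It is written in Go to match the agent code on this page although the real backend is Python; the Event and Detection shapes, field names and sample data are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is the part of the backend's event row a rule needs; Context is the flattened "context" field.
type Event struct {
	ID                int
	HostID, EventType string // EventType e.g. "ssh_auth_failure"
	Context           map[string]string
	CreatedAt         time.Time
}

// Detection mirrors the Detections table columns named in the post.
type Detection struct {
	RuleName, Status string
	TriggeredEvents  []int
	Context          map[string]string
}

// ThresholdRule fires when at least Count events of EventType share one Context[GroupBy] value
// on one host inside Within, e.g. SSH brute force: 5 failures from one source IP within 60 s.
type ThresholdRule struct {
	Name, EventType, GroupBy string
	Count                    int
	Within                   time.Duration
}

// Evaluate is one scheduler tick. lookback is how far back the tick reads events; pass at least
// Within, otherwise a slow brute force spread across several 30 s ticks can never reach Count.
func (r ThresholdRule) Evaluate(events []Event, now time.Time, lookback time.Duration) []Detection {
	groups := map[string][]Event{} // key: host + GroupBy value; map order is random, so is output order
	for _, ev := range events {
		if ev.EventType == r.EventType && now.Sub(ev.CreatedAt) <= lookback {
			k := ev.HostID + "|" + ev.Context[r.GroupBy]
			groups[k] = append(groups[k], ev)
		}
	}
	var out []Detection
	for _, evs := range groups {
		sort.Slice(evs, func(i, j int) bool { return evs[i].CreatedAt.Before(evs[j].CreatedAt) })
		start := 0 // oldest event still within Within of evs[i]: a two-pointer sliding window
		for i := range evs {
			for evs[i].CreatedAt.Sub(evs[start].CreatedAt) > r.Within {
				start++
			}
			if i-start+1 >= r.Count {
				ids := make([]int, 0, i-start+1)
				for _, e := range evs[start : i+1] {
					ids = append(ids, e.ID)
				}
				ctx := map[string]string{"host_id": evs[i].HostID, r.GroupBy: evs[i].Context[r.GroupBy], "count": fmt.Sprint(len(ids))}
				out = append(out, Detection{r.Name, "open", ids, ctx})
				break // one detection per group per tick; dedupe across ticks belongs to the Detections table
			}
		}
	}
	return out
}

// Constructed sample (not real data): 5 failures from one source in 12 s, one lone failure from another
// source, and an old 5-failure burst that must be ignored because it is outside the lookback.
func sampleEvents(t0 time.Time) []Event {
	f := func(id int, ip string, dt time.Duration) Event {
		return Event{id, "host-1", "ssh_auth_failure", map[string]string{"src_ip": ip}, t0.Add(dt)}
	}
	evs := []Event{f(6, "198.51.100.7", 4*time.Second)}
	for i := 0; i < 5; i++ {
		evs = append(evs, f(i+1, "203.0.113.5", time.Duration(3*i)*time.Second))
		evs = append(evs, f(i+7, "192.0.2.9", -10*time.Minute))
	}
	return evs
}

func main() {
	rule := ThresholdRule{"SSH Brute Force", "ssh_auth_failure", "src_ip", 5, 60 * time.Second}
	now := time.Unix(1717171800, 0).UTC()
	for _, d := range rule.Evaluate(sampleEvents(now.Add(-20*time.Second)), now, 30*time.Second) {
		fmt.Printf("%s events=%v ctx=%v\n", d.RuleName, d.TriggeredEvents, d.Context)
	}
}
```

The caveat the sliding window exposes: the scheduler's lookback must be at least the rule's Within, or failures spread across several 30 second ticks never add up, and since one detection per group is emitted per tick, deduplication across ticks has to happen when writing to the Detections table.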

1h 2m 27s logged

Per-event info

so i added a Sheet component from shadcn, which shows all the info of the event like context and all the stuff

not much, just this, and uhhh it was a pain, yeah every frontend thing is a pain.

49m 2s logged

More Details in Process Event

yeah just the title, not much tonight as i have to study

so before this it was just the PID and Name of the process, which is useless, so i made it store this instead:

type ProcessInfo struct {
	PID        int
	PPID       int
	Name       string
	CmdLine    string
	User       string
	Cwd        string
	CreateTime string
}

and i made the event table in the dashboard show only the first 2 fields in context and just say “+x more” at the end.

next will be a sheet component to show the events in detail

2h 6m 4s logged

Process Collector and Event Feed

I’ve been waiting for this lol this was so fun cuz i was locked the hell in
okay so hear me out

so in the agent i made a very basic process collector which has 2 maps, and every 10 seconds it updates the currProcesses map and compares it with prevProcesses; the resulting differences are the processes created/terminated. basic stuff.

and then after that it creates an event struct and uses the event.Emit() function, which just adds the event to a queue (go channel), and another function RunEventWorker() just has a loop which runs as long as the events queue has events in it, and calls the api.SendEvent() function with the event, and that api function is very dynamic cuz the structure of the event payload itself is very dynamic so all types of events can be sent from that small function

and the coolest part about this whole pipeline is that it follows code best practices, each function does only one thing, the collector just collects and emits the event, the event function only adds the event to the queue, then the event worker runs the api function with those events, everything is so organised!!!

and the feed is semi-live, it just polls every 10 seconds.

i REALLY had fun coding this lmao i love go :3

next: probably more process related events or logs
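Added example, not the agent's code, of the collector -> Emit -> RunEventWorker split described above: Diff compares two PID snapshots, Emit only enqueues onto the channel, and the worker drains it into a send function. The snapshots are constructed rather than read from /proc, and the struct fields, event type names and JSON payload keys are assumptions.

```go
package main

import (
	"encoding/json"
	"os"
	"sort"
	"time"
)

// ProcessInfo is what the collector keeps per PID (the fields the later post adds are left out here).
type ProcessInfo struct {
	PID, PPID  int
	Name, User string
}

// Event is the payload the worker posts; JSON names follow the event shape the backend accepts.
type Event struct {
	EventType string      `json:"event_type"` // "process_created" or "process_terminated"
	Context   ProcessInfo `json:"context"`
	CreatedAt time.Time   `json:"created_at"`
}

// queue is the go channel from the post. It is buffered so Emit never blocks the collector on a
// short burst; if the backend is down long enough to fill it, Emit blocks instead of dropping events.
var queue = make(chan Event, 1024)

// Emit only enqueues; it knows nothing about the API.
func Emit(ev Event) { queue <- ev }

// Diff compares two snapshots and returns the created/terminated events, sorted for stable output.
// A PID present in both with a different Name is a reused PID: one terminated plus one created.
func Diff(prev, curr map[int]ProcessInfo, now time.Time) []Event {
	var out []Event
	for pid, p := range curr {
		if old, ok := prev[pid]; !ok || old.Name != p.Name {
			out = append(out, Event{"process_created", p, now})
		}
	}
	for pid, p := range prev {
		if cur, ok := curr[pid]; !ok || cur.Name != p.Name {
			out = append(out, Event{"process_terminated", p, now})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].EventType != out[j].EventType {
			return out[i].EventType < out[j].EventType
		}
		return out[i].Context.PID < out[j].Context.PID
	})
	return out
}

// RunEventWorker drains the queue, handing each event to send (api.SendEvent in the agent), until
// the queue is closed. Failed sends are only counted; a real agent would retry or spool to disk.
func RunEventWorker(send func(Event) error) (sent, failed int) {
	for ev := range queue {
		if err := send(ev); err != nil {
			failed++
			continue
		}
		sent++
	}
	return sent, failed
}

// Constructed snapshots (not read from /proc): systemd and sshd stay, bash 3001 exits, bash 4300
// starts, and PID 4242 is reused by nc after sleep exited.
var prevSnap = map[int]ProcessInfo{
	1: {1, 0, "systemd", "root"}, 812: {812, 1, "sshd", "root"},
	3001: {3001, 812, "bash", "alice"}, 4242: {4242, 1, "sleep", "alice"},
}
var currSnap = map[int]ProcessInfo{
	1: {1, 0, "systemd", "root"}, 812: {812, 1, "sshd", "root"},
	4242: {4242, 3001, "nc", "alice"}, 4300: {4300, 812, "bash", "bob"},
}

func main() {
	// One collector tick: in the agent this runs every 10 seconds against fresh /proc snapshots.
	for _, ev := range Diff(prevSnap, currSnap, time.Now().UTC()) {
		Emit(ev)
	}
	close(queue) // the agent never closes it; done here so the worker returns
	RunEventWorker(func(ev Event) error { return json.NewEncoder(os.Stdout).Encode(ev) })
}
```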

4h 59m 27s logged

Events endpoints and display

problem i faced

wow this was a pain T___T
so basically when i started working on the backend to receive events from lil bro i planned something like this

lil bro -> gets logs -> normalizes and understands it -> sends to backend -> dashboard displays it

and i created the necessary endpoints and database tables schemas what not bruh and halfway through i realized: “damn what about logs??” and it snapped. i realized i wasted like 2 hours on this cuz this system was absolutely trash and not affordable resource-wise cuz we can't shove a whole detection engine in the agent, and we gotta think about it from the analyst side too cuz they gonna see logs for investigations and can't just depend on pre-built event types

better system

so then i decided to go with this kinda system:

agent will see logs -> normalizes them -> sends to backend with logs and events in this kinda structure:

{
    "id": 1,
    "host": {
        "id": "",
        "hostname": ""
    },
    "log": {
        "source": "",
        "raw": "",
        "ingested_at": ""
    },
    "event_type": "",
    "context": {},
    "created_at": ""
}

this would allow the backend to store the events and also the related logs, it also allows saving events with logs cuz not every event is made from a log

and i think this is a nice system, cuz now we can show logs, events, and have a detection engine in backend to create alerts based on rules

so to build this i created:

  1. Logs table, stores logs
  2. Events table, stores events with log ids
  3. /events/ - global event feed
  4. POST /agents/id/event - endpoint for agents to send events

and on the dashboard side i have made /events which displays all events from all hosts in a table, it also has a filter for selecting hosts and/or event types, and also a limit.

next

next i will be working on sending events from lil bro

1h 30m 38s logged

Agents details page

so i added /agents/[id] in the dashboard, which required the same in the backend too so i created the /{id} route in the backend and did the SQL magic to get the data, and also moved the schemas into their own folder cuz it was looking hella messy.
i am using basic cards for displaying agent data, the top cards are mock data for now but soon i will add real data in them, currently it looks like this.

1h 16m 5s logged

Agents Table

so i made /agents and it displays the online agents in a nice table!
i used the shadcn table component to make that, it fetches /agents/ on the backend every 10 seconds and gets the data, ofc handled with the goat tanstack query.

one stupid thing i encountered was the fact that i was not handling the agent status in the backend properly, once it turned online it forever stayed online so i went to work on that first and found out that it's lowk not a good idea to update and store the online/offline status in the database, a better way would be to just use last_seen and check if the agent’s last heartbeat was more than 2 minutes ago, if that's true just make the json data display “offline” in the /agents endpoint, ez.
i will ofc add more status types so i will handle it in a better way, but that's in the future.

and one more stupid thing i came across, and boy call me an idiot cuz i was PULLING my hair trying to figure out why the table wouldn't update even after the backend endpoint was giving the correct status, i thought so many things like cache and shit 😭️ and after like 20 minutes i saw that instead of refetch_interval: 10000 which is 10 seconds, i accidentally made a typo and set it to 100000 which is 100 seconds 😭️

well it works now, and works good.

next: event storage setup probably?

1h 3m 52s logged

Counting Agents

so time to show real data on dashboard
first i installed tanstack cuz i am not going to fetch the same data everywhere, tanstack query will fetch, cache, store, refetch and handle all that, it's a server state management lib.

so using tanstack i created the necessary functions for it to query the server and created the dashboard card component which will display the number of agents.
i am also using shadcn skeleton to show the loading part.

here’s how the cards look

next: agent table

3h 7m 11s logged

Woah hella changes

Dashboard shell: first version

so i made this as the first version, took a lot of time cuz i am super trash in frontend, like SUPER trash and i didn't want to use AI on it. so after more than a whole hour i completed the first version. it was so hard to make the collapsing thingy work because the style would always mess up and wouldn't go properly inside when clicking on the collapse button. after a shit ton of effort it looked okay and was done.
the first image is how the first version looked

Dashboard shell: final version

after showing my friend he gave it 2/10, and it triggered my perfection-seeking self 💔️ and my friend suggested tweakcn for shadcn colors and told me to use sidebar 8 of the shadcn sidebar (i didn't even know sidebars existed in shadcn lmao)
so i used that and spent hella time on that too cuz it was still a bit complicated, shadcn gave so many files i was lowk confused which type of nav to use for what things, but at the end it worked and looks beautiful and better!
second image is the current one!

Other minor changes

added cors and stuff in the backend so it allows requests from the dashboard, it's just localhost for now but i will have to find a permanent solution to that

next thing i will do is display the lil bro's info

1h 9m 58s logged

heartbeats 💓

now the lil bro (agent) can send heartbeats!
wow so i am new to go and just discovering the beautiful package based folder structure, makes a lot of sense!

so i made a function to send the api request, a function to construct the heartbeat by getting system info (the UUID is passed from the GetConfig() function), and a function to get sys info which includes hostname, os name, and kernel version

at first i thought of adding os version instead but getting os version was kinda a pain so i just switched it to kernel version, might add os version later

image 1: heartbeats being sent
image 2: data from postgres, you can see the registered_at vs last_seen (which gets updated from heartbeats)

1h 0m 34s logged

GO GO LIL BRO

making the lil bro (agent) with go!
so i set up the go environment, i am actually a beginner in go lol i am using this project as an excuse to learn go :3

so i wrote some basic code in main.go to get started, and made internals/config.go which has 3 functions: EnsureConfig(), CreateConfig(), and GetConfig(). when the code runs it checks with the ensure function and creates a new config if one is not found in ~/.config/lilbro/config.json. and GetConfig is just get config lol, using simple json marshalling with go

the screenshot shows the config file that got saved

1h 7m 33s logged

Heartbeats on backend!

so the lilbros (agents) will send heartbeats every few minutes and to handle that i first made a /register endpoint where the agents will first register and then start sending heartbeats, but then thought that agents will also restart and i will have to treat their registration attempt as a heartbeat, so there's a thin line between /register and /heartbeat so i just merged them into /heartbeat lol

so now the agent generates a UUID locally and sends it alongside other metadata about the system to the backend, and the backend checks if the agent exists, then it just updates the last_seen in the database and other metadata, and if it doesn't then it creates a new agent, simple as hell

again, don't have much to show right now as no UI lol

47m 27s logged

Switched to SQLAlchemy from psycopg

hi i am back
did it because i started working on the /agents/registration endpoint but the psycopg.connect(…) bla bla looked hella weird everywhere so i just ragequit and installed SQLAlchemy, then made the models (only the agent table for now) and set up a simple function get_db() to get a quick db session, fixed my problem ezzz

not using alembic rn tho, will do in future

i dont have anything to show so i will just show this ig?

1h 36m 59s logged

HIIIIII, first dev log!

so i started working on the docker setup first so i can spin up a postgres container, so i wrote a docker compose file, also had some problems cuz postgres-18 wouldn't take the /var/lib/bla/bla path, that was a small issue tho, fixed that quick.

then i started working on the connection part so i used psycopg on python backend to connect to my pgsql container

after that i had to make tables, which took the most time lmao cuz it was hard to decide how i should do it, first i thought i should use SQLAlchemy and the whole database migration setup but that felt too much for now, so i went the usual way using psycopg and decided to create tables using CREATE TABLE IF NOT EXISTS, even with that my dumb ahh spent time making sure i wrote the init_db() function the best way lmao, but at the end it worked nice and created the table

after that i just setup fastapi and created / endpoint which just returns “hello fellas :3”
