Enterprise security monitoring at 1/50th the cost. Edge aggregation + 99% data compression means a $18,000/mo Splunk workload runs for $367/mo.
QuickLogs was built by Networkers Home, India's leading Cisco + cybersecurity training institute (Bengaluru, since 2005). It's the same SIEM stack our students learn in the Cybersecurity Pro program, and the one our 4-month paid SOC internship cohort uses to triage real customer logs.
The reason most SOC analyst training stops at "watch Splunk demos" is cost. QuickLogs is the open-source SIEM Networkers Home uses to give every student real hands-on time on log analysis without burning a $50K Splunk POC budget. Book a demo class →
Enterprise-grade security monitoring with 98% cost reduction through edge aggregation and 99% data compression
Traditional SIEMs send every raw event to the cloud. EdgeAI sends only summaries.
| Metric | Traditional SIEM | EdgeAI Telemetry | Savings |
|---|---|---|---|
| Network Traffic | 10,000 events/sec | 100 summaries/sec | 99% |
| Storage | 100% raw events | 1% summaries only | 99% |
| Compute | Parse 10k events | Parse 100 summaries | 99% |
| Monthly Cost | $18,000 | $367 | 98% |
- SSO/OIDC - Azure AD, Okta, Google Workspace, Auth0, Keycloak
- MFA/TOTP - Google Authenticator, Authy support
- RBAC - Granular role-based access control
- API Keys - Scoped access for integrations
- Audit Logging - Complete activity trail with integrity verification
- Multi-channel alerts - Email, Slack, Webhook, PagerDuty
- Smart rules - Risk score thresholds, incident-based, anomaly detection
- Rate limiting - Cooldown periods and max alerts per hour
- Alert management - Acknowledge, resolve, track history
- Role management - Admin, Analyst, Viewer, Security Engineer
- User provisioning - Manual or SSO JIT (Just-in-Time)
- Permission system - Resource-level access control
- Session management - Secure JWT tokens with expiration
```
┌─────────────────────────────────────────────────────────────────┐
│ SINGLE VM (Phase 1 - MVP)                                       │
│ ┌─────────────────┐        ┌───────────────────────────────┐   │
│ │ Edge Agent      │        │ Cloud Server                  │   │
│ │ (Same VM)       │───────▶│ - gRPC Receiver               │   │
│ │                 │  1%    │ - Summary Storage             │   │
│ │ • 60s Windows   │ traffic│ - AI Correlation              │   │
│ │ • Local ML      │        │ - Graph Analysis              │   │
│ │ • zstd (5:1)    │        │ - Web Dashboard               │   │
│ └─────────────────┘        │ - SSO/OIDC Auth               │   │
│                            │ - Alerting Engine             │   │
│                            │ - Audit Logging               │   │
│                            └───────────────────────────────┘   │
│                                                                 │
│ Test: cat events.jsonl | ./edge-agent --test-file /data/...     │
└─────────────────────────────────────────────────────────────────┘
                 │
                 ▼ Phase 2 (Client Testing)
┌─────────────────┐
│ Client Server   │ (Separate Linux VM)
│ - Edge Agent    │ • Runs edge binary
│ - Sends 1%      │ • Buffer on disconnect
└─────────────────┘ • Auto-reconnect
```
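The Phase 2 behaviour in the diagram (buffer on disconnect, drain on auto-reconnect), as an added Python example rather than the project's Rust buffer.rs: summaries the gRPC send cannot deliver go into a SQLite FIFO and are replayed in their original order once the server answers again. `FlakyServer` is a constructed stand-in for the cloud receiver, and the buffer lives in memory here; the real agent would point at a file such as /var/lib/edgeai/buffer.db.

```python
"""Offline buffer for edge summaries (added example; not the project's
buffer.rs). Summaries that cannot be sent are persisted in SQLite and drained
oldest-first once the server is reachable. The send callable is a stand-in
for the project's gRPC client."""
import json
import sqlite3
from typing import Callable


class LocalBuffer:
    """Durable FIFO of pending summaries backed by SQLite."""

    def __init__(self, path: str = ":memory:") -> None:
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pending ("
            " id INTEGER PRIMARY KEY AUTOINCREMENT, payload TEXT NOT NULL)"
        )

    def push(self, summary: dict) -> None:
        with self.db:  # commits on success
            self.db.execute("INSERT INTO pending (payload) VALUES (?)",
                            (json.dumps(summary, sort_keys=True),))

    def pending(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM pending").fetchone()[0]

    def drain(self, send: Callable[[dict], bool]) -> int:
        """Send oldest first and delete a row only after its send succeeded.
        Stops at the first failure so ordering survives the next retry."""
        sent = 0
        rows = self.db.execute(
            "SELECT id, payload FROM pending ORDER BY id").fetchall()
        for row_id, payload in rows:
            if not send(json.loads(payload)):
                break
            with self.db:
                self.db.execute("DELETE FROM pending WHERE id = ?", (row_id,))
            sent += 1
        return sent


class FlakyServer:
    """Constructed stand-in for the cloud receiver: refuses everything while
    `up` is False, otherwise records what it accepted, in order."""

    def __init__(self) -> None:
        self.up = False
        self.received: list = []

    def send(self, summary: dict) -> bool:
        if not self.up:
            return False
        self.received.append(summary)
        return True


def simulate_outage():
    """Three summary windows produced during an outage, then a reconnect.
    Returns (pending before reconnect, pending after, delivered windows)."""
    server = FlakyServer()
    buf = LocalBuffer()
    for window in (0, 60, 120):
        summary = {"window_start": window, "count": 10}
        if not server.send(summary):   # send failed: buffer instead of drop
            buf.push(summary)
    before = buf.pending()             # 3 windows waiting on disk
    server.up = True                   # auto-reconnect succeeded
    buf.drain(server.send)
    after = buf.pending()              # queue fully replayed
    return before, after, [s["window_start"] for s in server.received]


if __name__ == "__main__":
    print(simulate_outage())
```

Deleting the row only after a successful send means a crash mid-drain re-sends a summary rather than losing it, so the receiver should treat (identity_hash, event_type_id, window_start) as an idempotency key.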
- Docker & Docker Compose
- 4 vCPU, 8GB RAM VM
- PostgreSQL 14+
```bash
cd siem-ai   # repository root, where docker-compose.yml lives

# Start PostgreSQL first: `docker-compose exec` needs a running container
docker-compose up -d postgres

# Run database migrations
docker-compose exec postgres psql -U edgeai -d edgeai -f /migrations/001_initial_schema.sql
docker-compose exec postgres psql -U edgeai -d edgeai -f /migrations/003_sso_alerting_audit.sql

# Start all services
docker-compose up -d

# Check status
docker-compose ps

# View logs
docker-compose logs -f cloud-server
docker-compose logs -f edge-agent

# Access dashboard
open http://localhost:3000
```

Default login:
- Email: admin@example.com
- Password: admin123 ⚠️ Change immediately in production, and before port 3000 is reachable from anything other than localhost.
Traditional SIEM (10,000 events/sec, raw events shipped to the cloud):
```
Network Ingress: $5,000/mo  (bandwidth)
Storage:         $10,000/mo (raw events)
Compute:         $3,000/mo  (parsing)
───────────────────────────────
Total:           $18,000/mo
```

EdgeAI Telemetry (same workload, summaries only):
```
Network Ingress: $18/mo   (1% of traffic)
Storage:         $150/mo  (summaries only)
Compute:         $199/mo  (correlation only)
───────────────────────────────
Total:           $367/mo
SAVINGS: 98% ($17,633/mo)
```
- Binary Size: <10MB
- Memory: <50MB RAM
- CPU: <5% single core
- Language: Rust
```rust
// 60-second tumbling window aggregation
let aggregator = WindowAggregator::new(60); // window_seconds

// Local anomaly detection (Isolation Forest); scores above the threshold are reported
let detector = AnomalyDetector::new(70.0); // threshold

// Offline resilience (SQLite buffer), used when the cloud server is unreachable
let buffer = LocalBuffer::new("/var/lib/edgeai/buffer.db");
```

- HTTP API: REST for dashboard (port 8080)
- gRPC: Binary protocol for agents (port 50051)
- Storage: PostgreSQL for summaries
- Correlation: Rule-based AI engine
- Auth: JWT + SSO/OIDC + MFA
```protobuf
message EventSummary {
  bytes identity_hash = 1;             // 16 bytes (Blake3 hash, not a plain-text string)
  uint32 event_type_id = 2;            // 4 bytes (lookup)
  uint32 count = 3;                    // 4 bytes
  uint64 window_start = 4;             // 8 bytes
  map<uint32, uint32> severity_dist = 6;
  bytes compressed_samples = 8;        // zstd compressed
}
// Total: ~50 bytes vs 500 bytes JSON = 10x smaller
```

Supported identity providers:
- Azure Active Directory / Microsoft Entra ID
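The aggregation step behind the 10,000-events-to-100-summaries table above and the `EventSummary` shape just shown, as an added Python example (not the project's aggregator.rs): raw events are grouped into 60-second tumbling windows keyed by (identity hash, event type) and each group becomes one summary with a count, a severity distribution and a few compressed samples. Blake3 is not in the Python standard library, so a 16-byte BLAKE2b digest stands in for `identity_hash`, and zlib stands in for zstd; the `EVENT_TYPE_IDS` lookup table and the input events are constructed for the example.

```python
"""Edge window aggregation (added example; not the project's code).
One summary per (identity, event type, 60-second window); raw identities
never leave the edge, only a 16-byte hash does."""
import hashlib
import json
import zlib  # stand-in for zstd, which needs a third-party package
from collections import Counter, defaultdict

WINDOW_SECONDS = 60
EVENT_TYPE_IDS = {"login_failed": 1, "login_ok": 2, "dns_query": 3}  # assumed lookup table
MAX_SAMPLES = 3  # raw samples kept per summary, compressed


def identity_hash(identity: str) -> bytes:
    # 16 bytes, like the proto field; BLAKE2b here, Blake3 in the project
    return hashlib.blake2b(identity.encode(), digest_size=16).digest()


def aggregate(events: list) -> list:
    buckets = defaultdict(lambda: {"count": 0, "severity": Counter(), "samples": []})
    for ev in events:
        window_start = ev["ts"] - ev["ts"] % WINDOW_SECONDS   # tumbling window
        key = (identity_hash(ev["src"]), EVENT_TYPE_IDS[ev["type"]], window_start)
        b = buckets[key]
        b["count"] += 1
        b["severity"][ev["severity"]] += 1
        if len(b["samples"]) < MAX_SAMPLES:                    # keep evidence, bounded
            b["samples"].append(ev)
    summaries = []
    for (ident, type_id, window_start), b in sorted(
            buckets.items(), key=lambda kv: (kv[0][2], kv[0][1], kv[0][0])):
        summaries.append({
            "identity_hash": ident.hex(),
            "event_type_id": type_id,
            "count": b["count"],
            "window_start": window_start,
            "severity_dist": dict(b["severity"]),
            "compressed_samples": zlib.compress(json.dumps(b["samples"]).encode()),
        })
    return summaries


def decode_samples(summary: dict) -> list:
    return json.loads(zlib.decompress(summary["compressed_samples"]))


def data_reduction_percent(raw: int, summaries: int) -> float:
    return round(100.0 * (1 - summaries / raw), 1) if raw else 0.0


def sample_events() -> list:
    """Constructed input: 990 failed logins from one source inside one window
    (a brute-force burst) plus 10 DNS queries from distinct hosts in the next."""
    base = 1_700_000_040  # divisible by 60, so the burst stays in one window
    events = [{"ts": base + i % 60, "src": "10.0.0.7",
               "type": "login_failed", "severity": 3} for i in range(990)]
    events += [{"ts": base + 60 + i, "src": f"10.0.1.{i}",
                "type": "dns_query", "severity": 1} for i in range(10)]
    return events


if __name__ == "__main__":
    evs = sample_events()
    out = aggregate(evs)
    print(len(evs), "events ->", len(out), "summaries,",
          data_reduction_percent(len(evs), len(out)), "% reduction")
```

The reduction ratio depends on cardinality, not on event volume: 990 identical failed logins collapse to one summary, while 10 DNS queries from 10 different hosts stay as 10 summaries. A noisy, high-cardinality source (one event per distinct host and type per minute) will not get anywhere near the 99% figure, which is worth measuring on real data before quoting it.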
- Okta
- Google Workspace
- Auth0
- Keycloak
- Any OIDC-compliant provider
```bash
# 1. Configure provider in database
psql -U edgeai -d edgeai -c "
INSERT INTO sso_providers (name, provider_type, client_id, client_secret, issuer_url, scopes, is_active, is_default)
VALUES ('Azure AD', 'oidc', 'your-client-id', 'your-secret', 'https://login.microsoftonline.com/{tenant}/v2.0', ARRAY['openid','email','profile'], true, true);
"

# 2. Enable SSO
export ENABLE_SSO=true
export JWT_SECRET=your-256-bit-secret   # generate one with: openssl rand -hex 32
```

See SSO_OIDC_SETUP.md for detailed configuration. Two things to keep in mind: the OIDC client secret is stored in the `sso_providers` table, so database read access is equivalent to holding that secret, and `JWT_SECRET` signs every dashboard session, so anyone who obtains it can mint a token for any user. Keep both out of shell history, container images and committed compose files.
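What `JWT_SECRET` protects, as an added Python example (not the project's auth/mod.rs): an HS256 session token is minted with an expiry and verified with the algorithm pinned, the signature compared in constant time, and expired tokens rejected. The claim names (`sub`, `role`) and the 32-character minimum for the secret are this example's assumptions; only the standard library is used.

```python
"""Session JWTs (added example; not the project's implementation).
HS256 mint/verify with exp checking, using only the standard library."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def load_secret() -> bytes:
    # JWT_SECRET is read from the environment, as in the setup steps above
    secret = os.environ.get("JWT_SECRET", "")
    if len(secret) < 32:  # assumed floor; 'openssl rand -hex 32' yields 64 chars
        raise ValueError("JWT_SECRET must be at least 32 characters")
    return secret.encode()


def mint(sub: str, role: str, secret: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps(
        {"sub": sub, "role": role, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Returns the claims, or None if the token is malformed, uses any
    algorithm other than HS256, has a bad signature, or has expired."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(claims_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":   # the token does not get to choose (alg=none)
        return None
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    demo_secret = b"x" * 32  # constructed; never hard-code a real secret
    tok = mint("admin@example.com", "Admin", demo_secret, ttl=60, now=1000)
    print(verify(tok, demo_secret, now=1030))   # claims
    print(verify(tok, demo_secret, now=1061))   # None: expired
```

Expiry on its own does not revoke a session; if the page's "Session management" needs logout-before-expiry, the server also has to keep a denylist or rotate `JWT_SECRET`, which invalidates every outstanding token at once.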
```bash
curl -X POST http://localhost:8080/api/v1/alerting/rules \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "High Risk Score Alert",
    "condition_type": "risk_score_threshold",
    "risk_score_min": 70,
    "cooldown_minutes": 60,
    "channel_ids": ["uuid-of-slack-channel"]
  }'
```

Notification channels:
- Email (SMTP)
- Slack (webhooks)
- Microsoft Teams
- PagerDuty
- Generic Webhook
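How a `risk_score_threshold` rule like the one created above interacts with the cooldown and max-alerts-per-hour limits listed under smart rules and rate limiting, as an added Python example (not the project's alerting engine). Channel delivery is replaced by a list, the `max_alerts_per_hour` field name and the incident stream are constructed for the example, and the rule is evaluated per incident in time order.

```python
"""Alert rule evaluation with cooldown and hourly cap (added example;
not the project's alerting module)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AlertRule:
    name: str
    risk_score_min: int
    cooldown_minutes: int
    max_alerts_per_hour: int   # assumed field name for the "max alerts per hour" limit
    channel_ids: List[str]


@dataclass
class RuleState:
    last_fired: Optional[float] = None
    fired_at: List[float] = field(default_factory=list)   # fire times in the last hour


class Alerter:
    def __init__(self, rule: AlertRule) -> None:
        self.rule = rule
        self.state = RuleState()
        self.sent = []        # (ts, incident_id, channel_id) instead of a real channel
        self.suppressed = []  # (ts, incident_id, reason)

    def evaluate(self, ts: float, incident: dict) -> bool:
        """True if an alert was dispatched for this incident at time ts (seconds)."""
        r, s = self.rule, self.state
        if incident["risk_score"] < r.risk_score_min:
            return False                               # rule does not match
        if s.last_fired is not None and ts - s.last_fired < r.cooldown_minutes * 60:
            self.suppressed.append((ts, incident["id"], "cooldown"))
            return False
        s.fired_at = [t for t in s.fired_at if ts - t < 3600]   # sliding hour
        if len(s.fired_at) >= r.max_alerts_per_hour:
            self.suppressed.append((ts, incident["id"], "max_per_hour"))
            return False
        s.last_fired = ts
        s.fired_at.append(ts)
        for channel in r.channel_ids:
            self.sent.append((ts, incident["id"], channel))
        return True


def run_demo():
    """Returns (fired flags per incident, suppression reasons in order)."""
    rule = AlertRule("High Risk Score Alert", risk_score_min=70,
                     cooldown_minutes=10, max_alerts_per_hour=2,
                     channel_ids=["slack-soc"])
    alerter = Alerter(rule)
    stream = [  # constructed: (minutes since start, incident)
        (0,  {"id": "inc-1", "risk_score": 85}),   # fires
        (5,  {"id": "inc-2", "risk_score": 90}),   # inside the 10-minute cooldown
        (12, {"id": "inc-3", "risk_score": 40}),   # below threshold
        (15, {"id": "inc-4", "risk_score": 75}),   # second alert this hour
        (30, {"id": "inc-5", "risk_score": 95}),   # hourly cap reached
        (75, {"id": "inc-6", "risk_score": 80}),   # inc-1 aged out of the hour
    ]
    results = [alerter.evaluate(minutes * 60, inc) for minutes, inc in stream]
    return results, [reason for _, _, reason in alerter.suppressed]


if __name__ == "__main__":
    print(run_demo())
```

Suppressed incidents are recorded rather than dropped on the floor: inc-2 (score 90) and inc-5 (score 95) are the highest-risk events in the stream and never reach a channel, which is exactly what an analyst reviewing the alert history needs to be able to see.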
```bash
# Generate 1 million test events
cd test-data
python3 generate_events.py --count 1000000 --output events.jsonl
cd ..   # back to the repo root, where docker-compose.yml lives

# Run through edge agent
docker-compose exec edge-agent ./edgeai-agent \
  --test-file /data/events.jsonl \
  --server http://cloud-server:50051
# Expected: 10,000 raw events → 100 summaries (100:1 reduction)

# Check metrics endpoint
curl http://localhost:8080/api/v1/dashboard/metrics | jq
```

Expected response:
```json
{
  "success": true,
  "data": {
    "data_reduction_percent": 99.0,
    "summaries_received": 100,
    "anomalies_received": 5
  }
}
```

Project layout:
```
siem-ai/
├── edge-agent/                 # Edge aggregation agent (Rust)
│   ├── src/
│   │   ├── aggregator.rs       # 60s window aggregation
│   │   ├── detector.rs         # Isolation Forest ML
│   │   ├── buffer.rs           # SQLite offline buffer
│   │   ├── sender.rs           # gRPC client
│   │   └── main.rs
│   └── Cargo.toml
│
├── cloud-server/               # Cloud aggregation receiver (Rust)
│   ├── src/
│   │   ├── grpc.rs             # gRPC service
│   │   ├── correlation.rs      # AI correlation engine
│   │   ├── storage.rs          # Summary storage
│   │   ├── auth/               # Authentication & SSO
│   │   │   ├── mod.rs          # JWT & middleware
│   │   │   ├── oidc.rs         # OIDC/OAuth2 client
│   │   │   ├── rbac.rs         # Role-based access control
│   │   │   └── mfa.rs          # TOTP MFA
│   │   ├── alerting/           # Alert rules & notifications
│   │   ├── audit/              # Audit logging
│   │   └── api/                # REST API endpoints
│   └── Cargo.toml
│
├── shared/proto/               # Protobuf definitions
│   └── telemetry.proto
│
├── frontend/                   # React + TypeScript dashboard
│   ├── src/
│   │   ├── pages/
│   │   │   ├── Dashboard.tsx
│   │   │   ├── Incidents.tsx
│   │   │   ├── UserManagement.tsx   # User & role management
│   │   │   ├── AlertConfig.tsx      # Alert rules & channels
│   │   │   ├── AuditLogs.tsx        # Audit log viewer
│   │   │   ├── VendorComparison.tsx
│   │   │   └── UserGuide.tsx
│   │   ├── components/
│   │   └── App.tsx
│   └── package.json
│
├── migrations/                 # PostgreSQL schema
│   ├── 001_initial_schema.sql
│   └── 003_sso_alerting_audit.sql
│
├── test-data/                  # Test event generators
├── docker-compose.yml          # Single VM orchestration
└── SSO_OIDC_SETUP.md           # SSO configuration guide
```
| Phase | Timeline | Change |
|---|---|---|
| Phase 1 | Now | Single VM, co-located agent (MVP) |
| Phase 2 | Week 5-6 | Agent moves to client servers |
| Phase 3 | Month 3 | Kafka streaming, multiple agents |
| Phase 4 | Month 6 | Distributed graph DB |
| Feature | Description |
|---|---|
| Identity Hashing | Blake3 (16-byte hashes, not plain text) |
| Transport | gRPC with mTLS |
| Compression | zstd with bounded memory |
| Buffer | Local SQLite encrypted at rest |
| Authentication | JWT tokens with expiration |
| SSO/OIDC | Azure AD, Okta, Google, Auth0, Keycloak |
| MFA | TOTP (Google Authenticator, Authy) |
| RBAC | Granular resource-level permissions |
| Audit | Tamper-evident activity logging |
| API Keys | Scoped access tokens |
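What "tamper-evident" audit logging means in practice, as an added Python example (not the project's audit module, whose integrity scheme this page does not describe): each entry carries the SHA-256 hash of the previous entry, so editing, deleting or reordering any entry breaks the chain from that point on and `verify_chain` reports where. The entry fields and the sample actions are constructed for the example.

```python
"""Hash-chained audit log (added example; not the project's code).
Every entry commits to the previous entry's hash, so a verifier can detect
edits, deletions and reordering anywhere in the history."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64   # prev_hash of the first entry


def entry_hash(entry: dict) -> str:
    # Canonical JSON of every field except the hash itself; prev_hash is
    # inside the body, which is what links the chain.
    body = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, ts: int) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "target": target, "prev_hash": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Returns the seq of the first entry that fails verification,
    or None if the whole chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev:   # gap, reorder or deletion
            return i
        if entry_hash(e) != e["hash"]:                # edited content
            return i
        prev = e["hash"]
    return None


def demo():
    """Constructed history: intact, then an edited entry, then a deleted one.
    Returns the verify_chain result for each case."""
    log = AuditLog()
    log.append("admin@example.com", "user.create", "bob", 1)
    log.append("admin@example.com", "role.assign", "bob:Security Engineer", 2)
    log.append("bob", "alert.acknowledge", "alert-42", 3)
    intact = verify_chain(log.entries)

    edited = json.loads(json.dumps(log.entries))   # deep copy
    edited[1]["actor"] = "bob"                      # rewrite who granted the role
    edited_result = verify_chain(edited)

    deleted = log.entries[:1] + log.entries[2:]     # drop the role assignment
    deleted_result = verify_chain(deleted)
    return intact, edited_result, deleted_result


if __name__ == "__main__":
    print(demo())   # (None, 1, 1)
```

A chain only proves consistency with its own head; an administrator with write access to the table can recompute every hash after an edit. Tamper evidence against that actor needs the current head hash anchored somewhere they cannot write, such as a periodic signed checkpoint or an external append-only store.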
| Metric | Target | Dashboard |
|---|---|---|
| Data Reduction | 99% | ✅ Shows real-time % |
| Events/Sec | 10k → 100 | ✅ Before/after |
| Agent CPU | <5% | 📊 Via heartbeat |
| Agent Memory | <50MB | 📊 Via heartbeat |
| Active Users | - | ✅ User management |
| Alert Status | - | ✅ Alert dashboard |
| Audit Events | - | ✅ Audit log viewer |
| Feature | Splunk | Datadog | EdgeAI (This) |
|---|---|---|---|
| Data Ingestion | $$$/GB | $$$/GB | 99% less |
| Raw Storage | Required | Required | Not stored |
| Edge Processing | ❌ | ❌ | ✅ Core feature |
| Local ML | ❌ | ❌ | ✅ Isolation Forest |
| Offline Buffer | ❌ | ❌ | ✅ SQLite |
| SSO/SAML | ✅ | ✅ | ✅ OIDC |
| MFA | ✅ | ✅ | ✅ TOTP |
| RBAC | ✅ | ✅ | ✅ Granular |
| Alerting | ✅ | ✅ | ✅ Multi-channel |
| Audit Logging | ✅ | ✅ | ✅ Integrity hashed |
| Cost at 10k EPS | $20k/mo | $18k/mo | $367/mo |
- SSO/OIDC Setup Guide - Configure single sign-on
- User Guide - In-app documentation
- Vendor Comparison - Feature comparison
```
POST /api/v1/auth/login
POST /api/v1/auth/sso/login/:provider_id
POST /api/v1/auth/sso/callback/:provider_id
POST /api/v1/auth/mfa/setup
POST /api/v1/auth/mfa/enable
GET  /api/v1/users
POST /api/v1/users
GET  /api/v1/roles
GET  /api/v1/permissions
GET  /api/v1/alerting/rules
POST /api/v1/alerting/rules
GET  /api/v1/alerting/channels
POST /api/v1/alerting/alerts/:id/acknowledge
GET  /api/v1/audit/logs
GET  /api/v1/audit/stats
GET  /api/v1/audit/export
```

- Test with: `docker-compose up`
- Check cost metrics on dashboard
- Verify 99% data reduction
- Run migrations for new features
MIT - See LICENSE file
Built for 5-year production survival with 98% cost savings.