Sentinel is a lightweight, embedded SIEM log pipeline built in Rust for security operations. It ingests, normalizes, and correlates security events from multiple sources, including Network-Beacon C2 detection output, Cowrie honeypot logs, Suricata EVE alerts, syslog (RFC 5424/3164), and arbitrary JSON, into a common schema; enriches them with GeoIP lookups, threat intelligence feed matching, and MITRE ATT&CK mappings; and then stores everything in an embedded DuckDB analytical database for fast time-series queries. A TOML-driven detection rule engine identifies patterns such as brute force attempts and credential stuffing, while a correlation engine links events across sources to reconstruct kill chains and flag critical incidents, such as a C2 beacon source that also attempts honeypot authentication. Outputs include a real-time ratatui TUI dashboard, HMAC-signed webhook alerts, Prometheus metrics, and a full REST API with CSV/JSON export, all running as a single binary with no external service dependencies.
HueCodes/sentinel