A local, zero-install web dashboard for viewing Rustinel alerts.
Rustinello reads the NDJSON alert files produced by Rustinel straight from a local folder and
renders them as a filterable, searchable, real-time dashboard. It is a single static page — open
index.html in your browser and you're done. No server, no build step, no package manager, no
network calls for your data (alerts never leave your machine).
- Reads alerts straight off disk via the File System Access API — pick a folder, and every `alerts.json.*` file in it is parsed.
- Live auto-refresh every 10 s (toggle Live off to pause).
- Non-disruptive updates — incoming alerts are held behind a "N new alerts available" banner so the table doesn't jump under you; click Load new alerts to merge them. The chart updates immediately.
- Time-series chart — stacked bar chart of alerts per rule, with buckets that adapt (minute / hour / day) to the visible time range. Toggle with Chart.
- Severity at a glance — Critical / High / Medium / Low stat cards; click one to filter by that severity.
- Rich filtering — combine severity, date, and engine pills with full-text search across rule name, process, command line, parent, and executable. An active-filter count shows on the Filters button.
- Duplicate grouping — identical alerts collapse into a single row with a count badge; expand to see every individual event.
- Detailed drill-down — expand any row for structured metadata: timestamps, process & parent details, PE fields, host OS, and event category/severity.
- Rule muting — silence a noisy rule with one click; muted rules persist across reloads and are listed in a removable chip bar.
- Light & dark themes — sun/moon toggle that follows your OS preference until you override it; your choice is remembered.
- One-click reset — clear all state and return to the folder picker.
- Open `index.html` directly in Chrome 86+ or Edge 86+.
- Click Select logs folder in the centre of the page.
- Grant read access to the directory containing Rustinel's `alerts.json.*` files.
- The dashboard loads and refreshes every 10 s. Toggle Live off to pause, Chart on to see the timeline.
That's the whole setup — there is nothing to compile, install, or serve.
Firefox / Safari: the File System Access API is Chromium-only. Other browsers will show a "not supported" message.
Permission denied on Linux? If Rustinel's log files are root-owned, Chromium's sandbox may be unable to read them. Either `sudo chown $USER:$USER /path/to/alerts.json.*`, or run Rustinel without full root using `setcap`. The dashboard surfaces this hint inline when it hits the error.
Alert files must be named `alerts.json.*` (e.g. `alerts.json.1`, `alerts.json.2024-01-15`) and contain newline-delimited JSON (NDJSON) — one alert object per line — using flat ECS-style dotted keys. Malformed lines are skipped silently.
```json
{
  "@timestamp": "2025-01-15T12:34:56.789Z",
  "edr.rule.severity": "High",
  "edr.rule.engine": "sigma",
  "rule.name": "Suspicious PowerShell Execution",
  "rule.description": "Encoded command line observed",
  "event.action": "process_creation",
  "event.category": ["process"],
  "event.severity": 73,
  "process.name": "powershell.exe",
  "process.pid": 1234,
  "process.command_line": "powershell.exe -enc ...",
  "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "process.pe.description": "Windows PowerShell",
  "process.pe.product": "Microsoft Windows Operating System",
  "process.parent.name": "cmd.exe",
  "process.parent.pid": 5678,
  "process.parent.executable": "C:\\Windows\\System32\\cmd.exe",
  "process.parent.command_line": "cmd.exe /c ...",
  "host.os.type": "windows"
}
```

Only `@timestamp` and `rule.name` are really needed to populate a row; every other field is optional and simply renders as — (or is omitted) when absent. `edr.rule.severity` is expected to be one of Critical, High, Medium, or Low — anything else is shown as unknown.
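As an added example (not Rustinello's own `app.js`), the following parses alert text in the format above and applies the rules just described: malformed or non-object lines are skipped, a `edr.rule.severity` outside the four known values becomes `unknown`, and identical alerts collapse into one counted group. The grouping key (every field except `@timestamp`) and the sample input are assumptions, not taken from the project.

```javascript
// Added example, not Rustinello's app.js: parse Rustinel NDJSON alerts as the dashboard
// describes them, then collapse duplicates into counted groups.
const SEVERITIES = new Set(["Critical", "High", "Medium", "Low"]);

// Parse one NDJSON document into alert rows. Blank and malformed lines are skipped, as are
// lines that parse as JSON but are not an object or lack the two required keys.
function parseAlerts(ndjson) {
  const alerts = [];
  for (const raw of ndjson.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    let obj;
    try {
      obj = JSON.parse(line);
    } catch {
      continue; // malformed line: skipped silently
    }
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) continue;
    if (typeof obj["@timestamp"] !== "string" || typeof obj["rule.name"] !== "string") continue;
    const sev = obj["edr.rule.severity"];
    // Any value outside the four known severities is displayed as "unknown".
    alerts.push({ ...obj, severity: SEVERITIES.has(sev) ? sev : "unknown" });
  }
  return alerts;
}

// Collapse alerts identical apart from @timestamp (assumed grouping key; the page only
// says "identical alerts collapse"). Keys are sorted so field order cannot split a group.
function groupDuplicates(alerts) {
  const groups = new Map();
  for (const a of alerts) {
    const key = JSON.stringify(
      Object.keys(a).filter((k) => k !== "@timestamp").sort().map((k) => [k, a[k]])
    );
    const g = groups.get(key);
    if (g) { g.count += 1; g.events.push(a); } else groups.set(key, { count: 1, events: [a] });
  }
  return [...groups.values()];
}

// Constructed sample (not real Rustinel output): two identical alerts, one truncated line,
// one non-object JSON line, one unrecognised severity, one alert without a severity field.
const SAMPLE_NDJSON = [
  '{"@timestamp":"2025-01-15T12:34:56.789Z","edr.rule.severity":"High","rule.name":"Suspicious PowerShell Execution","process.name":"powershell.exe"}',
  '{"process.name":"powershell.exe","rule.name":"Suspicious PowerShell Execution","edr.rule.severity":"High","@timestamp":"2025-01-15T12:35:01.000Z"}',
  '{"@timestamp":"2025-01-15T12:36:00.000Z","edr.rule.severity":"Low","rule.name":"Truncated Line"',
  '[1, 2, 3]',
  '{"@timestamp":"2025-01-15T12:37:00.000Z","edr.rule.severity":"Severe","rule.name":"Odd Severity"}',
  '{"@timestamp":"2025-01-15T12:38:00.000Z","rule.name":"No Severity Field"}',
].join("\n");
```

Running `groupDuplicates(parseAlerts(SAMPLE_NDJSON))` yields three groups, the first with a count of 2, while the truncated and array lines are dropped.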
Everything runs client-side in a single page:

| File | Role |
|---|---|
| `index.html` | Page markup and layout; loads Tailwind via CDN. |
| `app.js` | All application logic — data loading, filtering, grouping, chart, rendering, and event wiring. Organized into clearly commented sections. |
| `styles.css` | Custom styles, severity colour tokens, and the light-theme overrides. |
| `chart.min.js` | A vendored local copy of Chart.js (no CDN). |
State that survives reloads is kept in `localStorage`: muted rules (`mutedRules`) and the theme preference (`rustinello-theme`).
Alert data is read locally through the browser's File System Access API and rendered in-page. It is never uploaded anywhere. The only outbound requests the page makes are for the Tailwind CDN stylesheet/script; Chart.js is bundled locally.

