VSentry is a cloud-native SIEM (Security Information & Event Management) + SOAR (Security Orchestration, Automation & Response) platform designed for modern Kubernetes environments. Built for security teams who need enterprise-grade detection and response capabilities without the enterprise complexity.
Vision: Becoming the missing DFIR (Digital Forensics & Incident Response) control plane for cloud-native runtime security tools like Falco and Tetragon.
- Cloud-Native First: Designed from ground up for Kubernetes, with Helm deployment and cloud-native data pipelines
- OCSF Native: Full support for Open Cybersecurity Schema Framework - ingest, normalize, and analyze security events in vendor-neutral format
- Ephemeral Forensics: Purpose-built for container lifecycle - capture evidence before it's gone
- Falco/Tetragon Console: The missing response layer for CNCF runtime security projects
- Open Source: Apache 2.0 licensed, community-driven
- Log Collection & Ingestion - HTTP API with token authentication, OCSF compliance
- Log Storage - Powered by VictoriaLogs for high-performance, cloud-native storage
- Log Query - Search and analyze logs with LogSQL
- Custom Tables - Define custom log groupings using stream fields
- OCSF Support - Open Cybersecurity Schema Framework compliant log normalization
- Detection Rules - Create rules with cron-based scheduling (down to seconds)
- Incident Management - Track and manage security incidents with full lifecycle
- Investigation Center - Pre-built investigation templates with timeline view and directive suggestions
- Forensics - EVTX/PCAP upload, automatic parsing, and timeline analysis
- SOAR Automation - Visual workflow automation with React Flow
- Falco Connector - Native integration with Falco alerts
- Tetragon Connector - eBPF-based runtime security events
- Collectors - Build native Go agents for Windows, Linux, and macOS with OCSF output
- User Management - Multi-user with role-based access
- System Settings - Configure external URLs and parameters
Real-time security overview with alerts, severity distribution, and recent activity
Powerful LogSQL-based log query with time range filtering, real-time search, and multiple view modes
Rules list page showing all detection rules and their status
Create/Edit rules with LogSQL expressions, cron scheduling (down to seconds), and severity levels
Security incident center: auto-generated alerts when logs match rules, showing status, severity, count
Incident detail modal: view raw logs, severity, status; support acknowledge/resolve actions
Security investigation center: timeline view, directive suggestions, context panel, and pre-built investigation templates
Digital forensics center: upload and analyze EVTX, PCAP, and text files with automatic parsing
Forensics workspace: timeline analysis, artifact extraction, and evidence correlation
Visual workflow orchestration connecting detection rules to response actions (HTTP, email, conditions)
Log endpoint management: generate API addresses and auth tokens for collectors to push logs
Build cross-platform log collectors (Windows/Linux/macOS) with one-click config generation
Select template and configure collector: choose data sources, mapping rules, target endpoint
Windows Event Collector: Native Go agent, zero-dependency deployment, OCSF format output
Linux Event Collector: Native Go agent, supports syslog, auditd, and OCSF format output
System administration: user management, collector config, appearance settings
```
┌─────────────────────────────────────────────────────────────┐
│                     VSentry (Go + Gin)                      │
│  ┌─────────────────┐  ┌─────────────────────────────────┐   │
│  │   React SPA     │  │  REST API + Ingest Endpoint     │   │
│  │ (Static Files)  │  │  (Auth, Rules, Playbooks...)    │   │
│  └─────────────────┘  └─────────────────────────────────┘   │
└─────────────────────────┬───────────────────────────────────┘
                          │
        ┌─────────────────┼─────────────────┐
        │                 │                 │
        ▼                 ▼                 ▼
┌───────────────┐ ┌───────────────┐  ┌─────────────┐
│ VictoriaLogs  │ │    SQLite     │  │  Collector  │
│ (Log Storage) │ │  (Metadata)   │  │   Agents    │
│     :9428     │ │               │  │   (Push)    │
└───────────────┘ └───────────────┘  └─────────────┘
        │                                   │
        └──────────────┬────────────────────┘
                       ▼
        ┌─────────────────────────────┐
        │  Cloud-Native Integrations  │
        │  • Falco (CNCF Sandbox)     │
        │  • Tetragon (CNCF Sandbox)  │
        │  • OCSF Normalization       │
        └─────────────────────────────┘
```
```bash
# Add Helm repository
helm repo add vsentry https://laenix.github.io/vsentry-charts
helm repo update

# Install with default values
helm install vsentry vsentry/vsentry

# Or with custom values
helm install vsentry vsentry/vsentry -f values.yaml
```

```bash
# Clone the repository
git clone https://github.com/laenix/vsentry.git
cd vsentry

# Start all services
make docker-up

# Access at http://localhost:8088
# Default login: admin / admin123
```

```bash
cd backend

# Build
go build -o vsentry .

# Run
./vsentry
```

```bash
cd frontend

# Install dependencies
npm install

# Development
npm run dev

# Production build
npm run build
```

VSentry is designed for cloud-native environments. Deploy in minutes:

```bash
# Minimal deployment
kubectl create namespace vsentry
helm install vsentry vsentry/vsentry -n vsentry

# With external VictoriaLogs
helm install vsentry vsentry/vsentry \
  --set victorialogs.enabled=false \
  --set victorialogs.url=http://victorialogs:9428

# With ingress
helm install vsentry vsentry/vsentry \
  --set ingress.enabled=true \
  --set ingress.hostname=vsentry.example.com
```

| Parameter | Description | Default |
|---|---|---|
| replicaCount | Number of replicas | 1 |
| image.repository | Container image repository | laenix/vsentry |
| image.tag | Image tag | latest |
| service.type | Service type | ClusterIP |
| service.port | Service port | 8088 |
| ingress.enabled | Enable ingress | false |
| victorialogs.enabled | Deploy embedded VictoriaLogs | true |
| persistence.enabled | Enable persistence | false |
| persistence.storageClass | Storage class | standard |
| persistence.size | PVC size | 10Gi |
```bash
# Method 1: Using .env file
echo "EXTERNAL_URL=http://your-server-ip:8088" > .env
docker-compose up -d

# Method 2: Direct command line
EXTERNAL_URL=http://192.168.1.100:8088 docker-compose up -d
```

Available Environment Variables:

| Variable | Description | Default |
|---|---|---|
| EXTERNAL_URL | External URL for collector endpoint generation | http://localhost:8088 |
| VICTORIALOGS_URL | VictoriaLogs service URL | http://victorialogs:9428 |
| JWT_SECRET | JWT secret key | your-secret-key-change-in-production |

Tip: For production, always set EXTERNAL_URL to your public IP or domain (e.g., http://192.168.1.100:8088 or https://vsentry.yourdomain.com). This ensures the built collectors can correctly report to your server.
Configuration file: backend/config/config.yaml
```yaml
server:
  port: "8080"
  external_url: "http://localhost:8088"
victorialogs:
  url: "http://localhost:9428"
database:
  path: "vsentry.db"
jwt:
  secret: your-secret-key-change-me
```

| Path | Method | Description |
|---|---|---|
| /api/login | POST | User login |
| /api/ingest/collect | POST | Log ingestion (with token) |
| /api/ingestmanager/* | * | Ingest management |
| /api/connectors/* | * | Third-party integrations |
| /api/collectors/* | * | Collector builder |
| /api/customtables/* | * | Custom table definitions |
| /api/rules/* | * | Detection rules |
| /api/incidents/* | * | Incident management |
| /api/playbooks/* | * | SOAR automation |
| /api/users/* | * | User management |
| /api/select/logsql/query | POST | Log query (auth required) |
| /api/select/logsql/hits | POST | Query hits count |
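As an added example (not VSentry's own collector code), the following Go program shows the kind of work a Linux collector does before it hits /api/ingest/collect: it maps a constructed sshd "Failed password" syslog line to an OCSF Authentication event (class_uid 3002) and pushes it with a collector token. The endpoint URL, the token placeholder, the bearer-token header and the JSON body shape are assumptions; verify them against the endpoint and token generated in Log endpoint management.

```go
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"time"
)
var sshdFailed = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)
// ParseSSHFailure maps an sshd "Failed password" syslog line to an OCSF Authentication event.
func ParseSSHFailure(line string, now time.Time) (ev map[string]any, ok bool) {
	m := sshdFailed.FindStringSubmatch(line)
	if m == nil {
		return nil, false // not a failed login: the caller skips the line
	}
	return map[string]any{
		"class_uid": 3002, "category_uid": 3, // Authentication class in the IAM category
		"activity_id": 1, "type_uid": 300201, // Logon; type_uid = class_uid*100 + activity_id
		"severity_id": 3, "status_id": 2, // Medium severity, Failure status
		"time": now.UnixMilli(), "message": line, // OCSF time is epoch milliseconds
		"user": map[string]any{"name": m[1]},
		"src_endpoint": map[string]any{"ip": m[2]},
		"metadata": map[string]any{"version": "1.1.0", "product": map[string]any{"name": "example-collector"}},
	}, true
}
// Push posts the event as JSON; the bearer-token header is an assumption, check the generated endpoint.
func Push(endpoint, token string, ev map[string]any) error {
	body, _ := json.Marshal(ev) // only strings, ints and nested maps: cannot fail
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("ingest rejected event: %s", resp.Status) // e.g. a revoked or wrong token
	}
	return nil
}
func main() { // constructed sample line (not real data); endpoint URL and token are placeholders
	if ev, ok := ParseSSHFailure("Jan 12 10:15:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2", time.Now()); ok {
		fmt.Println(Push("http://localhost:8088/api/ingest/collect", "REPLACE_WITH_COLLECTOR_TOKEN", ev))
	}
}
```

Once the event lands in VictoriaLogs, a detection rule on status_id:2 grouped by src_endpoint.ip is the natural brute-force check to build in the Rules page.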
```
vsentry/
├── backend/              # Go backend (Gin + GORM)
│   ├── controller/       # HTTP handlers
│   ├── model/            # Data models
│   ├── middleware/       # Auth middleware
│   ├── ingest/           # Log ingestion
│   ├── automation/       # SOAR engine
│   └── config/           # Configuration
├── frontend/             # React frontend
│   ├── src/
│   │   ├── pages/        # Page components
│   │   ├── services/     # API services
│   │   └── lib/          # Utilities
│   └── public/           # Static assets
├── helm/                 # Helm charts
├── config/               # Sample configs
├── scripts/              # Utility scripts
├── docs/                 # Documentation
├── docker-compose.yml    # Docker compose
├── nginx.conf            # Nginx config
├── Makefile              # Build automation
└── README.md             # This file
```
- Falco - CNCF runtime security project
- Tetragon - CNCF eBPF-based security observability
- Palo Alto Networks
- CrowdStrike
- AWS CloudTrail
- Azure Sentinel
- GCP Cloud Logging
- Splunk
- Elasticsearch
- FortiGate
- Cisco Umbrella
- Mimecast
See backend/controller/connector.go for full list.
Contributions are welcome! Please read our Contributing Guide first.
- Fork the repo
- Create your feature branch (git checkout -b feature/amazing)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing)
- Open a Pull Request
This project is licensed under the Apache License, Version 2.0 - see the LICENSE file for details.
- VictoriaMetrics - Log storage
- Falco - Cloud-native runtime security
- Tetragon - eBPF security observability
- OCSF - Open Cybersecurity Schema Framework
- Gin - Web framework
- React Flow - Workflow automation UI
Built with ❤️ by Boris Xu