
Building a Mini SOC Dashboard from Scratch (Node.js + Nginx + Elasticsearch)

Over the past few days, I built a lightweight SOC (Security Operations Center) dashboard from scratch — and honestly, it was a great hands-on experience dealing with real-world debugging, networking issues, and system integration.

Here’s a breakdown of what I built and learned.


Architecture Overview

The system consists of:

  • Node.js API (Backend) → Handles data processing and API endpoints

  • Nginx (Reverse Proxy) → Routes traffic and serves frontend

  • HTML + Chart.js (Frontend Dashboard) → Visualizes attack data

  • Elasticsearch (Planned Integration) → Source of security logs


Step 1: Backend API (Node.js)

I created a simple Express server:

const express = require("express");
const app = express();

// Mock "top attacker IP" data; the { key, doc_count } shape matches the
// buckets of an Elasticsearch terms aggregation, so it can be swapped in later
app.get("/api/top-ip", (req, res) => {
  res.json([
    { key: "192.168.1.10", doc_count: 12 },
    { key: "8.8.8.8", doc_count: 7 },
    { key: "10.0.0.5", doc_count: 4 }
  ]);
});

// Bind to loopback only: Nginx on the same host is the only intended client
app.listen(3000, "127.0.0.1");

This API simulates attacker IPs and request counts.


Step 2: Process Management with PM2

To keep the server running:

pm2 start server.js --name server
pm2 restart server

Step 3: Nginx Reverse Proxy

Configured Nginx to:

  • Serve dashboard

  • Forward /api requests to Node.js

server {
    listen 80;
    server_name api.mydomain;

    location / {
        root /var/www/html;
        index dashboard.html;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:3000;
    }
}

Step 4: Dashboard UI

Built a simple dashboard using HTML + Chart.js:

async function loadTopIps() {
  const res = await fetch("http://api.mydomain/api/top-ip");
  return res.json();
}

Features:

  • Top attacker IP list

  • Real-time updates (every 5 seconds)

  • Bar chart visualization

  • Alert highlighting for high activity
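The polling and rendering loop behind these features, as an added example that is not the post's own dashboard code. The ranking and highlighting logic is kept in a pure function (`toChartData`) so it can be unit-tested outside the browser; the Chart.js/DOM glue only runs when a `document` exists. Assumptions: a `<canvas id="topIpChart">` and a `<ul id="topIpList">` in dashboard.html, Chart.js loaded by a script tag, and an alert threshold of 10 requests. It fetches the relative path `/api/top-ip` rather than the absolute `http://api.mydomain/...` URL, so the request goes to the same Nginx origin that served the page and needs no CORS setup.

```javascript
// Added example: dashboard logic for the Node.js + Nginx SOC dashboard.
// Not code from the original post.

// Assumed threshold above which an IP is highlighted as "high activity".
const ALERT_THRESHOLD = 10;

// Turn API buckets [{ key, doc_count }] into labels, values and bar colours,
// sorted by count descending. IPs at or above the threshold are flagged.
function toChartData(buckets, threshold = ALERT_THRESHOLD) {
  const sorted = [...buckets].sort((a, b) => b.doc_count - a.doc_count);
  const isHot = (b) => b.doc_count >= threshold;
  return {
    labels: sorted.map((b) => b.key),
    values: sorted.map((b) => b.doc_count),
    colors: sorted.map((b) => (isHot(b) ? "rgba(220,53,69,0.8)" : "rgba(54,162,235,0.8)")),
    alerts: sorted.filter(isHot).map((b) => b.key),
  };
}

// Same-origin fetch: Nginx proxies /api/ to the Node backend, so no CORS.
// fetchImpl is injectable so the function can be tested with a fake.
async function loadTopIps(fetchImpl = fetch) {
  const res = await fetchImpl("/api/top-ip");
  if (!res.ok) throw new Error(`API returned HTTP ${res.status}`);
  const data = await res.json();
  if (!Array.isArray(data)) throw new Error("unexpected API payload");
  return data;
}

// Browser-only glue: build the bar chart once, then refresh it every 5 seconds.
function startDashboard(intervalMs = 5000) {
  const ctx = document.getElementById("topIpChart");
  const list = document.getElementById("topIpList");
  const chart = new Chart(ctx, {
    type: "bar",
    data: { labels: [], datasets: [{ label: "Requests", data: [], backgroundColor: [] }] },
  });

  async function refresh() {
    try {
      const view = toChartData(await loadTopIps());
      chart.data.labels = view.labels;
      chart.data.datasets[0].data = view.values;
      chart.data.datasets[0].backgroundColor = view.colors;
      chart.update();

      // Rebuild the attacker list. textContent (not innerHTML) is used because
      // the keys come straight from logs and must be treated as untrusted text.
      list.innerHTML = "";
      view.labels.forEach((ip, i) => {
        const li = document.createElement("li");
        li.textContent = `${ip} (${view.values[i]})`;
        if (view.alerts.includes(ip)) li.classList.add("alert");
        list.appendChild(li);
      });
    } catch (err) {
      console.error("dashboard refresh failed:", err);
    }
  }

  refresh();
  return setInterval(refresh, intervalMs);
}

if (typeof document !== "undefined" && typeof Chart !== "undefined") {
  startDashboard();
}
```

A refresh that fails (backend down, PM2 serving a broken build) logs to the console and leaves the previous chart in place instead of blanking the dashboard, which makes the "empty dashboard" symptom from the challenges section easier to tell apart from a routing problem.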


Challenges Faced

❌ Empty Dashboard

  • Cause: Wrong API endpoint (/api/test instead of /api/top-ip)

❌ 404 Errors

  • Cause: Nginx was not forwarding /api correctly

❌ PM2 Running Old Code

  • Fix: Full restart using pm2 delete + start

❌ No Data from Elasticsearch

  • Cause: Logs didn’t contain real IPs (IpAddress: "-")
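The Elasticsearch side that replaces the mock data from Step 1, as an added example that is not the post's code. It builds a `terms` aggregation over the `IpAddress` field (the field name is taken from the log lines mentioned above), excludes the `"-"` placeholder at query time, and converts the response buckets into the same `[{ key, doc_count }]` shape the dashboard already consumes. Buckets are filtered a second time on the way out so a placeholder or non-IP value never reaches the chart even if the query filter is edited later. The index pattern `web-logs-*`, the `esClient` argument (an `@elastic/elasticsearch` v8 client created elsewhere) and the sample response are assumptions.

```javascript
// Added example: Elasticsearch query and response handling for /api/top-ip.
// Not code from the original post.

const LOG_INDEX = "web-logs-*";     // assumed index pattern
const IP_FIELD = "IpAddress";       // field name from the post's logs
const PLACEHOLDER_IP = "-";         // value logged when no client IP was recorded

// _search body: no hits, only a terms aggregation over the IP field, with the
// placeholder excluded so it never shows up as a (meaningless) top bucket.
function buildTopIpQuery(size = 10, field = IP_FIELD) {
  return {
    size: 0,
    query: { bool: { must_not: [{ term: { [field]: PLACEHOLDER_IP } }] } },
    aggs: { top_ip: { terms: { field, size, order: { _count: "desc" } } } },
  };
}

// Cheap IPv4/IPv6 sanity check so that garbage in the log field is not charted.
function looksLikeIp(value) {
  const v4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
  const v6 = /^[0-9a-f:]+$/i; // loose, enough to reject "-" and free text
  return v4.test(value) || (value.includes(":") && v6.test(value));
}

// Convert an Elasticsearch response into the dashboard payload.
// Placeholder or non-IP keys are dropped (defence in depth around the query filter).
function bucketsToTopIp(esResponse) {
  const buckets = esResponse?.aggregations?.top_ip?.buckets ?? [];
  return buckets
    .filter((b) => typeof b.key === "string" && b.key !== PLACEHOLDER_IP && looksLikeIp(b.key))
    .map((b) => ({ key: b.key, doc_count: b.doc_count }));
}

// Constructed sample response in the shape Elasticsearch returns for a terms
// aggregation, including the "-" bucket the real logs produced.
const SAMPLE_ES_RESPONSE = {
  took: 3,
  hits: { total: { value: 32, relation: "eq" }, hits: [] },
  aggregations: {
    top_ip: {
      doc_count_error_upper_bound: 0,
      sum_other_doc_count: 0,
      buckets: [
        { key: "192.168.1.10", doc_count: 12 },
        { key: "-", doc_count: 9 },
        { key: "8.8.8.8", doc_count: 7 },
        { key: "10.0.0.5", doc_count: 4 },
      ],
    },
  },
};

// Express route replacing the mock handler. Errors are logged server-side and the
// browser only gets a generic 502, never the Elasticsearch error or a stack trace.
function registerTopIpRoute(app, esClient) {
  app.get("/api/top-ip", async (req, res) => {
    try {
      const result = await esClient.search({ index: LOG_INDEX, ...buildTopIpQuery() });
      res.json(bucketsToTopIp(result));
    } catch (err) {
      console.error("elasticsearch query failed:", err.message);
      res.status(502).json({ error: "log backend unavailable" });
    }
  });
}
```

Running `bucketsToTopIp(SAMPLE_ES_RESPONSE)` yields three entries with the `"-"` bucket removed; the same function applied to a response with no `aggregations` key returns an empty array rather than throwing, which keeps the dashboard's polling loop alive while the index is empty.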


Key Lessons

  • Debug step-by-step, not everything at once

  • Always test the API separately (curl)

  • Nginx routing is often the hidden issue

  • Data problems ≠ code problems

  • Start with mock data before real integrations


Current Status

✅ Backend API working
✅ Nginx routing fixed
✅ Dashboard fully functional
🔜 Next: Connect to Elasticsearch + real threat detection


Final Thought

This project started as "why isn't anything working?" and ended as:

"I just built a working SOC dashboard."

