Building a Real-Time SOC Dashboard with Elastic Stack, Node.js, and Chart.js

Introduction

In modern cybersecurity operations, detecting and visualizing suspicious activity in real time is critical. In this project, I developed a lightweight yet powerful Security Operations Center (SOC) dashboard that detects and visualizes brute-force login attempts in real time using data from the Elastic Stack.

This project demonstrates how to integrate ElasticSearch, Winlogbeat, Node.js, and Chart.js into a complete end-to-end security monitoring solution.


Architecture Overview

The system is composed of four main components:

  • Winlogbeat: Collects Windows event logs

  • ElasticSearch: Stores and indexes log data

  • Node.js (Express API): Processes and exposes detection logic

  • Frontend Dashboard (Chart.js): Visualizes attack patterns


Data Flow

  1. Windows logs are collected via Winlogbeat

  2. Logs are shipped to ElasticSearch

  3. Node.js queries ElasticSearch using custom APIs

  4. The frontend fetches data and renders real-time charts


Detecting Failed Login Attempts (Event ID 4625)

Windows Event ID 4625 indicates a failed login attempt — a key signal for brute-force attacks.

Using ElasticSearch queries, I filtered logs with a match query on the event.code field (the full search body shown here wraps the match clause in the "query" key that the search API expects):

{
  "query": {
    "match": {
      "event.code": "4625"
    }
  }
}

Building Detection APIs with Node.js

I developed multiple API endpoints using Express:

1. Failed Login Logs

Returns raw failed login events:

GET /api/logs/failed-login

2. Brute Force Detection (User-based)

Aggregates failed attempts per username:

GET /api/detect/bruteforce

This helps identify targeted accounts.

3. Top Attacker IPs

Aggregates failed login attempts by source IP:

GET /api/detect/top-ip

Includes filtering to exclude invalid IPs such as "-", the placeholder Windows writes when no network source address was recorded for the logon.

4. Attack Timeline (Time-based Analysis)

Uses a date histogram aggregation:

GET /api/detect/timeline

This shows how the volume of attacks evolves over time.
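As an added example (not the post's own code), here are the Elasticsearch request bodies behind the user-based and IP-based endpoints above, plus the post-processing that turns an aggregation response into dashboard alerts. The ECS field names event.code, user.name, source.ip and @timestamp are what Winlogbeat emits; the winlog.event_data.IpAddress field, the alert threshold and the sample response are assumptions constructed for this example.

```javascript
// Added example, not the post's code. Assumed: ECS fields from Winlogbeat
// (event.code, user.name, source.ip, @timestamp); the raw
// winlog.event_data.IpAddress field, the threshold and the sample data below
// are constructed for illustration.
const FAILED_LOGON = "4625";

// Shared filter: failed logons in the last `minutes`, excluding events whose
// raw IpAddress is "-" (the invalid value the post mentions).
function failedLogonFilter(minutes) {
  return {
    bool: {
      filter: [
        { term: { "event.code": FAILED_LOGON } },
        { range: { "@timestamp": { gte: `now-${minutes}m` } } },
      ],
      must_not: [{ term: { "winlog.event_data.IpAddress": "-" } }],
    },
  };
}

// One request body serves both endpoints: /api/detect/bruteforce groups by
// "user.name", /api/detect/top-ip groups by "source.ip". size: 0 skips the raw
// hits; min_doc_count lets Elasticsearch drop buckets under the threshold.
function countByQuery(field, minutes, threshold) {
  return {
    size: 0,
    query: failedLogonFilter(minutes),
    aggs: { counts: { terms: { field, size: 20, min_doc_count: threshold } } },
  };
}

// Map aggregation buckets to alert objects, most attempts first.
function toAlerts(esResponse, threshold) {
  const buckets = esResponse.aggregations?.counts?.buckets ?? [];
  return buckets
    .filter((b) => b.doc_count >= threshold)
    .sort((a, b) => b.doc_count - a.doc_count)
    .map((b) => ({
      key: b.key,
      attempts: b.doc_count,
      severity: b.doc_count >= 3 * threshold ? "high" : "medium",
    }));
}

// Constructed sample response in the shape Elasticsearch returns (not real data).
const SAMPLE_RESPONSE = {
  aggregations: { counts: { buckets: [
    { key: "jdoe", doc_count: 6 },
    { key: "administrator", doc_count: 42 },
    { key: "svc_backup", doc_count: 2 },
  ] } },
};
```

The same `toAlerts` function handles the top-IP response unchanged, since both endpoints name their aggregation `counts`.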

Building the SOC Dashboard

The frontend dashboard is built using Chart.js and dynamically fetches data from the backend APIs.

Features:

  • Live list of brute-force alerts

  • Bar chart of top attacker IPs

  • Timeline chart of attack activity

All charts update automatically every few seconds, providing near real-time visibility.


Key Challenges & Lessons Learned

  • ❗ Handling missing or invalid fields (e.g., IP = "-")

  • ❗ Understanding ElasticSearch aggregations

  • ❗ Separating backend (Node.js) from frontend (Chart.js)

  • ❗ Debugging real-time data pipelines


Results

The final system provides:

  • Real-time detection of brute-force attacks

  • Visual insights into attacker behavior

  • A modular architecture ready for scaling


Conclusion

This project demonstrates how to build a practical SOC dashboard using open-source tools. By combining Elastic Stack with a custom Node.js backend and a modern frontend, we can create powerful security monitoring systems with minimal resources.

This is just the beginning of building real-world cybersecurity solutions.
