MozDef Quick Start Guide
What is MozDef?
MozDef (the Mozilla Defense Platform) is an open-source SIEM (Security Information and Event Management) platform: a set of microservices built around Elasticsearch for event storage and search, a message queue for the event-processing workers, and a Meteor web interface.
Quick Installation (Docker)
# 1. Navigate to MozDef directory
cd /root/MozDef
# 2. Build Docker images
make build
# 3. Start all services
make run
# 4. Access services
# - Web Interface: http://localhost
# - Kibana: http://localhost:9090/app/kibana
# - Loginput: http://localhost:8080
Quick Commands
# Start MozDef
make run
# Stop MozDef
make stop
# Rebuild everything
make rebuild
# Clean up (remove containers and volumes)
make clean
# Run tests
make tests
# View logs
docker-compose -f docker/compose/docker-compose.yml -p mozdef logs [service-name]
Send a Test Event
curl -X POST http://localhost:8080/events \
-H "Content-Type: application/json" \
-d '{
"timestamp": "2024-01-15T10:00:00+00:00",
"utctimestamp": "2024-01-15T10:00:00+00:00",
"hostname": "test.example.com",
"processname": "test.py",
"processid": 1234,
"severity": "INFO",
"summary": "Test event",
"category": "test",
"source": "test",
"tags": ["test"],
"details": {}
}'
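The same test event built and submitted from Python, with a shape check on the event before it is sent and the loginput /status call used in the Troubleshooting section. This is an added example, not MozDef project code: it assumes loginput listens on http://localhost:8080 as in the port table, takes the severity names from the syslog levels (an assumption about what loginput accepts), and the function names build_event, validate_event, send_event and loginput_status are chosen here.

```python
"""Build, validate and POST a MozDef event to the loginput HTTP endpoint.

Added example, not MozDef project code. Assumes loginput is reachable at
http://localhost:8080 as in the Docker quick start above.
"""
import json
import urllib.request
from datetime import datetime, timezone

LOGINPUT_URL = "http://localhost:8080"  # port from the Service Ports table
# Assumed: syslog severity names, as used by the "INFO" in the curl example.
SEVERITIES = {"DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRITICAL", "ALERT", "EMERGENCY"}
# Every field the curl example sends.
REQUIRED = ("timestamp", "utctimestamp", "hostname", "processname", "processid",
            "severity", "summary", "category", "source", "tags", "details")


def utc_now() -> str:
    """ISO 8601 timestamp with an explicit +00:00 offset, matching the curl example."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_event(summary, category, hostname, processname="mozdef-client.py",
                processid=1, severity="INFO", source="test", tags=None,
                details=None, when=None):
    """Return an event dict with every field from the curl example populated."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    ts = when or utc_now()
    return {
        "timestamp": ts,
        "utctimestamp": ts,       # same instant; both fields are sent in UTC
        "hostname": hostname,
        "processname": processname,
        "processid": int(processid),
        "severity": severity,
        "summary": summary,
        "category": category,
        "source": source,
        "tags": list(tags or []),
        "details": dict(details or {}),
    }


def validate_event(event) -> list:
    """Return a list of problems; an empty list means the event has the curl example's shape."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in event]
    if "severity" in event and event["severity"] not in SEVERITIES:
        problems.append(f"bad severity: {event['severity']!r}")
    if "tags" in event and not isinstance(event["tags"], list):
        problems.append("tags must be a list")
    if "details" in event and not isinstance(event["details"], dict):
        problems.append("details must be an object")
    for k in ("timestamp", "utctimestamp"):
        if k not in event:
            continue
        try:
            datetime.fromisoformat(event[k])
        except (TypeError, ValueError):
            problems.append(f"{k} is not ISO 8601")
    return problems


def send_event(event, base_url=LOGINPUT_URL, timeout=5) -> int:
    """POST the event as JSON to loginput's /events; returns the HTTP status code."""
    problems = validate_event(event)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{base_url}/events",
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def loginput_status(base_url=LOGINPUT_URL, timeout=5) -> str:
    """GET /status (the Troubleshooting check); returns the response body as text."""
    with urllib.request.urlopen(f"{base_url}/status", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample event; 192.0.2.10 is a documentation address.
    ev = build_event("Test event from python", "test", "test.example.com",
                     tags=["test"], details={"sourceipaddress": "192.0.2.10"})
    print("loginput status:", loginput_status())
    print("HTTP", send_event(ev))
```

Run it with the stack up (`make run`); the event should then be visible in the web interface and in Kibana. validate_event runs before every send, so a malformed event is rejected locally with a reason instead of disappearing silently in the pipeline.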
Service Ports
| Service | Port | URL / Protocol |
|---|---|---|
| Meteor (Web UI) | 80 | http://localhost |
| Kibana | 9090 | http://localhost:9090/app/kibana |
| Loginput | 8080 | http://localhost:8080 |
| Syslog | 514 | UDP/TCP |
Key Directories
- /alerts - Alert definitions and engine
- /loginput - HTTP event ingestion endpoint
- /mq - Message queue workers
- /meteor - Web interface
- /rest - REST API
- /config - Configuration files
- /docs - Documentation
Create a New Alert
make new-alert
# Follow prompts to create alert and test files
View Service Status
docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
Troubleshooting
- Services won't start: check that Docker has at least 4 GB of RAM available
- Events not appearing: check the loginput status endpoint:
  curl http://localhost:8080/status
- View the logs of a single service:
  docker-compose -f docker/compose/docker-compose.yml -p mozdef logs [service-name]
Full Documentation
See MOZDEF_COMPREHENSIVE_REPORT.md for complete details.