# MozDef Quick Start Guide

## What is MozDef?

**MozDef is a SIEM (Security Information and Event Management) platform**: an open-source, microservices-based security event management system built on Elasticsearch.

## Quick Installation (Docker)

```bash
# 1. Navigate to the MozDef directory
cd /root/MozDef

# 2. Build Docker images
make build

# 3. Start all services
make run

# 4. Access services
# - Web Interface: http://localhost
# - Kibana: http://localhost:9090/app/kibana
# - Loginput: http://localhost:8080
```

## Quick Commands

```bash
# Start MozDef
make run

# Stop MozDef
make stop

# Rebuild everything
make rebuild

# Clean up (remove containers and volumes)
make clean

# Run tests
make tests

# View logs for one service
docker-compose -f docker/compose/docker-compose.yml -p mozdef logs [service-name]
```

## Send a Test Event

Loginput accepts JSON events over HTTP. Both `timestamp` and `utctimestamp` must be ISO 8601 strings with a UTC offset, as in the example below:

```bash
curl -X POST http://localhost:8080/events \
  -H "Content-Type: application/json" \
  -d '{
    "timestamp": "2024-01-15T10:00:00+00:00",
    "utctimestamp": "2024-01-15T10:00:00+00:00",
    "hostname": "test.example.com",
    "processname": "test.py",
    "processid": 1234,
    "severity": "INFO",
    "summary": "Test event",
    "category": "test",
    "source": "test",
    "tags": ["test"],
    "details": {}
  }'
```

## Service Ports

| Service | Port | URL |
|---------|------|-----|
| Meteor (Web UI) | 80 | http://localhost |
| Kibana | 9090 | http://localhost:9090/app/kibana |
| Loginput | 8080 | http://localhost:8080 |
| Syslog | 514 | UDP/TCP |

## Key Directories

- `/alerts` - Alert definitions and engine
- `/loginput` - HTTP event ingestion endpoint
- `/mq` - Message queue workers
- `/meteor` - Web interface
- `/rest` - REST API
- `/config` - Configuration files
- `/docs` - Documentation

## Create a New Alert

```bash
make new-alert
# Follow the prompts to create the alert and its test files
```

## View Service Status

```bash
docker-compose -f docker/compose/docker-compose.yml -p mozdef ps
```

## Troubleshooting

1. **Services won't start**: Check that Docker has 4GB+ RAM available
2. **Events not appearing**: Check loginput status: `curl http://localhost:8080/status`
3. **View logs**: `docker-compose -f docker/compose/docker-compose.yml -p mozdef logs [service-name]`

## Full Documentation

See `MOZDEF_COMPREHENSIVE_REPORT.md` for complete details.
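The "Send a Test Event" section above shows one hand-written event. The script below is an added example (not MozDef project code) that builds a well-formed event with current UTC timestamps, checks that every field from the curl example is present before sending, and POSTs it to the loginput endpoint. It assumes loginput is reachable at `http://localhost:8080/events` as described in this guide; the hostname, process name and process id are the same placeholder values used in the curl example.

```python
"""Build, validate and send a MozDef test event to loginput.

Added example, not MozDef project code. Assumes loginput listens at
http://localhost:8080/events as in the quick start above.
"""
import json
import urllib.request
from datetime import datetime, timezone

# Field set taken from the curl example in the quick start.
REQUIRED_FIELDS = (
    "timestamp", "utctimestamp", "hostname", "processname", "processid",
    "severity", "summary", "category", "source", "tags", "details",
)


def build_event(summary, hostname="test.example.com", severity="INFO",
                category="test", source="test", tags=None, details=None,
                when=None):
    """Return an event dict with ISO 8601 UTC timestamps.

    `when` may be a timezone-aware datetime; defaults to now (UTC).
    Naive datetimes are rejected so the offset is never guessed.
    """
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    stamp = when.astimezone(timezone.utc).isoformat()
    return {
        "timestamp": stamp,
        "utctimestamp": stamp,
        "hostname": hostname,
        "processname": "test.py",   # placeholder values from the curl example
        "processid": 1234,
        "severity": severity,
        "summary": summary,
        "category": category,
        "source": source,
        "tags": list(tags or ["test"]),
        "details": dict(details or {}),
    }


def missing_fields(event):
    """Return the required fields absent from `event` (empty if complete)."""
    return [field for field in REQUIRED_FIELDS if field not in event]


def send_event(event, url="http://localhost:8080/events", timeout=5):
    """POST `event` as JSON to loginput and return the HTTP status code."""
    missing = missing_fields(event)
    if missing:
        raise ValueError(f"event is missing required fields: {missing}")
    request = urllib.request.Request(
        url,
        data=json.dumps(event).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Send one event and print the status code loginput returned.
    print(send_event(build_event("Test event from python")))
```

Run it after `make run`; then confirm the event arrived via the web interface or Kibana. If it does not appear, check `curl http://localhost:8080/status` first, as the troubleshooting list suggests.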