Building a Lightweight Home SOC with Kibana, Zeek, and Suricata
March 21, 2025
As part of my home cybersecurity lab, I set out to build a streamlined, resource-conscious Security Operations Center (SOC) using Zeek, Suricata, and Kibana. The goal was to get visibility into network activity, detect suspicious behavior, and eventually enrich the logs with GeoIP and custom dashboards.
System Overview
- Kibana + Elasticsearch: Deployed and running on local hardware
- Zeek: Passive network monitoring and protocol analysis
- Suricata: IDS/IPS engine for threat detection
Setup Process
- Installed Zeek and Suricata on the same box to monitor mirrored traffic from my network switch
- Configured Zeek to generate connection (conn), DNS, HTTP, and SSL logs from the mirrored traffic
- Enabled EVE JSON output in Suricata for compatibility with log shippers
- Deployed Filebeat as the log shipper to forward both Zeek and Suricata logs into Elasticsearch
Next Steps
- GeoIP enrichment – Plan to enrich IP logs with location data using Logstash or ingest pipelines
- Dashboards – Working on building visualizations for top talkers, anomalies, and event correlation
- Alerting – Looking into ElastAlert or native Kibana alerts for suspicious events
Why This Setup?
This stack offers great flexibility and transparency for home lab security monitoring. Zeek gives me deep packet-level inspection, Suricata provides threat signatures, and Kibana lets me explore, visualize, and ultimately automate response logic — all with full control and zero reliance on the cloud.
More to come as I refine the setup with additional enrichment, automation, and tuning.