# Building an Open SIEM From Scratch

## Introduction

Building a SIEM from open-source components can be particularly challenging, but it is also much more fun. In this article series I will try to share how we can overcome some of the basic challenges we face when building such a toolset, such as:

* **Data normalization.**
* **Event collection and processing.**
* **Alerting: time-based vs. event-centric correlation.**
* **Visualizations and dashboarding.**
* **SIEM metrics and reporting.**

I will be using the following tools:

* **Elastic Stack: Elasticsearch, Kibana, Logstash, and Beats for collecting, processing, storing, and searching data.**
* **OpenDistro for Elasticsearch plugins for Alerting and Security.**
* **ElastAlert for additional alerting features.**
