How to Deploy a Self-Hosted SIEM on Ubuntu 24.04 LTS

June 2024 · 15 min read

This guide walks you through deploying a fully functional self-hosted SIEM on Ubuntu 24.04 LTS. By the end, you will have a live security monitoring platform ingesting logs, running MITRE ATT&CK-aligned detection rules, and generating compliance dashboards.

Prerequisites

Storage matters

ClickHouse is I/O intensive during writes. NVMe SSD gives the best ingestion performance. On VMs, ensure your storage backend is SSD-based.

Step 1: Prepare the Ubuntu Server

sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget gnupg2 ca-certificates

Open the required firewall ports for log ingestion (514 for syslog, 5044 for Filebeat) and the web interface (8080). If you administer the server over SSH, make sure ufw also permits SSH (for example with the OpenSSH application profile) before enabling it, or the enable step will cut off your session:

sudo ufw allow 514/tcp && sudo ufw allow 514/udp
sudo ufw allow 5044/tcp && sudo ufw allow 8080/tcp
sudo ufw enable

Step 2: Install nPro

curl -fsSL https://get.npro.ai | sudo bash

The installer detects your Ubuntu version, installs ClickHouse, configures the syslog listeners on port 514 (TCP and UDP) and the Filebeat input on port 5044, generates TLS certificates, loads MITRE ATT&CK detection rules, and starts all services. The installation completes in 3 to 5 minutes. If you want to review the installer before it runs with root privileges, download it to a file with curl first, read it, and then run that file with sudo bash.

Save your credentials

The installer shows admin credentials once. Save them, then log in at https://YOUR-SERVER-IP:8080.

Step 3: Configure Your First Log Source

Linux server via rsyslog

# /etc/rsyslog.d/99-npro.conf
# Forward every facility and severity to nPro. "@@" selects TCP (the
# listener opened on 514/tcp); a single "@" would send over UDP instead.
*.* @@NPRO_IP:514

sudo systemctl restart rsyslog

Windows server via Filebeat

filebeat.inputs:
- type: winlog            # Windows Event Log input
  event_logs:
    - name: Security      # logon, account and audit events
output.logstash:
  hosts: ["NPRO_IP:5044"] # nPro's Beats input opened by the installer on 5044/tcp

Firewall via syslog

In your firewall admin interface, set the syslog destination to your nPro server IP on port 514. Supported: pfSense, OPNsense, Cisco, Palo Alto, Fortinet, Juniper.
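Before relying on rsyslog or firewall forwarding, it helps to confirm from the source host that the SIEM's TCP 514 listener is reachable and that a well-formed syslog line shows up in the Live Feed. The script below is an added example, not part of nPro or its installer: it checks the port with a plain TCP connect, then sends a few synthetic RFC 3164 lines tagged npro-probe so they are easy to find. The server address is assumed to be passed as the only argument; the event text and the 203.0.113.7 address in it are constructed.

```python
"""Send a synthetic RFC 3164 syslog event to the SIEM's TCP 514 listener.

Added example, not part of nPro. Usage: python3 syslog_probe.py NPRO_IP
"""
import socket
import sys
import time
from typing import Optional

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITY_AUTH = 4        # security/authorization messages (the facility sshd uses)
SEVERITY_WARNING = 4


def rfc3164_timestamp(epoch: Optional[float] = None, utc: bool = False) -> str:
    """'Mmm dd HH:MM:SS' with a space-padded day, as RFC 3164 requires."""
    t = time.gmtime(epoch) if utc else time.localtime(epoch)
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def build_syslog_message(hostname: str, tag: str, msg: str,
                         facility: int = FACILITY_AUTH, severity: int = SEVERITY_WARNING,
                         timestamp: Optional[str] = None) -> bytes:
    """Build '<PRI>TIMESTAMP HOST TAG: MSG\\n'.

    The trailing newline is the framing rsyslog's "@@" TCP forwarding emits,
    so the collector can split consecutive messages on the stream.
    """
    pri = facility * 8 + severity
    ts = timestamp or rfc3164_timestamp()
    return f"<{pri}>{ts} {hostname} {tag}: {msg}\n".encode()


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Pre-flight: can we complete a TCP handshake to the listener?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_events(host: str, port: int = 514, count: int = 3) -> int:
    """Send `count` synthetic probe lines; return the number of bytes written."""
    if not port_open(host, port):
        raise SystemExit(f"{host}:{port} is not reachable: check ufw on the SIEM "
                         f"and that the installer's TCP 514 listener is running")
    sent = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        for i in range(count):
            # Constructed message; 203.0.113.7 is a documentation (TEST-NET-3) address.
            line = build_syslog_message(
                socket.gethostname(), "npro-probe",
                f"test event {i + 1}/{count} from 203.0.113.7: ingestion check")
            sock.sendall(line)
            sent += len(line)
    return sent


if __name__ == "__main__":
    if len(sys.argv) != 2:
        raise SystemExit("usage: syslog_probe.py NPRO_IP")
    n = send_test_events(sys.argv[1])
    print(f"sent {n} bytes; look for tag 'npro-probe' under Events then Live Feed")
```

If the connect fails, the problem is between the hosts (ufw on the SIEM, an intermediate firewall, or the listener not running); if it succeeds but nothing appears in the Live Feed, the listener is up and the issue is on the parsing side, which narrows the search considerably.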

Step 4: Verify Ingestion and Test Detection

Navigate to Events then Live Feed in nPro. You should see events arriving in real time. Test by generating failed SSH login attempts against your source server — the brute force detection rule should fire within seconds and appear under Alerts then Active.
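To know what the brute force rule is looking for, and to sanity-check the threshold you expect it to use, here is an added illustration of the logic such a rule evaluates. It is not nPro's rule or any of the project's code: it runs over sshd lines in the form rsyslog forwards them and fires when a set number of failed passwords from one source address fall inside a sliding time window. The log lines, the threshold (5 failures in 60 seconds) and the addresses are constructed for the example.

```python
"""Illustrative SSH brute-force detection over forwarded sshd log lines.

Added example; the rule logic and sample data are constructed, not nPro's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH authentication failure lines with the RFC 3164 prefix rsyslog adds.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one burst from 203.0.113.7, one stray failure from 198.51.100.4.
SAMPLE_LOG = """\
Jun  5 13:04:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun  5 13:04:03 web01 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Jun  5 13:04:04 web01 sshd[4103]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
Jun  5 13:04:06 web01 sshd[4104]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun  5 13:04:08 web01 sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Jun  5 13:04:09 web01 sshd[4106]: Failed password for invalid user oracle from 203.0.113.7 port 51008 ssh2
Jun  5 13:09:30 web01 sshd[4107]: Failed password for bob from 198.51.100.4 port 40002 ssh2
"""


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """RFC 3164 timestamps carry no year, so one is assumed for the example."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60):
    """Return one alert dict per burst of >= threshold failures within window_s.

    A per-source sliding window keeps only failures newer than window_s
    seconds; the alert fires on the line that makes the count reach the
    threshold and the window is then cleared, so one burst yields one alert
    (the de-duplication a SIEM rule needs to avoid flooding Active alerts).
    """
    windows = defaultdict(deque)
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other daemons are not this rule's concern
        t = parse_ts(m["ts"])
        q = windows[m["src"]]
        q.append((t, m["user"]))
        while q and (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": m["src"],
                "first": q[0][0],
                "last": t,
                "count": len(q),
                "users": sorted({u for _, u in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT ssh brute force from {a['src']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, users {a['users']}")
```

On the sample data the burst from 203.0.113.7 trips the rule on its fifth failure, while the single failure from 198.51.100.4 does not. When you test in Step 4, generate at least as many attempts as the rule's threshold within its window, and note that the source address the alert shows is whatever the sshd line reports, which behind NAT or a bastion may be the intermediate host rather than the client.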

Step 5: Enable Compliance Dashboards

Navigate to Dashboards then Compliance and select your frameworks (ISO 27001, PCI-DSS, PDPA). Schedule automated reports under Reports then Scheduled.

Priority Log Sources

  1. Domain controller / Active Directory — authentication events
  2. Perimeter firewall — connection logs
  3. Web application server — access and error logs
  4. Email gateway — phishing trace chain
  5. Key databases — access logs for sensitive data stores
