Gatekeeper inqaba-security/gatekeeper
v1.x

Installation

Install the package#

If the package is published to a Composer repository:

composer require inqaba-security/gatekeeper

Service provider & facade#

Both are auto-discovered. The Siem facade and all middleware aliases (siem.block, siem.abuse, siem.scan, siem.enum, siem.honeypot) are registered automatically, and honeypot routes register themselves from config.

Publish the configuration#

php artisan vendor:publish --tag=siem-config

This copies the package config to config/siem.php. Most settings are driven by environment variables, so day-to-day tuning happens in .env — publishing matters mainly for list-based settings like honeypot paths, redaction keys and detection thresholds.

To customize the honeypot Blade component, publish the views as well:

php artisan vendor:publish --tag=siem-views

Choose your destinations#

SIEM_SINKS=sentinel,wazuh,slack
SIEM_QUEUE=true

Available sinks: sentinel, wazuh, syslog, slack, teams, log, null. Events are shipped to every active sink (subject to each sink's severity floor).

Run a queue worker#

With SIEM_QUEUE=true (recommended), events ship on the siem queue:

php artisan queue:work --queue=siem

In production, supervise this like any other worker (Supervisor, Horizon, etc.). Setting SIEM_QUEUE=false ships synchronously in the request — acceptable for the log and wazuh (file) sinks, not recommended for network sinks.

Verify connectivity#

php artisan siem:test                  # sends a test event to every active sink
php artisan siem:test --sink=sentinel  # test a single sink

Each sink reports success or the exact failure reason:

✔ [sentinel] event delivered
✘ [wazuh] Unable to create Wazuh log directory [/var/log/gatekeeper].

A sensible production starting point:

SIEM_ENABLED=true
SIEM_SINKS=sentinel,wazuh,slack
SIEM_QUEUE=true
SIEM_GEOIP=true
SIEM_SLACK_MIN_SEVERITY=high
// bootstrap/app.php (Laravel 11+)
->withMiddleware(function (Middleware $middleware) {
    // Enforce the blocklist before anything else runs.
    $middleware->prepend(\Inqaba\Gatekeeper\Http\Middleware\BlockDeniedIps::class);

    $middleware->web(append: [
        \Inqaba\Gatekeeper\Http\Middleware\DetectEndpointAbuse::class,
        \Inqaba\Gatekeeper\Http\Middleware\ScanRequestThreats::class,
    ]);
})

Then protect your sensitive routes:

Route::post('/register', ...)->middleware('siem.honeypot');
Route::get('/photos/{photo}', ...)->middleware('siem.enum');