Installation
Install the package#
If the package is published to a Composer repository:
composer require inqaba-security/gatekeeper
Service provider & facade#
Both are auto-discovered. The Siem facade and all middleware aliases (siem.block, siem.abuse, siem.scan, siem.enum, siem.honeypot) are registered automatically, and honeypot routes register themselves from config.
Publish the configuration#
php artisan vendor:publish --tag=siem-config
This copies the package config to config/siem.php. Most settings are driven by environment variables, so day-to-day tuning happens in .env — publishing matters mainly for list-based settings like honeypot paths, redaction keys and detection thresholds.
To customize the honeypot Blade component, publish the views as well:
php artisan vendor:publish --tag=siem-views
Choose your destinations#
SIEM_SINKS=sentinel,wazuh,slack
SIEM_QUEUE=true
Available sinks: sentinel, wazuh, syslog, slack, teams, log, null. Events are shipped to every active sink (subject to each sink's severity floor).
Run a queue worker#
With SIEM_QUEUE=true (recommended), events ship on the siem queue:
php artisan queue:work --queue=siem
In production, supervise this like any other worker (Supervisor, Horizon, etc.). Setting SIEM_QUEUE=false ships synchronously in the request — acceptable for the log and wazuh (file) sinks, not recommended for network sinks.
Verify connectivity#
php artisan siem:test # sends a test event to every active sink
php artisan siem:test --sink=sentinel # test a single sink
Each sink reports success or the exact failure reason:
✔ [sentinel] event delivered
✘ [wazuh] Unable to create Wazuh log directory [/var/log/gatekeeper].
Recommended baseline setup#
A sensible production starting point:
SIEM_ENABLED=true
SIEM_SINKS=sentinel,wazuh,slack
SIEM_QUEUE=true
SIEM_GEOIP=true
SIEM_SLACK_MIN_SEVERITY=high
// bootstrap/app.php (Laravel 11+)
->withMiddleware(function (Middleware $middleware) {
// Enforce the blocklist before anything else runs.
$middleware->prepend(\Inqaba\Gatekeeper\Http\Middleware\BlockDeniedIps::class);
$middleware->web(append: [
\Inqaba\Gatekeeper\Http\Middleware\DetectEndpointAbuse::class,
\Inqaba\Gatekeeper\Http\Middleware\ScanRequestThreats::class,
]);
})
Then protect your sensitive routes:
Route::post('/register', ...)->middleware('siem.honeypot');
Route::get('/photos/{photo}', ...)->middleware('siem.enum');