Air-gapped networks, also known as isolated networks, are commonly deployed in highly sensitive environments such as defense infrastructures, industrial control systems, research laboratories, and government facilities where external connectivity is intentionally restricted to reduce exposure to cyber threats. While such isolation strengthens security boundaries, it also creates significant challenges for continuous monitoring, because most modern Security Information and Event Management (SIEM) platforms depend on a centralized infrastructure and internet connectivity. As a result, organizations operating in isolated environments often rely on manual log inspection or fragmented monitoring mechanisms, which reduces visibility into system activity and increases the possibility of undetected attacks.
This paper presents PORTSOC, a portable offline log analysis and security monitoring system designed specifically for air-gapped environments. The proposed system collects logs from multiple endpoints using a Syslog-based ingestion mechanism and converts heterogeneous log formats into structured records through parsing and normalization. These events are stored locally in a lightweight SQLite database and analyzed using a rule-based detection engine capable of identifying common adversarial behaviors such as brute-force authentication attempts, credential misuse, suspicious privileged command execution, and security control tampering. Detected events are mapped to MITRE ATT&CK techniques to provide standardized threat classification and improved contextual understanding of security incidents. Experimental evaluation conducted in a controlled environment demonstrates that the system can efficiently process large volumes of log data while maintaining low resource consumption. The results indicate that PORTSOC provides a practical and deployable solution for implementing SOC-style monitoring capabilities in isolated environments where traditional SIEM systems cannot be deployed.
Introduction
System log analysis is becoming increasingly important for cybersecurity as cyberattacks on organizations grow in number. Logs from systems and networks contain critical evidence of malicious activity, and continuous monitoring is essential for detecting threats early. While traditional Security Information and Event Management (SIEM) systems such as Splunk and Elastic Security are effective in enterprise environments, they depend heavily on centralized infrastructure and internet connectivity, making them unsuitable for air-gapped or isolated networks.
Air-gapped environments (used in defense, industrial control systems, and government facilities) improve security by disconnecting from external networks but make real-time monitoring difficult. In such settings, security teams often rely on manual log analysis, which is slow and error-prone, increasing the risk of missed attacks.
To solve this, the proposed system PORTSOC is introduced as a lightweight, portable, and fully offline log monitoring solution. It collects logs using Syslog, normalizes them into structured data, stores them locally using SQLite, and applies rule-based detection to identify threats such as brute-force attacks and suspicious activities. It also maps events to the MITRE ATT&CK framework for better threat understanding and provides correlation, offline intelligence enrichment, and dashboard visualization.
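The ingestion, normalization, SQLite storage, rule-based detection and ATT&CK mapping pipeline described in the abstract and introduction, as an added illustration that is not PORTSOC's own code. It assumes BSD-style syslog lines (which carry no year, so one is supplied), a failure threshold and time window chosen here for the example, and a constructed list of commands treated as security-control tampering; the sample log lines are made up.

```python
import re
import sqlite3
from datetime import datetime, timedelta
# Constructed RFC 3164-style syslog lines standing in for an ingested stream (hosts, users, addresses made up).
SAMPLE_LOGS = [
    "Jan 12 10:15:01 web01 sshd[1234]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Jan 12 10:15:03 web01 sshd[1235]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "Jan 12 10:15:04 web01 sshd[1236]: Failed password for admin from 10.0.0.5 port 51004 ssh2",
    "Jan 12 10:15:06 web01 sshd[1237]: Failed password for admin from 10.0.0.5 port 51006 ssh2",
    "Jan 12 10:20:00 db01 sudo: ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/systemctl stop auditd",
    "Jan 12 10:21:00 db01 sshd[2001]: Failed password for ops from 10.0.0.9 port 40000 ssh2",
]
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<app>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
# Privileged commands that stop or disable host security controls (constructed, illustrative list).
TAMPER_RE = re.compile(r"COMMAND=\S*(?:systemctl|service) (?:stop|disable) (?:auditd|rsyslog|ufw|firewalld)")

def normalize(line, year=2025):
    """Parse one syslog line into a flat event dict; None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat()
    a = AUTH_RE.match(m["msg"])  # enrich sshd auth messages with outcome/user/source
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"],
            "outcome": a.group(1).lower() if a else None,
            "user": a.group(2) if a else None, "src_ip": a.group(3) if a else None}

def load(lines):
    # Normalize every line and store the records in an in-memory SQLite events table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events(ts, host, app, user, src_ip, outcome, msg)")
    db.executemany("INSERT INTO events VALUES(:ts,:host,:app,:user,:src_ip,:outcome,:msg)",
                   [e for e in map(normalize, lines) if e])
    return db

def detect(db, threshold=4, window=timedelta(seconds=60)):
    alerts = []
    # Rule 1 (T1110 Brute Force): >= threshold failed logins from one source inside the window.
    for host, ip in db.execute("SELECT DISTINCT host, src_ip FROM events WHERE outcome='failed'"):
        times = [datetime.fromisoformat(r[0]) for r in db.execute(
            "SELECT ts FROM events WHERE host=? AND src_ip=? AND outcome='failed' ORDER BY ts", (host, ip))]
        if any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1)):
            alerts.append({"rule": "ssh_bruteforce", "attack": "T1110", "host": host, "src_ip": ip})
    # Rule 2 (T1562.001 Impair Defenses: Disable or Modify Tools): sudo stopping a security service.
    for host, msg in db.execute("SELECT host, msg FROM events WHERE app='sudo'"):
        if TAMPER_RE.search(msg):
            alerts.append({"rule": "security_control_tamper", "attack": "T1562.001", "host": host})
    return alerts
```

Running `detect(load(SAMPLE_LOGS))` raises one brute-force alert for 10.0.0.5 against web01 and one tampering alert for db01, while the single failure from 10.0.0.9 stays below the threshold.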
Conclusion
This paper presented PORTSOC, a portable offline log analysis and security monitoring system designed specifically for air-gapped and isolated network environments where conventional cloud-based SIEM solutions cannot be deployed due to connectivity and security restrictions. The proposed system demonstrates that essential SOC-level monitoring capabilities can be effectively implemented in a lightweight and fully offline architecture without dependence on centralized infrastructure or external threat intelligence services.
By utilizing Syslog-based log ingestion, PORTSOC enables the collection of real-time security logs from multiple endpoints and servers within an isolated network. The incorporation of a structured parsing and normalization layer allows heterogeneous and unstructured logs to be transformed into consistent event records, which are then stored locally using a portable SQLite database. The rule-based detection engine implemented in the system successfully identifies common adversarial behaviours such as repeated authentication failures, brute-force attempts, credential misuse, and suspicious privilege escalation activities.
Furthermore, mapping detected security events to MITRE ATT&CK techniques provides standardized threat classification and improves the contextual understanding of adversary behaviour even in offline environments. The integration of offline threat intelligence enrichment and incident correlation mechanisms enhances detection confidence while minimizing alert fragmentation.
PORTSOC also incorporates an offline dashboard for alert visualization and automated report generation to support audit documentation and forensic analysis. Additionally, the implementation of a chained hash-based integrity verification mechanism strengthens the evidentiary reliability of collected logs by enabling tamper detection in the absence of centralized logging infrastructure. Experimental evaluation in a controlled lab setup indicates that the system can efficiently process large volumes of log data while maintaining low resource utilization, making it suitable for deployment in constrained environments such as critical infrastructure networks, defence systems, and regulated industrial environments.
In conclusion, the proposed system addresses a significant gap in cybersecurity monitoring for isolated networks by providing a practical, portable, and offline-first solution capable of delivering meaningful threat visibility without enterprise-scale SIEM complexity.
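The chained hash-based integrity verification mentioned in the conclusion, as an added example rather than the paper's implementation. It assumes SHA-256 over a canonical JSON serialization of each stored event and a fixed all-zero genesis value; both are choices made for this illustration, and the events are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first link in the chain (constructed convention)

def canonical(event):
    """Deterministic serialization so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash, event):
    """Hash of one link: commits to the previous link's hash and to the event itself."""
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()

def build_chain(events):
    """Return records of (event, hash); each hash transitively covers every earlier record."""
    chain, prev = [], GENESIS
    for ev in events:
        h = link_hash(prev, ev)
        chain.append({"event": ev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Recompute every link in order; return (True, None) or (False, index of first bad link).
    Editing, reordering or deleting a stored record breaks the recomputation at that position
    (or the one right after it), so the check localizes where the evidence was altered."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if link_hash(prev, rec["event"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed events as they would sit in the local store after normalization.
EVENTS = [
    {"ts": "2025-01-12T10:15:01", "host": "web01", "app": "sshd", "msg": "Failed password for root from 10.0.0.5"},
    {"ts": "2025-01-12T10:15:03", "host": "web01", "app": "sshd", "msg": "Failed password for root from 10.0.0.5"},
    {"ts": "2025-01-12T10:20:00", "host": "db01", "app": "sudo", "msg": "COMMAND=/bin/systemctl stop auditd"},
]

def tamper_demo():
    """Rewrite one stored event after the chain was built and report where verification fails."""
    chain = build_chain(copy.deepcopy(EVENTS))
    chain[1]["event"]["msg"] = "Accepted password for root from 10.0.0.5"  # post-hoc edit
    return verify_chain(chain)
```

The chain alone cannot detect truncation of the newest records, so the final hash must be kept somewhere the log writer cannot silently rewrite, for example on the portable media carried off the network or in a signed report.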