Unify security events, metrics and threat signals in one validated pipeline.
AI generates deterministic connectors for any system — Wazuh, SIEMs, firewalls,
APIs — with zero-trust ingest and full audit trail.
Zero-trust ingest. Zod-validated. Rate-limited. Open Source.
Built for SOC teams, MSSPs and security engineers who need unified visibility without stitching together five different tools.
Unified metrics, events, alerts and correlations — all in one real-time dashboard. No Grafana, no Kibana, no context switching.
No custom scripts. No ETL complexity. Just deterministic connectors powered by Orbit Core.
Describe any HTTP API in plain text — the AI produces a ready-to-deploy connector_spec, Python agent_script and README in seconds. Register, approve, data flows. Works for Zabbix, Datadog, CloudWatch, PagerDuty — anything with an HTTP API.
Store timeseries metrics and security events in one canonical core. Query everything through a stable API.
Background worker links metric anomalies (z-score + relative change) to concurrent security events automatically.
Threshold and absence rules evaluated every 60 s. Auto-resolve on recovery. Full notification history.
Built-in OTLP/HTTP receiver for traces, metrics and logs. Point any OTel SDK at /otlp/v1/*.
Self-contained docker compose up -d. Migrations run automatically. No runtime dependencies on the host.
Automatic Postgres rollups. Auto-bucket + Top-N prevent cardinality explosion. Query engine picks the right source table.
Operational flows are no-AI. Fingerprint deduplication, bounded batches, state files. Zero surprises in production.
Built-in System Tab: CPU, memory, disk usage (GB + color bar), network I/O, PostgreSQL stats (cache hit %, connections, reads/writes per second).
Full UI translation in English, Portuguese and Spanish with a one-click language switcher. Mobile-responsive across all tabs.
Describe what you need in plain text — Claude builds the DashboardSpec from your real catalog. Timeseries, KPIs, event feeds and gauges — validated server-side before applying.
Ed25519 JWT license with 7-day grace period. Inline activation banner, Licensed badge, and full management in Admin tab. Free forever — register in 10 seconds.
10 pre-built templates for Nagios, Wazuh, Fortigate, n8n, OpenTelemetry, Zabbix and more. One-click import or download as a plugin bundle (connector_spec.json + README).
Built-in engine system for zero-config pull connectors. The n8n engine runs natively — cursor-based pagination, error and stuck-workflow detection. No Python, no cron.
Every layer of Orbit Core is designed with security-first principles. No shortcuts, no implicit trust.
Zod schema validation on all ingest, alert and connector payloads. Malformed input is rejected before it touches the database. No raw SQL, no injection vectors.
Every non-health endpoint requires X-Api-Key. Keys live in environment variables, never baked into built assets or exposed to the browser.
300 req/min per API key or IP with full IPv6 support. Connection pooling with idle, connection and statement timeouts. X-Request-ID on every request.
AI-generated connectors require explicit human approval before activation. Dry-run test endpoint validates mapping without touching production data.
Events use ON CONFLICT (fingerprint) DO UPDATE. Connectors can re-ship safely without duplicates. Integrity enforced at database level.
Every alert transition, connector run and API mutation is logged with timestamps. Notification history, run history and correlation logs are queryable via API.
Connectors ship deterministic batches. The API validates, stores and serves queries. Four background workers run continuously.
Ingest alerts from Wazuh, Fortigate syslogs and custom threat feeds into a single timeline. Correlate anomalies with infrastructure metrics. Alert via Telegram in real time.
Ship perfdata as timeseries and HARD state changes as events. Get rollups, retention and dashboards without leaving Postgres.
Track execution errors, stuck runs and SLA breaches. Connector polls n8n REST API on cron. Full deduplication and event history.
Register any HTTP API as a pull or push connector with a JSON mapping. Dry-run test, approval flow, run history. Zero custom code.
Different tools for different problems. Orbit Core fills the gap between raw signals and actionable telemetry.
| Capability | Grafana / Prometheus | Splunk / Elastic | Orbit Core |
|---|---|---|---|
| Infrastructure metrics | ★★★★★ | ★★★☆☆ | ★★★☆☆ |
| Security event handling | ★★☆☆☆ | ★★★★★ | ★★★★☆ |
| Cross-domain correlation | ★☆☆☆☆ | ★★☆☆☆ | ★★★☆☆ |
| Event normalization (built-in) | ☆☆☆☆☆ | ★★☆☆☆ | ★★★★☆ |
| AI-assisted connector creation | ☆☆☆☆☆ | ☆☆☆☆☆ | ★★★★☆ |
| Open source core | ★★★★★ | ★☆☆☆☆ | ★★★★★ |
| Time to first integration | Hours | Days–Weeks | Minutes |
Orbit Core doesn't replace your monitoring or SIEM — it makes them work together.
# 1. Clone
git clone https://github.com/rmfaria/orbit-core
cd orbit-core
# 2. Configure
cp .env.example .env
# 3. Build & start (postgres → migrations → api → ui)
docker compose build && docker compose up -d
# 4. Verify
curl http://localhost/orbit-core/api/v1/health
# → {"ok":true,"db":"ok","workers":["rollup","correlate","alerts","connectors"]}Perfdata as metrics, HARD state changes as events. Cron pollers with byte-offset state.
Alerts from alerts.json or OpenSearch. Rule level → severity mapping.
Execution errors and stuck workflows. Built-in engine with cursor-based pagination and auto state tracking.
OTLP/HTTP receiver for traces, metrics and logs. Any OTel SDK, no Collector.
Syslog to Wazuh. Events surfaced as kind=fortigate.
CPU, memory and disk metrics every 2 min via orbit-agent.py. Push to /ingest/raw/macos.
Describe in plain text → AI generates spec + script + README. Register, approve, done.
Built-in engine — zero external scripts, zero cron jobs
The n8n engine runs inside the API server as a native pull-mode connector. It polls the n8n REST API every minute with cursor-based pagination, tracking its position between runs.
# 1. Register the connector
curl -X POST /api/v1/connectors \
-d '{
"id": "n8n-events",
"source_id": "n8n-events",
"mode": "pull",
"type": "event",
"engine": "n8n",
"pull_interval_min": 1,
"auth": {
"kind": "header",
"name": "X-N8N-API-KEY",
"value": "<your-key>"
},
"spec": {
"n8n_url": "https://n8n.example.com",
"stuck_after_minutes": 30
}
}'
# 2. Approve it
curl -X POST /api/v1/connectors/n8n-events/approve| Feature | Shipped | Next | Autoscale — Medium Term | Autoscale — >500k EPS |
|---|---|---|---|---|
| Hybrid License System (Ed25519 JWT) | v1.6 | |||
| Connector Templates + Download Plugin | v1.6 | |||
| Engine Dispatch (n8n built-in) | v1.6 | |||
| TimeRangePicker + System monitoring | v1.5 | |||
| PostgreSQL I/O & disk stats | v1.5 | |||
| AI Plugin Generator | v1.4 | |||
| Spanish locale + mobile UI | v1.4 | |||
| macOS LaunchAgent connector | v1.4 | |||
| OpenTelemetry OTLP receiver | v1.4 | |||
| AI Connector Framework | v1.3 | |||
| Alerting (webhook + Telegram) | ✓ | |||
| Auto-correlation engine | ✓ | |||
| Docker standalone deploy | ✓ | |||
| AI-assisted dashboards | ✓ | |||
| Scheduled reports (email / webhook) | • | |||
| More connectors & sources | • | |||
| Improved correlation + explainability | • | |||
| SSO / OIDC authentication | • | |||
| Retention / rollup config via admin UI | • | |||
| Multi-tenancy + RBAC | • | |||
| TimescaleDB hypertables for metric_points | • | |||
| Workers separated from ingest process | • | |||
| Redis Streams ingest buffer | • | |||
| Read replica for queries | • | |||
| Kafka ingest pipeline | • | |||
| ClickHouse / TimescaleDB Distributed | • |
Get started in minutes. Open source, self-hosted, no vendor lock-in.