Real-time Big Data Cyber Crime Log Processing Pipeline
End-to-end integration of Apache Kafka Β· Apache Spark Β· Hadoop HDFS Β· Apache Hive Β· React Dashboard
| Dashboard & Pipeline Activity | Pipeline Status β Live Logs |
|---|---|
![]() |
![]() |
| Analytics & Hadoop Storage | NLP Query, Region & Trend Analysis |
|---|---|
![]() |
![]() |
The Digital Crime Control Room is a full-stack Big Data analytics platform that ingests cyber security event logs and processes them in real time through an enterprise-grade data pipeline. It provides live visibility into cyber threats including failed login attempts, suspicious IP detection, region-wise attack distribution, and daily attack trends β all surfaced through an interactive React dashboard.
CSV Upload β Kafka Ingestion β Spark Processing β HDFS Storage β Hive Queries β Analytics Dashboard
| Layer | Technology |
|---|---|
| Frontend | React + Vite |
| Backend | Python Flask |
| Message Queue | Apache Kafka |
| Stream Processing | Apache Spark Structured Streaming |
| Storage | Hadoop HDFS (Parquet format) |
| Query Layer | Apache Hive |
| Analytics & Visualization | Python (matplotlib, seaborn, plotly) |
| Orchestration | Docker Compose (10 services) |
digital_crime_control_room/
βββ frontend/ # React Vite dashboard (port 5173)
β βββ Dockerfile
β βββ package.json
β βββ vite.config.js
β βββ src/
β βββ App.jsx # Main dashboard component
β βββ main.jsx
β βββ styles.css
β βββ components/
β βββ DataTable.jsx # Results table component
β
βββ backend/ # Flask API server (port 5000)
β βββ Dockerfile
β βββ app.py # Flask app + pipeline orchestration
β βββ kafka_producer.py # CSV to Kafka publisher
β βββ kafka_consumer.py # Kafka consumer (reference)
β βββ hive_client.py # Hive query executor
β βββ requirements.txt
β βββ uploads/ # Uploaded CSV storage
β βββ results/ # Processed results cache
β
βββ spark/
β βββ spark_streaming.py # Kafka β HDFS Structured Streaming job
β βββ submit_stream.sh
β
βββ analytics/
β βββ analysis.py # Data cleaning + aggregation
β βββ plots.py # Chart generation (matplotlib/seaborn)
β
βββ hive/
β βββ schema.sql # External table definition
β βββ queries.sql # 4 analytics queries
β
βββ hdfs/
β βββ init_hdfs.sh
β
βββ sample_data/
β βββ cyber_logs_sample.csv # Test dataset (163 records)
β
βββ docker-compose.yml # Full stack orchestration
βββ validate_env.py # Pre-flight environment check
βββ test_deployment.py # Post-deployment verification
βββ README.md
ββββββββββββ βββββββββ ββββββββββββββββββ ββββββββ ββββββββ βββββββββββββ
β CSV βββββΆβ Kafka βββββΆβ Spark StreamingβββββΆβ HDFS βββββΆβ Hive βββββΆβ Dashboard β
β Upload β β Topic β β (Validation) β βParquetβ βQueriesβ β Analytics β
ββββββββββββ βββββββββ ββββββββββββββββββ ββββββββ ββββββββ βββββββββββββ
- Frontend Upload β User drags & drops a CSV file onto the React dashboard
- Kafka Ingestion β Backend converts CSV rows to JSON and publishes to the
cyber_logstopic - Spark Processing β Spark Structured Streaming validates and cleans records:
- Filters null/empty
user_idand rejects"unknown"users - Validates ISO 8601 timestamps β
event_ts - Enforces
statusas"success"or"failure"only - Adds
event_datepartition column
- Filters null/empty
- HDFS Storage β Clean records written as Parquet, partitioned by
event_date - Hive Query Layer β External table created on HDFS; partitions auto-registered via
MSCK REPAIR - Analytics β 4 Hive queries run; charts and tables generated and returned to frontend
- Dashboard β Real-time polling every 2 seconds; displays charts, tables, and high-risk alerts
- Drag-and-drop CSV upload interface
- Real-time pipeline status visualization
- Event timeline (7 stages)
- 3 interactive charts (bar, line, pie)
- 5 analytics result tables
- Auto-polling every 2 seconds + responsive styling
-
/uploadβ CSV ingestion + Kafka publishing -
/processβ Pipeline orchestration (async) -
/statusβ Real-time status updates -
/resultsβ Analytics delivery - Hive integration via
hive_client.py - Thread-safe state management + comprehensive error handling
- Zookeeper coordination + health checks
- Auto topic creation for
cyber_logs - External access on port 29092
- Spark Master + Worker nodes
- Kafka β Parquet Structured Streaming
- Data validation (schema, nulls, unknown users, timestamps, status)
- Date-based automatic partitioning + checkpoint management
- NameNode + DataNode
- Auto-directory creation with partition hierarchy
- Parquet format; NameNode UI on port 9870
- Metastore (PostgreSQL backend) + HiveServer2
- External table on HDFS data
- 4 pre-built analytics queries
- Partition registration via MSCK REPAIR TABLE
- Bar chart: Failed logins per user
- Line chart: Daily attack trends
- Pie/donut chart: Attack type / severity distribution
- Severity classification: low / medium / high
- High-severity alert table (top 25 rows)
- All charts returned as base64 PNG
- Docker & Docker Compose installed
- 4 GB+ free RAM (Spark, Hadoop, Kafka)
- Git (repo already cloned)
python3 validate_env.pyChecks Docker installation, file structure, port availability, and system resources.
cd digital_crime_control_room
docker compose up --buildβ±οΈ First run: 2β3 minutes (building images)
β±οΈ Subsequent runs: 30β60 seconds (images cached)
# Frontend dashboard
curl http://localhost:5173
# Backend health check
curl http://localhost:5000/status
# Kafka β list topics
docker exec kafka kafka-topics --bootstrap-server kafka:9092 --list
# HDFS NameNode UI
open http://localhost:9870
# Spark Master UI
open http://localhost:8080
# Hive Server logs
docker logs hive-server | tail -20- Open http://localhost:5173 in your browser
- Drag & drop
sample_data/cyber_logs_sample.csv(or click Choose File) - Click Upload β watch Kafka publishing event in the timeline
- Click Process Pipeline β watch all 7 stages complete in order
- View live charts, analytics tables, and high-risk alerts
python3 test_deployment.py| Stage | What You'll See | Time |
|---|---|---|
| Upload | "163 records sent to Kafka" | ~3 sec |
| Kafka | Publishing queued in background | ~2 sec |
| Spark | Validation and cleaning rules applied | ~10 sec |
| HDFS | Partitioned Parquet written to /cyber_logs/ |
included |
| Hive | 4 analytics queries executed | ~8 sec |
| Analytics | Charts and tables generated | ~2 sec |
| Total | Pipeline completed | ~30 sec |
Record counts: Uploaded = 163 Β· Processed β 142β150 Β· Dropped β 13β21
CREATE DATABASE IF NOT EXISTS cyber_security;
CREATE EXTERNAL TABLE IF NOT EXISTS cyber_logs (
user_id STRING,
activity_type STRING,
timestamp STRING,
ip_address STRING,
status STRING,
event_ts TIMESTAMP
)
PARTITIONED BY (event_date DATE)
STORED AS PARQUET
LOCATION 'hdfs://namenode:9000/cyber_logs';
MSCK REPAIR TABLE cyber_logs;1. Failed Login Attempts Per User
SELECT user_id, COUNT(*) AS failed_attempts
FROM cyber_security.cyber_logs
WHERE status = 'failure'
GROUP BY user_id ORDER BY failed_attempts DESC;2. Suspicious IP Detection
SELECT ip_address, COUNT(*) AS failure_count
FROM cyber_security.cyber_logs
WHERE status = 'failure'
GROUP BY ip_address HAVING failure_count >= 2
ORDER BY failure_count DESC;3. Region-Wise Attack Count
SELECT
CASE
WHEN ip_address LIKE '10.%' THEN 'North America'
WHEN ip_address LIKE '172.%' THEN 'Europe'
WHEN ip_address LIKE '192.168.%' THEN 'Asia'
ELSE 'Other'
END AS region,
COUNT(*) AS attack_count
FROM cyber_security.cyber_logs
GROUP BY region ORDER BY attack_count DESC;4. Daily Attack Trends
SELECT event_date, COUNT(*) AS attack_count
FROM cyber_security.cyber_logs
GROUP BY event_date ORDER BY event_date;# Rule 1 β User ID: non-null, non-empty, NOT "unknown"
# Rule 2 β Activity: non-null
# Rule 3 β Timestamp: valid ISO 8601, parseable β event_ts
# Rule 4 β IP Address: non-null
# Rule 5 β Status: exactly "success" or "failure"
# Transformations added by Spark
event_ts = to_timestamp(timestamp)
event_date = to_date(event_ts)
# Output
# Format: Parquet
# Path: hdfs://namenode:9000/cyber_logs/event_date=YYYY-MM-DD/
# Checkpoint: hdfs://namenode:9000/cyber_logs_checkpoint| Method | Endpoint | Description |
|---|---|---|
POST |
/upload |
Upload CSV and publish to Kafka |
POST |
/process |
Trigger full pipeline (async) |
GET |
/status |
Real-time pipeline status + event timeline |
GET |
/results |
Analytics tables + base64 chart images |
# Upload CSV
curl -X POST -F "file=@sample_data/cyber_logs_sample.csv" http://localhost:5000/upload
# Trigger processing
curl -X POST http://localhost:5000/process
# Poll status
curl http://localhost:5000/status | jq .
# Get results
curl http://localhost:5000/results | jq .results.tables{
"status": "completed",
"records_uploaded": 163,
"records_processed": 150,
"records_dropped": 13,
"events": [
{"time": "22:12:01", "step": "Kafka", "message": "Kafka publishing queued in background."},
{"time": "22:12:02", "step": "Spark", "message": "Starting validation and cleaning rules on streamed logs."},
{"time": "22:12:20", "step": "Hive", "message": "Preparing Hive external table on HDFS data."},
{"time": "22:12:22", "step": "Analytics", "message": "Generated charts, suspicious activity alerts, and KPI tables."}
]
}sample_data/cyber_logs_sample.csv β 163 records:
user_id,activity_type,timestamp,ip_address,status
alice,login_attempt,2026-04-01T09:00:00Z,10.10.1.10,failure
bob,phishing_click,2026-04-01T11:22:00Z,172.16.2.4,failure
diana,hacking_attempt,2026-04-02T03:15:00Z,203.0.113.45,failure
unknown,login_attempt,2026-04-02T06:00:00Z,10.10.1.15,failureContains: repeated IPs for suspicious detection Β· mixed activity types Β· "unknown" entries (filtered by Spark) Β· both success & failure statuses Β· real attack scenario patterns.
The complete dataset can be downloaded from [https://drive.google.com/drive/folders/1ghUgOM6Sz9Y5HP9vi60ip2JfVF-NolU1?usp=share_link]
| Issue | Fix |
|---|---|
| Frontend won't load | docker logs backend β docker compose restart backend |
| Kafka topic not found | docker exec kafka kafka-topics --bootstrap-server kafka:9092 --create --topic cyber_logs --partitions 1 --replication-factor 1 |
| Spark not processing | docker logs spark Β· docker logs spark | grep -i kafka |
| Hive table empty | docker exec hive-server beeline -u jdbc:hive2://localhost:10000/default -n hive -e "MSCK REPAIR TABLE cyber_security.cyber_logs;" |
| HDFS path missing | docker exec namenode hdfs dfs -mkdir /cyber_logs && hdfs dfs -chmod 777 /cyber_logs |
| Port conflict | Edit port mappings in docker-compose.yml and rebuild |
docker compose down # Stop (keep volumes)
docker compose down -v # Stop and remove all data
docker compose stop # Pause containersHDFS Replication β Increase to 3x in hdfs-site.xml for fault tolerance:
<property>
<name>dfs.replication</name>
<value>3</value>
</property>Spark Scaling β Add extra workers in docker-compose.yml:
spark-worker-2:
image: apache/spark:3.5.1
environment:
SPARK_MASTER_URL: spark://spark-master:7077Hive Sub-Partitioning β For high-volume data:
PARTITIONED BY (event_date DATE, hour INT)Monitoring β Kafka UI (CMAK) Β· Spark UI localhost:8080 Β· HDFS NameNode UI localhost:9870
- Frontend dashboard loads at
http://localhost:5173 - CSV upload succeeds (163 records)
- Kafka topic
cyber_logsreceives all records - Timeline shows all 7 pipeline stages in order
- Record counts display correctly (uploaded β processed β by design)
- 3 charts render with data (bar, line, pie)
- 5 analytics tables populate
- High-severity alerts identified and highlighted
- No critical errors in
docker logs - Total pipeline time β 30 seconds
This project demonstrates:
- Big Data Ingestion β Kafka producer/consumer pattern at scale
- Stream Processing β Spark Structured Streaming with real-time validation
- Distributed Storage β HDFS partitioning and Parquet format efficiency
- SQL Analytics β Hive external tables on distributed file systems
- Full-Stack Integration β React polling a live REST API
- Docker Orchestration β 10-service multi-container coordination
- Data Validation β Filter rules enforced in the streaming layer
- Visualization β Converting raw logs into actionable security insights
| Name | Roll Number |
|---|---|
| Varad Solanke | 24BDS079 |
| Kaivalya Puranik | 24BDS060 |
| Advait Subhedar | 24BDS081 |
| Parth Enkia | 24BDS053 |
| Akash Purbhi | 24BDS061 |
MIT License.



