winauthmon-server

A login monitoring system built with Flask that tracks user authentication events across Windows domains. Features multi-tenancy support. Windows monitoring agent: https://github.com/ghostersk/winauthmon-agent

Architecture

Core Components

winauthmon-agent/
├── app.py                    # Main Flask application with Uvicorn ASGI server
├── extensions.py             # Flask extensions and configuration
├── config.ini               # Configuration file with multiple database support
├── requirements.txt          # Python dependencies
└── run.sh                   # Application startup script

├── auth/                   # Authentication & Authorization Module
│   ├── models.py           # User, Company, ApiKey, Settings models
│   ├── routes.py           # Auth routes (login, register, MFA, admin)
│   └── forms.py            # WTForms for validation

├── api/                     # REST API Module
│   ├── models.py           # Log, ErrorLog models
│   └── routes.py           # API endpoints (/log_event, /health)

├── frontend/                # Web Interface Module
│   ├── routes.py           # Dashboard, reports, home routes
│   └── models.py           # Frontend-specific models

├── utils/                   # Utility Modules
│   ├── security_headers.py  # Security headers middleware
│   ├── rate_limiter.py     # Rate limiting with Redis support
│   └── health_check.py     # System health monitoring

├── templates/              # Jinja2 Templates
│   ├── base.html          # Base template with dark theme
│   ├── auth/              # Authentication templates
│   └── frontend/          # Dashboard and report templates

├── static/                 # Static Assets
│   ├── css/               # Bootstrap 5, DataTables, custom CSS
│   ├── js/                # jQuery, DataTables, charts, custom JS
│   └── img/               # Icons and images

├── windows_agent/          # Windows Client
│   └── winagentUSM.exe    # Compiled Windows monitoring agent
         (compiled or downloaded from: https://github.com/ghostersk/winauthmon-agent)                            
└── instance/              # Instance-specific files
    ├── database.db        # SQLite database (default)
    └── certs/            # SSL certificates

🔧 Technology Stack

Backend Framework

Flask: Web framework with blueprint architecture
Uvicorn: ASGI server for production deployment
SQLAlchemy: ORM with support for SQLite, PostgreSQL, MySQL, MSSQL
Flask-Login: Session management and authentication
Flask-WTF: Form handling and CSRF protection

Security & Authentication

Bcrypt: Password hashing
PyOTP: Time-based One-Time Password (TOTP) for MFA
JWT: Optional token-based authentication
CSRF Protection: Built-in token validation
Security Headers: CSP, HSTS, X-Frame-Options
Rate Limiting: IP-based with Redis backend support

Frontend

Bootstrap 5: Responsive UI framework with dark theme
DataTables: Advanced table features with export capabilities
Chart.js: Data visualization for reports
Moment.js: Date/time handling
DateRangePicker: Advanced date selection

Database Support

SQLite: Default (file-based)
PostgreSQL: Production recommended
MySQL/MariaDB: Enterprise support
Microsoft SQL Server: Corporate environments

Deployment

Docker: Containerization ready
Traefik: Reverse proxy with SSL termination
systemd: Linux service integration
SSL/TLS: Built-in HTTPS support

Key Features

Multi-Tenancy

Company Isolation: Complete data separation between organizations
Role-Based Access Control: GlobalAdmin, Admin, CompanyAdmin, User roles
API Key Management: Per-company API keys with usage tracking
User Assignment: Users can belong to multiple companies

Authentication & Security

Multi-Factor Authentication (MFA): TOTP with QR code setup
Flexible MFA Policies: Global enforcement with per-user overrides
Password Policies: Configurable strength requirements
Session Security: Secure cookies, HTTPS enforcement
Rate Limiting: Brute force protection

Monitoring & Logging

Real-time Event Tracking: Login, logout, lock events
Windows Agent Integration: Automated event collection
API Health Monitoring: Database connectivity checks
Error Logging: Structured application error tracking
Audit Trail: Complete user action logging

Dashboard & Reporting

Interactive Dashboard: Real-time login event monitoring
Column Visibility Controls: Customizable table views with localStorage persistence
Time Spent Reports: User session duration analysis
Export Capabilities: CSV, Excel, PDF export
Date Range Filtering: Flexible time period selection

API Capabilities

RESTful API: JSON-based event logging
API Key Authentication: Secure programmatic access
Health Check Endpoint: System status monitoring
Timestamp Flexibility: Multiple format support

Core Tables

-- Authentication
app_auth_users              # User accounts with MFA
app_auth_companies          # Company/organization entities
app_auth_user_companies     # Many-to-many user-company relationships
app_auth_api_keys          # API keys with company association
app_auth_settings          # Global application settings

-- Logging
api_logs                   # Login/logout event records
api_error_logs            # Application error tracking

Key Relationships

Users ↔ Companies (Many-to-Many via UserCompany)
Companies → API Keys (One-to-Many)
API Keys → Logs (One-to-Many)
Users → API Keys (One-to-Many)

Authentication Security

Bcrypt password hashing with configurable rounds
TOTP-based MFA
Session timeout and secure cookie settings
CSRF protection on all forms
Password strength validation

Network Security

HTTPS enforcement with HSTS
Security headers (CSP, X-Frame-Options, etc.)
Proxy support for Traefik/nginx
IP-based rate limiting
Trusted proxy configuration

Application Security

SQL injection prevention via ORM
XSS protection with template escaping
Input validation and sanitization
Error handling without information disclosure

Dashboard Features

Real-time login event display
Advanced filtering and search
Column visibility customization
Export functionality (CSV, Excel, Print)
Responsive design for mobile devices

Reporting Capabilities

Time spent analysis per user
Login frequency reports
Failed authentication tracking
Company-specific analytics

System Monitoring

Database connectivity health checks

🛠️ Configuration

Environment Variables

# Security
SECRET_KEY=your-secret-key-here
SESSION_COOKIE_SECURE=true

# Database
DATABASE_URL=sqlite:///database.db
# or: postgresql://user:pass@host:port/db
# or: mysql+pymysql://user:pass@host:port/db

# Application
APP_DEBUG=false
TIMEZONE=Europe/London

# Server
HOST=0.0.0.0
PORT=8000
SSL_CERTFILE=certs/cert.pem
SSL_KEYFILE=certs/key.pem

Configuration File Structure

[app]           # Application settings
[database]      # Database connection
[server]        # Server configuration
[session]       # Session security
[security]      # Security headers
[cache]         # Static file caching
[proxy]         # Reverse proxy settings
[rate_limiting] # Rate limit configuration

Deployment Options

Development

# Install dependencies
pip install -r requirements.txt

# Generate SSL certificates
openssl req -x509 -newkey rsa:4096 -keyout certs/key.pem -out certs/cert.pem -days 3650 -nodes

# Run application
python app.py

Production with Docker

FROM python:3.11-slim
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
CMD ["python", "app.py"]

Systemd Service

[Unit]
Description=Domain Login Monitor
After=network.target

[Service]
Type=exec
User=www-data
WorkingDirectory=/opt/domain-logons
ExecStart=/opt/domain-logons/.venv/bin/python app.py
Restart=always

[Install]
WantedBy=multi-user.target

📡 API Reference

Authentication

All API endpoints require X-API-Key header with valid API key.

Endpoints

POST /api/log_event

Log authentication events from Windows clients.

Request:

{
  "EventType": "Sign-In|Sign-Out|Lock",
  "UserName": "john.doe",
  "ComputerName": "WORKSTATION-01",
  "IPAddress": "192.168.1.100",
  "Timestamp": "2025-05-25T14:30:00Z",
  "retry": 0
}

Response:

{
  "message": "Event logged successfully",
  "status": "success"
}

POST /api/health

Check system health and API connectivity.

Response:

{
  "status": "ok",
  "message": "Health check passed",
  "timestamp": "2025-05-25T14:30:00+00:00",
  "database": "connected",
  "api_key_verified": true,
  "company_id": 1
}

Windows Client Integration

Compiled Agent

winagentUSM.exe: Standalone Windows executable
Event Log Integration: Monitors Windows Security events
Automatic Retry: Built-in error handling and retry logic
Service Mode: Can run as Windows service
It is build with GO Lang

Default Credentials

Initial Admin Account

Username: superadmin
Email: superadmin@example.com
Password: adminsuper
Role: GlobalAdmin

API Key

Initial API key is automatically generated for the admin account and displayed in Admin Settings.

Database Migration Support

Supported Databases

SQLite: Default, perfect for small-medium deployments
PostgreSQL: Recommended for production (best performance)
MySQL/MariaDB: Enterprise environments
Microsoft SQL Server: Corporate Windows environments

Migration Path

Export data from current database
Update config.ini with new database connection
Run application to auto-create tables
Import data using provided migration scripts

Testing & Validation

API Testing

# Test login event
curl -k -X POST https://localhost:8000/api/log_event \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{"EventType": "Sign-In", "UserName": "test", "ComputerName": "TEST-PC", "IPAddress": "192.168.1.100", "Timestamp": "2025-05-25T14:30:00Z"}'

# Test health check
curl -k -X POST https://localhost:8000/api/health \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY"

Web Interface Testing

Navigate to https://localhost:8000
Login with default credentials
Create companies and users
Generate API keys
Test dashboard functionality

Additional Resources

Configuration Reference: config.ini

Languages

Python 53.6%

HTML 43.4%

CSS 2.2%

Dockerfile 0.5%

Shell 0.2%

Other 0.1%

README.md

User Login Monitoring System - Application Information

Overview