// chris johnsonField notes on cybersecurity, AI-assisted development, infrastructure, and the craft of shipping things that actually work.
Get a weekly email with what I learned, summaries of new posts, and direct links. No spam, unsubscribe anytime.
Part 6 of the home network dashboard build. The LOG LAKE panel ships a SIEM ingestion-health strip and a GUI firewall query builder that compiles to parameterized ClickHouse under the hood. One PR, two waves, 1193 backend tests at merge. Then deploy day on the live Mac mini produced five production-only bugs in a single afternoon: a readonly-pool 500, a timezone-mixed poll crash that had been firing every five minutes for hours, a 20-day-silent Pi-hole pipeline (two layers stacked), a Vector container reading a stale bind-mounted config, and a UDM doubled-hostname frame that silently broke action derivation for 159,909 rows. The meta-lesson is that the proposed fix for the last one was an invasive Vector source rewrite that the persona team vetoed in favor of an operator toggle and a four-line MV recreation.
Part 6 of the home network dashboard build. The SIEM cutover dropped the DNS search endpoint without replacing it, and the only reason I caught it was clicking into the live dashboard and seeing "Failed to load DNS query log." This post walks the session that put search back: the diagnosis, the brainstorming workflow that pinned down five contested design choices, the five-wave persona dispatch, the parallel reviews that caught a third-scan query and a PII gate divergence, the FastAPI int-Literal gotcha that ate an hour, and a live smoke at 41 results in under 100ms with the sparkline-sum-equals-aggregate-total invariant holding 454 = 454 on the first row.
Part 2 of a 2-part series on replacing the Mission Control Dashboard's SQLite-only event store with a Vector + ClickHouse log-lake. This post walks the 14 implementation phases, the cutover gate that caught 19 column-name drifts, the launchd watchdog bug that almost shipped a 7-second outage on every fsevent, and the persona-rule track record from 137 commits.
The climax of the Wazuh homelab series. deploy-wazuh.yml meets reality, eight bugs cascade across two evenings, the UDM Pro starts forwarding live syslog, three agents enroll across Linux, Pi, and Apple Silicon, and the captain pattern that orchestrated all of it gets an honest retrospective.
How a captain-orchestrated, nine-wave Ansible build went from clean repo to bootstrap-applied on a live HUNSN, including a sudo-rs surprise, a vault leak that demanded an immediate panic-rotate, a group_vars file shadowed by a directory of the same name, and a Multipass dry-run that caught two real playbook bugs before they could touch production.
Part 1 of a 2-part series on replacing the Mission Control Dashboard's SQLite-only event store with a Vector + ClickHouse log-lake on a Mac mini. This post covers the use case, the reasoning behind going custom instead of off-the-shelf, the three ingestion patterns, and the ClickHouse engine choices. Part 2 covers the implementation phases and the gotchas that almost shipped.
Why a security engineer running a small home network picked Wazuh over Splunk, Elastic, and Graylog, what hardware caught the job, and the 29-task implementation plan that went through 5 patches before a single playbook ran against the target server.