Overview
The Defense Center is the server-side stack of RavenXcope. It is deployed as a single docker-compose project (defense_center-deployment/compose.yml) that runs the backend, the frontend, the Kafka-based event pipeline, and the OpenSearch storage layer.
Scope note: this compose file is the data-pipeline + application deployment. The NATS control plane (the NATS Provisioner and a NATS server) is a separate concern and is not included in this particular compose file — it is wired through backend configuration in environments that enable it.
Service inventory
| Service | Image | Port(s) | Role |
|---|---|---|---|
| ravenxcope-backend | …/ravenxcope-backend | 5144 | .NET API (control plane, analytics, threat map). |
| ravenxcope-frontend | …/ravenxcope-frontend | 8000 | React SPA. |
| sensor-api | …/sensor-snort-service | 50051 | gRPC data collector → Kafka sensor_events. (See note below.) |
| broker | confluentinc/cp-kafka:7.8.0 | internal 29092 | Kafka in KRaft mode (single node). |
| schema-registry | confluentinc/cp-schema-registry:7.8.0 | 8081 | Avro schema registry. |
| event-stream-aggr | …/event-stream-aggr | — | Consumes sensor_events, enriches, produces snort_alerts. |
| opensearch-node1 | opensearchproject/opensearch:2 | 9200 | Search/analytics store. |
| opensearch-logstash | …/logstash-oss-with-opensearch-output-plugin:8.9.0 | — | snort_alerts → OpenSearch + threat-map topic. |
| opensearch-init | curlimages/curl | — | One-shot index/template bootstrap. |
| postgres | postgres:17 | 5432 | Relational store (tenants, sensors, users…). |
| redis | redis/redis-stack | — | Cache / ephemeral state. |
| influxdb | influxdb:2.7 | 8086 | Time-series host metrics + heartbeat status. |
| watchtower | containrrr/watchtower | — | Auto-updates labelled containers. |
ops profile (optional)
Two services only start with --profile ops:
| Service | Port | Role |
|---|---|---|
| kafka-ui | 9021 | Kafka topic/consumer inspection. |
| opensearch-dashboards | 5601 | OpenSearch dashboards. |
RavenXcope does not rely on OpenSearch Dashboards as a product feature — the frontend replaces it. It is included only as an optional ops debugging tool.
Note on sensor-api
This compose deploys the legacy Snort-era sensor-snort-service image as the data collector on :50051. Architecturally this is the same slot as the unified Data Collector (ravenxcope-sensor-suricata server mode). The system is mid-transition; both speak gRPC into the Kafka pipeline. See the Data Plane scenario.
Container topology
Auto-update & volumes
- Watchtower watches containers labelled com.centurylinklabs.watchtower.enable=true (the backend and frontend) and pulls new images automatically using ~/.docker/config.json for registry auth.
- Persistent state uses named volumes: mataelang_kafka_data, mataelang_opensearch_data1, mataelang_redis-data, mataelang_influxdb_data, mataelang_postgres_data.
See Messaging & Storage for the pipeline internals and Configuration for the backend env block.
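
The inventory, the ops profile and the Watchtower label scope described above can be checked against a compose file mechanically. The following is an added example, not part of the RavenXcope project: the expectation sets are transcribed from this page, and the sample config, function names and finding messages are constructed for illustration.

```python
import json

# Expectations transcribed from this page's tables, not read from the real compose.yml.
WATCHTOWER_LABEL = "com.centurylinklabs.watchtower.enable"
AUTO_UPDATED = {"ravenxcope-backend", "ravenxcope-frontend"}
OPS_ONLY = {"kafka-ui", "opensearch-dashboards"}
# Services whose Port(s) column is empty in the inventory (assumed: no host port).
NO_HOST_PORT = {"event-stream-aggr", "opensearch-logstash",
                "opensearch-init", "redis", "watchtower"}

# Constructed sample in the JSON shape of a compose file, with deliberate drift.
SAMPLE = json.dumps({"services": {
    "ravenxcope-backend": {"ports": ["5144:5144"], "labels": [WATCHTOWER_LABEL + "=true"]},
    "ravenxcope-frontend": {"ports": ["8000:8000"], "labels": {WATCHTOWER_LABEL: "true"}},
    "postgres": {"ports": ["5432:5432"], "labels": {WATCHTOWER_LABEL: "true"}},
    "redis": {"ports": ["6379:6379"]},
    "kafka-ui": {"ports": ["9021:9021"]},
    "opensearch-dashboards": {"ports": ["5601:5601"], "profiles": ["ops"]},
}})


def labels_of(service):
    """Compose accepts labels as a mapping or as a list of KEY=VALUE strings."""
    raw = service.get("labels") or {}
    if isinstance(raw, list):
        raw = dict(item.partition("=")[::2] for item in raw)
    return {key: str(value).lower() for key, value in raw.items()}


def audit(config_json):
    """Return sorted findings where the config drifts from the documented inventory."""
    services = json.loads(config_json).get("services", {})
    findings = []
    for name, service in services.items():
        labelled = labels_of(service).get(WATCHTOWER_LABEL) == "true"
        if labelled and name not in AUTO_UPDATED:
            findings.append(f"{name}: unexpected Watchtower auto-update label")
        if name in AUTO_UPDATED and not labelled:
            findings.append(f"{name}: documented as auto-updated but not labelled")
        if name in OPS_ONLY and "ops" not in (service.get("profiles") or []):
            findings.append(f"{name}: not gated behind the ops profile")
        if name in NO_HOST_PORT and service.get("ports"):
            findings.append(f"{name}: publishes a host port the inventory does not list")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To audit a real deployment, pass in the output of `docker compose --profile ops config --format json`; without the profile flag the ops services are left out of the rendered config and cannot be checked.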