Docs · Using Nexus
Fleet: Agent & Manager
The Fleet is a Wazuh-style architecture: many lightweight agents report to one manager, which runs the rule engine and serves the dashboard and CLI.
How it fits together
architecture
 nexus-dashboard       nexus-cli
 (web monitoring)    (admin & SOC)
          \              /
           \  REST API  /
            v  (token) v
    ┌─────────────────────┐
    │    nexus-manager    │  rules · alerts · vuln
    │  policy · license   │  → SQLite (WAL, encrypted)
    └──────────┬──────────┘
   HTTP + HMAC │ heartbeat · events · policy
    ┌──────────┴──────────┐
    │     nexus-agent     │  FIM · logs · SCA
    │  syscollector · AR  │  offline store-and-forward
    └─────────────────────┘
Bring up a Fleet
One command, many forms. After pip install nexus-fleet you get the umbrella command nexus. Run nexus --version to verify the install. Every nexus <sub> below also has a standalone twin (nexus manager run ≡ nexus-manager run).
1
Start the manager
On your central host, run the manager. It listens for agents and serves the dashboard on the same port.
bash
nexus manager run --host 0.0.0.0 --port 8765
2
Grab the enrollment key
Print the credentials the agents and admins will need.
bash
nexus manager info # enrollment key + admin token
3
Enroll each endpoint
On every machine you want to monitor, enroll once and start the daemon.
bash
nexus agent enroll --host <manager> --port 8765 --key <ENROLL_KEY>
nexus agent start
4
Watch the alerts
Open http://<manager>:8765/ for the dashboard, or use the CLI.
bash
nexus cli --token <ADMIN_TOKEN> alerts
Using the dashboard
The manager serves a built-in web dashboard at http://<manager>:8765/ — no extra install. It is fully offline (your data never leaves the LAN) and bilingual (English / Indonesian, toggle in the top bar). Connect once and it auto-refreshes every 4s.
1
Connect
Enter the manager host, port, and admin token (from nexus manager info) in the top bar, then click Connect. The status dot turns green when linked. The token is kept in sessionStorage and cleared when you close the tab.
2
Navigate the views
The left sidebar groups everything into focused views:
- Overview — live metric cards, license seat usage bar, and recent alerts
- Agents — every endpoint; Scan collects now, Remove frees a seat
- Alerts — rule-engine findings (MITRE ATT&CK); click to ack/resolve or Secure to remediate
- Events — raw telemetry, filterable by severity
- Incidents — related alerts grouped together
- Policy — edit the JSON pushed to all agents
- License — tier, seats, features, and expiry at a glance
- Help — a built-in guide so new operators are never lost
3
Respond
From Alerts, Secure sends a suggested remediation (block IP, enable firewall, kill process). It is dry-run by default — real execution happens only when policy.active_response is enabled.
Seat usage at a glance. The Overview and License views show a live seat bar (agents enrolled ÷ your tier's seats). Free allows 2 agents; Pro is seat-based (default 50); Enterprise is unlimited — so you always know how much head-room you have before enrollment is capped.
What the agent collects
- FIM — baseline checksums of sensitive files with exact before/after hashes
- Log Monitoring — Laravel, Nginx and auth-log decoders
- SCA — security configuration assessment against policy
- Syscollector — software, process and network inventory
- Web/App audit — APP_DEBUG, exposed .env, leaked secrets, source maps
- Active Response — block IP, enable firewall, kill process (dry-run by default)
Works offline. If the manager is unreachable, the agent buffers events locally (store-and-forward) and replays them when the connection returns. Nothing is lost and nothing leaves your network.
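The "HTTP + HMAC" channel in the diagram and the store-and-forward behaviour described above interact: a message signed when the event was observed would fail a freshness check once the backlog is replayed. The sketch below is an added example, not Nexus code; the envelope fields, MAX_SKEW, the sequence counter and the Agent class are assumptions that show the general pattern (sign at send time, verify before parsing, reject replays).

```python
import hashlib, hmac, json
from collections import deque

MAX_SKEW = 300  # seconds a signed message stays acceptable (assumed value)

def sign(key: bytes, agent_id: str, seq: int, event: dict, now: float) -> dict:
    """Agent side: serialise once, then MAC those exact bytes with HMAC-SHA256."""
    data = json.dumps({"agent": agent_id, "seq": seq, "sent_at": int(now),
                       "event": event}, sort_keys=True)
    mac = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return {"data": data, "mac": mac}

def verify(key: bytes, envelope: dict, now: float, last_seq: dict) -> dict:
    """Manager side: authenticate before parsing, then reject stale or replayed input."""
    expected = hmac.new(key, envelope["data"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; never use == on MACs.
    if not hmac.compare_digest(expected.encode(), str(envelope["mac"]).encode()):
        raise ValueError("bad MAC")
    msg = json.loads(envelope["data"])
    if abs(now - msg["sent_at"]) > MAX_SKEW:
        raise ValueError("stale message")
    if msg["seq"] <= last_seq.get(msg["agent"], -1):
        raise ValueError("replayed sequence number")
    last_seq[msg["agent"]] = msg["seq"]
    return msg["event"]

class Agent:
    """Queues raw events while offline and signs at send time, so a backlog
    replayed hours later still passes the manager's freshness check."""
    def __init__(self, key: bytes, agent_id: str):
        self.key, self.agent_id, self.seq = key, agent_id, 0
        self.backlog = deque()

    def record(self, event: dict, observed_at: float) -> None:
        # The detection time travels inside the signed event, not in sent_at.
        self.backlog.append({**event, "observed_at": int(observed_at)})

    def flush(self, send, now: float) -> int:
        """Send oldest first; stop at the first failure and keep the rest queued."""
        sent = 0
        while self.backlog:
            if not send(sign(self.key, self.agent_id, self.seq, self.backlog[0], now)):
                break
            self.backlog.popleft()
            self.seq += 1
            sent += 1
        return sent
```

If an acknowledgement is lost after the manager has accepted a message, the retry carries the same sequence number and is rejected as a replay, so an agent built this way has to treat that rejection as "already delivered".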
Alerts & incidents
The manager scores every event on a 0–15 level, maps it to a MITRE ATT&CK technique, deduplicates noise, and groups related alerts into incidents — so you act on what matters instead of drowning in alert fatigue.