docs: re png with mermaid md (#490)

README.md

@@ -26,7 +26,47 @@ Dsiem provides [OSSIM](https://www.alienvault.com/products/ossim)-style correlat
 
 ## How It Works
 
-![Simple Architecture](https://github.com/defenxor/dsiem/blob/master/docs/images/simple-arch.png)
+```mermaid
+flowchart TB
+
+l1 --> |Normalized Logs/Events| e1
+l1 --> |Alarms|e1
+l1 --> |Normalized Logs/Events| d1
+
+f1 --> |Logs| l1
+
+s1 --> |Logs| f1
+s2 --> |Logs| f1
+s3 --> |Logs| f1
+
+d1 --> |Alarms| d2
+d2 --> |Alarms| l1
+d1 --> |Query| d3
+
+subgraph Elasticsearch
+  e1[Elasticsearch]
+end
+
+subgraph Logstash
+  l1[Logstash] 
+end
+
+subgraph Filebeat
+ f1[Syslog/Filebeat]
+end
+
+subgraph Log Sources
+  s1[IDS]
+  s2[Firewall]
+  s3[OS]
+end
+
+subgraph Dsiem
+  d1[Dsiem]
+  d2[Dsiem-filebeat]
+  d3[Threat-Intel/Vulnerability-Info-Sources]
+end
+```
 
 On the diagram above:
 

docs/adv_deployment.md

@@ -2,7 +2,57 @@
 
 Dsiem supports clustering mode for horizontal scalability. In this mode, each instance of dsiem will run either as frontend or backend node, with NATS messaging in between to facilitate communication. The architecture is depicted in the following diagram.
 
-![Advanced Architecture](./images/advanced-arch.png)
+```mermaid
+flowchart TB
+
+l1 --> |Normalized Event| f1
+l1 --> |Normalized Event| f2
+l1 --> |Normalized Event| f3
+
+f1 --> |Normalized Event| m1
+
+m1 --> |Normalized Event| b1
+m1 --> |Normalized Event| b2
+m1 --> |Normalized Event| b3
+
+b1 --> |Query+Cache| v1
+b1 --> |Query+Cache| v2
+
+b1 --> |Alarm|fb
+
+subgraph Logstash
+  l1[Logstash] 
+end
+
+subgraph Dsiem
+  subgraph Frontend
+    f1[fe1]
+    f2[fe2]
+    f3[fe..N]
+  end
+  subgraph Message Queue
+    m1[nats1]
+    m2[nats2]
+    m3[nats..N]
+  end
+  subgraph Backend
+    b1[be1]
+    b2[be2]
+    b3[be..N]
+  end
+end
+
+subgraph Vuln and Intel Sources
+  v1[Moloch-Wise]
+  v2[Nessus-CSV]
+  v3[Others]
+end
+
+subgraph Filebeat
+  fb[Filebeat]
+end
+
+```
 
 ## About the Architecture
 

docs/event_processing.md

@@ -2,7 +2,41 @@
 
 This section provides more details on how event processing works in Dsiem, compared to the rather simplified version description on the main [Readme](https://github.com/defenxor/dsiem/#how-it-works). We'll use the following diagram and <a href="https://github.com/defenxor/dsiem/tree/master/deployments/docker/conf/">Dsiem example Logstash and Filebeat configuration files</a> as reference.
 
-![Event Processing Flow](/docs/images/flow.png)
+```mermaid
+flowchart TB
+
+s1 --> |Incoming Events| l1
+l1 --> |Parsed Logs| e1
+l1 --> |Normalized Events| e1
+l1 --> |Alarms| e1
+l1 --> |Alarm_events| e1
+
+l1 --> |Normalized Events| d1
+
+d1 --> |Alarms| f1
+d1 --> |Alarm_events| f1
+
+f1 --> |Alarms| l1
+f1 --> |Alarm_events| l1
+
+subgraph Sources
+ s1[syslog/Filebeat]
+end
+
+subgraph Aggregation Layer
+ l1[Logstash]
+end
+
+subgraph Storage Layer
+ e1[Elasticsearch]
+end
+
+subgraph SIEM Layer
+ d1[Dsiem]
+ f1[Filebeat]
+end
+
+```
 
 The diagram shows how logstash plays a central role in the event flow. It is therefore important to get an idea of how it works first before diving further. The basic things to understand are: