search
githubEdit

Vector integration guide

How to stream activity logs to vector.

Vector arrow-up-rightserves as a flexible log pipeline, allowing activity events to be collected, processed, and forwarded to a wide range of SIEM systems. By using Vector, you can transform and route logs as needed, making it easier to integrate with your existing observability tools and adapt to future changes in your logging infrastructure.

The goal is to connect Defguard as HTTP Sourcearrow-up-right in Vector service. This guide uses an example Vector service running in Docker, configured via Docker Compose.

hashtag
Setup Vector

For the sake of this example we will follow simple Docker deployment of Vector via Docker Compose, but you most likely want to follow Vector's guide to deploy arrow-up-rightit in your infrastructure.

hashtag
Vector configuration

Save the following configuration to vector.yaml

sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson

sinks:
  console:
    type: console
    inputs:
    - defguard
    target: stdout
    encoding:
      codec: json

This basic configuration adds an HTTP source named defguard and a console sink, which forwards all logs received from defguard to standard output.

Next, add vector service to your docker-compose.yaml file.

Make sure that new vector service is up, and it loaded the configuration, it should print it in stdout:

hashtag
Add Vector destination

In Defguard UI with an administrator account, go into settings page and choose Activity log streaming.

Click Add new and choose Vector destination.

Fill out Name and Url of the form and click Submit.

If your defguard instance is running in the same Docker Compose network as Vector, use http://vector:8001 as the URL instead of http://127.0.0.1, since services in the same Compose network communicate by container name.

That's it! Defguard should now be sending activity events to Vector, and you should see them printed to stdout in the running Vector container.

To verify that everything is working, try logging in or out of defguard and check if the events appear in the Vector stdout.

hashtag
Basic Authentication

Basic Authentication is a simple HTTP authentication method that includes a username and password in the Authorization header of each request. To enable Basic Authentication for incoming log data, update your Vector configuration as follows:

Next, add the configured username and password in Defguard settings to the Vector destination.

hashtag
TLS

To send logs to a Vector destination over HTTPS, you first need to generate a TLS certificate. The following command uses OpenSSL to create a self-signed certificate for testing purposes:

The command above generates two files: key.pem (private key) and cert.pem (certificate). To use them with Vector, mount both files into the container by updating your Docker Compose configuration:

Next, update Vector config:

Next, copy the contents of cert.pem into the Certificate field in the Vector destination settings. Then, update the URL field to use the https scheme instead of http.

hashtag
Vector integration configuration

Name
Example value
Required
Vector related configuration
Description

Name

Vector

Assigned name for the destination.

Url

http(s)://127.0.0.1:8001

addressarrow-up-right

Address of running vector HTTP source.

Username

vector

auth.usernamearrow-up-right

username for Basic Authentication

Password

strongPassword

auth.passwordarrow-up-right

password for Basic Authentication

Cert

contents of cert.pem

tlsarrow-up-right

Used for TLS connection

PreviousSupported SIEM systems integrationsNextLogstash integration guide