Logstash integration guide

How to stream activity logs to Logstash.


Logstash serves as a versatile data processing pipeline that ingests, transforms, and forwards logs from various sources to your preferred observability or SIEM tools. With its modular plugin architecture, Logstash enables flexible configuration of inputs, filters, and outputs, making it easy to adapt log flows to evolving infrastructure needs.

This guide demonstrates how to configure a Logstash service running in Docker using Docker Compose to accept HTTP events from defguard and forward them for further processing or storage.

Setup Logstash

Save the following config to logstash.conf. It sets up an HTTP input for Logstash on port 8002 and writes the incoming data to stdout.

input {
  http {
    port => 8002
    codec => json_lines {
      target => "activity_data"
    }
  }
}
output {
  stdout { codec => rubydebug }
}

Add the Logstash service to docker-compose.yaml and start it.

  logstash:
    image: docker.elastic.co/logstash/logstash:8.14.0
    ports:
      - "8002:8002"
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf:ro

Add Logstash destination

In the defguard UI, logged in with an administrator account, go to the Settings page and choose Activity log streaming.

Click Add new and choose the Logstash destination.

Fill out the Name and Url fields and click Submit.

That's it! defguard should now be sending activity events to Logstash, and you should see them printed to stdout in the running Logstash container.

To verify that everything is working, try logging in or out of defguard and check if the events appear in the Logstash stdout.

Basic Authentication

Basic Authentication is a simple HTTP authentication method that includes a username and password in the Authorization header of each request. To enable Basic Authentication for incoming log data, update your Logstash configuration as follows:

input {
  http {
    port => 8002
    codec => json_lines {
      target => "activity_data"
    }
    user => "logstash"
    password => "strongPassword"
  }
}
output {
  stdout { codec => rubydebug }
}

Modify the Logstash destination in settings and fill in the username and password.
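To exercise the pipeline end to end without waiting for a defguard login, the following Python script posts a couple of constructed activity events to the Logstash HTTP input configured above, using the same Basic Authentication credentials. This is an added example and is not part of the defguard documentation or the defguard project; the event field names and values in SAMPLE_EVENTS are made up for illustration, since what defguard actually sends is not shown on this page. Two helpers mirror what happens inside Logstash: apply_json_lines_target shows where codec => json_lines { target => "activity_data" } places each line, and check_basic_auth shows the receiver-side credential check that the user/password options perform. Basic Authentication only base64-encodes the credentials, so on an untrusted network use an https:// URL and the Cert field (the cafile parameter here).

```python
"""Send constructed defguard-style activity events to a Logstash HTTP input.

Added example, not part of the defguard docs or project. The URL matches the
http input on port 8002 from the guide; the event contents are invented.
"""
import base64
import hmac
import json
import ssl
import urllib.request

LOGSTASH_URL = "http://127.0.0.1:8002"  # the http input configured in logstash.conf

# Constructed sample events; these field names are illustrative only and are
# not the real defguard activity log schema.
SAMPLE_EVENTS = [
    {"event": "user_login", "username": "alice", "ip": "10.0.0.5"},
    {"event": "user_logout", "username": "alice", "ip": "10.0.0.5"},
]


def to_json_lines(events):
    """Encode events as the json_lines codec expects: one JSON object per line."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def basic_auth_header(username, password):
    """Build the Authorization header value checked by Logstash's user/password options.
    Note that this is encoding, not encryption: TLS is what keeps it private."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def check_basic_auth(header, username, password):
    """Receiver-side check: decode the header and compare in constant time, so a
    wrong guess does not leak how many characters matched through timing."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    expected = f"{username}:{password}"
    return hmac.compare_digest(decoded.encode(), expected.encode())


def apply_json_lines_target(body, target="activity_data"):
    """Mimic codec => json_lines { target => "activity_data" }: every non-empty
    line becomes one event with the parsed JSON nested under the target field
    rather than merged into the event's top level."""
    events = []
    for line in body.decode().splitlines():
        if line.strip():
            events.append({target: json.loads(line)})
    return events


def send_events(events, url=LOGSTASH_URL, username=None, password="", cafile=None):
    """POST the events as json_lines and return the HTTP status code.
    cafile is the PEM certificate to trust for an https:// URL; the "Cert"
    field of the defguard destination settings plays the same role."""
    body = to_json_lines(events)
    req = urllib.request.Request(url, data=body, method="POST")
    # The Logstash http input maps application/json to its plain json codec by
    # default (additional_codecs), which would bypass the json_lines codec in
    # logstash.conf; x-ndjson falls through to the configured codec.
    req.add_header("Content-Type", "application/x-ndjson")
    if username is not None:
        req.add_header("Authorization", basic_auth_header(username, password))
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https://") else None
    with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Requires the Logstash container from this guide to be running locally.
    print(send_events(SAMPLE_EVENTS, username="logstash", password="strongPassword"))
```

Run it while the container from the guide is up; each event should then appear in the container's stdout with the payload nested under activity_data, which is exactly what a defguard login or logout event will look like once the destination is configured.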

Logstash integration configuration

| Name | Example value | Logstash related configuration | Description |
| --- | --- | --- | --- |
| Name | Logstash | | Assigned name for the destination. |
| Url | http(s)://127.0.0.1:8002 | host, port | Address of the running Logstash HTTP input. |
| Username | logstash | user | Username for Basic Authentication. |
| Password | strongPassword | password | Password for Basic Authentication. |
| Cert | contents of cert.pem | ssl_certificate | Used for the TLS connection. |