Logstash integration guide
How to stream activity logs to vector.
Logstash serves as a versatile data processing pipeline that ingests, transforms, and forwards logs from various sources to your preferred observability or SIEM tools. With its modular plugin architecture, Logstash enables flexible configuration of inputs, filters, and outputs, making it ideal for adapting log flows to fit evolving infrastructure needs.
This guide demonstrates how to configure a Logstash service running in Docker using Docker Compose to accept HTTP events from defguard and forward them for further processing or storage.
Save the following config to logstash.conf. This will set up an HTTP input for Logstash on port 8002 and output the incoming data to stdout.
Add the Logstash service to the docker-compose.yaml and start it.
In the defguard UI, logged in with an administrator account, go to the settings page and choose Activity log streaming.
Click Add new and choose Vector destination.
Fill out the Name and Url fields and click Submit.
That's it! defguard should now be sending activity events to Logstash, and you should see them printed to stdout in the running Logstash container.
To verify that everything is working, try logging in or out of defguard and check if the events appear in the Logstash stdout.
Basic Authentication is a simple HTTP authentication method that includes a username and password in the Authorization header of each request.
To enable Basic Authentication for incoming log data, update your Logstash configuration as follows:
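One way to write that configuration, as an added example rather than the original page's config: the unauthenticated baseline described earlier is shown commented out beside a hardened input that uses the page's sample username. The environment variable name and the certificate and key paths are assumptions.

```logstash
# Added example, not the original page's configuration.

# Baseline from the first part of this guide: plain HTTP on port 8002 with
# no authentication. Anyone who can reach the port can inject events.
# input {
#   http {
#     port => 8002
#   }
# }

# Hardened form: Basic Authentication plus TLS on the same port.
input {
  http {
    port => 8002

    # Credentials defguard must present in the Authorization header.
    user => "logstash"
    # Assumption: LOGSTASH_HTTP_PASSWORD is set in the container environment,
    # so the password is not stored in the config file.
    password => "${LOGSTASH_HTTP_PASSWORD}"

    # Basic Authentication only base64-encodes the credentials, so the
    # transport has to be encrypted. Older versions of the http input
    # plugin use `ssl => true` instead of `ssl_enabled`.
    ssl_enabled => true
    # Assumed mount paths inside the container; the key must be PKCS#8.
    ssl_certificate => "/usr/share/logstash/config/cert.pem"
    ssl_key => "/usr/share/logstash/config/key.pem"
  }
}

output {
  # Same as the baseline: print each received event to the container's stdout.
  stdout { codec => rubydebug }
}
```

With TLS enabled on the input, the destination Url in defguard has to use https:// and the Cert field carries the contents of cert.pem.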
Modify the Logstash destination in settings and fill in the username and password.
| Field | Example value | Description |
| --- | --- | --- |
| Name | Logstash | Assigned name for the destination. |
| Url | http(s)://127.0.0.1:8002 | Address of running vector HTTP source. |
| Username | logstash | Username for Basic Authentication |
| Password | strongPassword | Password for Basic Authentication |
| Cert | contents of cert.pem | Used for TLS connection |