Vector integration guide
How to stream activity logs to Vector.
Vector serves as a flexible log pipeline, allowing activity events to be collected, processed, and forwarded to a wide range of SIEM systems. By using Vector, you can transform and route logs as needed, making it easier to integrate with your existing observability tools and adapt to future changes in your logging infrastructure.
The goal is to register defguard as an HTTP source in Vector. This guide uses an example Vector service running in Docker, configured via Docker Compose.
Setup Vector
For this example we use a simple deployment of Vector via Docker Compose, but you will most likely want to follow Vector's own guide to deploy it in your infrastructure.
Vector configuration
Save the following configuration to vector.yaml:
sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson
sinks:
  console:
    type: console
    inputs:
      - defguard
    target: stdout
    encoding:
      codec: json
This basic configuration adds an HTTP source named defguard and a console sink, which forwards all logs received from defguard to standard output.
Next, add the vector service to your docker-compose.yaml file:
vector:
  image: timberio/vector:latest-alpine
  container_name: vector
  volumes:
    - ./vector.yaml:/etc/vector/vector.yaml:ro
  command: ["--config", "/etc/vector/vector.yaml"]
  ports:
    - "8001:8001"
Make sure that the new vector service is up and has loaded the configuration. It should print a line like this to stdout:
INFO vector::app: Loading configs. paths=["/etc/vector/vector.toml"]
Add Vector destination
In the defguard UI, logged in with an administrator account, go to the settings page and choose Activity log streaming.
Click Add new and choose the Vector destination.

Fill out the Name and Url fields of the form and click Submit.
If your defguard instance is running in the same Docker Compose network as Vector, use http://vector:8001 as the URL instead of http://127.0.0.1, since services in the same Compose network communicate by container name.

That's it! defguard should now be sending activity events to Vector, and you should see them printed to stdout in the running Vector container.
To verify that everything is working, try logging in or out of defguard and check if the events appear in the Vector stdout.
Basic Authentication
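Basic Authentication is a simple HTTP authentication method that includes a username and password in the Authorization header of each request. The credentials are only base64-encoded, not encrypted, so combine this with the TLS setup described in the next section whenever the traffic leaves the local host or Compose network.
To enable Basic Authentication for incoming log data, update your Vector configuration as follows: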
sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson
    auth:
      strategy: basic
      # example value; replace with your own secret
      password: strongPassword
      username: vector
Next, add the configured username and password in defguard settings to the Vector destination.

TLS
To send logs to a Vector destination over HTTPS, you first need to generate a TLS certificate. The following command uses OpenSSL to create a self-signed certificate for testing purposes:
openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=localhost"
The command above generates two files: key.pem (private key) and cert.pem (certificate).
To use them with Vector, mount both files into the container by updating your Docker Compose configuration:
vector:
  image: timberio/vector:latest-alpine
  container_name: vector
  volumes:
    - ./vector.yaml:/etc/vector/vector.yaml:ro
    - ./key.pem:/etc/vector/key.pem:ro
    - ./cert.pem:/etc/vector/cert.pem:ro
  command: ["--config", "/etc/vector/vector.yaml"]
  ports:
    - "8001:8001"
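Next, update the Vector configuration:
sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson
    auth:
      strategy: basic
      password: strongPassword
      username: vector
    tls:
      enabled: true
      # crt_file is the server certificate Vector presents to clients;
      # ca_file is only used to verify certificates sent by clients.
      crt_file: /etc/vector/cert.pem
      key_file: /etc/vector/key.pem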
Next, copy the contents of cert.pem into the Certificate field in the Vector destination settings. Then, update the URL field to use the https scheme instead of http.
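A quick way to confirm that the source now enforces both Basic Authentication and TLS is to post one test event with and without credentials while trusting only cert.pem. The script below is an added example, not part of defguard or Vector; the function names and the sample event are constructed for illustration, and the URL, username and password are the example values from this guide.

```python
import base64
import json
import ssl
import sys
import urllib.error
import urllib.request


def ndjson_body(events):
    """Serialize events as newline-delimited JSON, matching `encoding: ndjson`."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def build_request(url, events, username=None, password=None):
    """Build the POST; add HTTP Basic credentials only when a username is given."""
    req = urllib.request.Request(url, data=ndjson_body(events), method="POST")
    req.add_header("Content-Type", "application/x-ndjson")
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    return req


def post_status(req, ca_file=None):
    """Send the request and return the HTTP status; trust only ca_file for HTTPS."""
    ctx = ssl.create_default_context(cafile=ca_file) if ca_file else None
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # non-2xx answer, e.g. rejected credentials


def check_source(url, username, password, ca_file=None):
    """Return (anonymous_status, authenticated_status) for one constructed event."""
    event = [{"event": "smoke_test", "note": "constructed sample, not a defguard event"}]
    anon = post_status(build_request(url, event), ca_file)
    authed = post_status(build_request(url, event, username, password), ca_file)
    return anon, authed


if __name__ == "__main__":
    # Assumed values from this guide; run on the Docker host after the TLS step.
    anon, authed = check_source("https://localhost:8001", "vector", "strongPassword", "cert.pem")
    print(f"anonymous={anon} authenticated={authed}")
    sys.exit(0 if authed == 200 and not 200 <= anon < 300 else 1)
```

The script exits non-zero if the anonymous request is accepted or the authenticated one is not, and a certificate verification error means the endpoint is not presenting the certificate in cert.pem.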

Vector integration configuration
Name
Vector
Assigned name for the destination.