Vector integration guide
How to stream activity logs to Vector.
Vector serves as a flexible log pipeline, allowing activity events to be collected, processed, and forwarded to a wide range of SIEM systems. By using Vector, you can transform and route logs as needed, making it easier to integrate with your existing observability tools and adapt to future changes in your logging infrastructure.
The goal is to connect defguard as a source in the Vector service. This guide uses an example Vector service running in Docker, configured via Docker Compose.
For the sake of this example we follow a simple Docker Compose deployment of Vector, but you will most likely want to follow Vector's own deployment guide for your infrastructure.
Save the following configuration to vector.yaml
This basic configuration adds an HTTP source named defguard and a console sink, which forwards all logs received from defguard to standard output.
Next, add the vector service to your docker-compose.yaml file.
Make sure that the new vector service is up and has loaded the configuration; it should print it to stdout:
In the defguard UI, using an administrator account, go to the settings page and choose Activity log streaming.
Click Add new and choose the Vector destination.
Fill out the Name and Url fields of the form and click Submit.
If your defguard instance is running in the same Docker Compose network as Vector, use http://vector:8001 as the URL instead of http://127.0.0.1, since services in the same Compose network communicate by container name.
That's it! defguard should now be sending activity events to Vector, and you should see them printed to stdout in the running Vector container.
To verify that everything is working, try logging in to or out of defguard and check whether the events appear in Vector's stdout.
Basic Authentication is a simple HTTP authentication method that includes a username and password in the Authorization header of each request.
To enable Basic Authentication for incoming log data, update your Vector configuration as follows:
Next, add the configured username and password to the Vector destination in defguard settings.
To send logs to a Vector destination over HTTPS, you first need to generate a TLS certificate. The following command uses OpenSSL to create a self-signed certificate for testing purposes:
The command above generates two files: key.pem (private key) and cert.pem (certificate).
To use them with Vector, mount both files into the container by updating your Docker Compose configuration:
Next, update the Vector configuration:
Next, copy the contents of cert.pem into the Certificate field in the Vector destination settings. Then, update the URL field to use the https scheme instead of http.
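One way to confirm that the Basic Authentication and HTTPS settings described above took effect, as an added example that is not part of the original guide or of defguard or Vector: it posts a constructed test event without credentials, with a wrong password, and with the configured credentials, then reports whether only the last was accepted. The function names and the sample event are assumptions; the URL and credentials in the final call are the example values from this page.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample event; real defguard activity events have their own schema.
SAMPLE_EVENT = {"event": "constructed_test_event", "source": "auth-check"}


def post_event(url, username=None, password=None, cafile=None, timeout=5):
    """POST SAMPLE_EVENT to the source and return the HTTP status code."""
    request = urllib.request.Request(
        url,
        data=json.dumps(SAMPLE_EVENT).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if username is not None:
        # Basic credentials are only base64-encoded, so use an https:// URL in production.
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        request.add_header("Authorization", f"Basic {token}")
    context = None
    if url.startswith("https://"):
        # With cafile set, only that certificate (cert.pem) is trusted, not the system store.
        context = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx answers are results here, not failures


def check_source(url, username, password, cafile=None):
    """Return (status per probe, True if only the valid credentials were accepted)."""
    statuses = {
        "no_credentials": post_event(url, cafile=cafile),
        "wrong_password": post_event(url, username, password + "-wrong", cafile),
        "valid_credentials": post_event(url, username, password, cafile),
    }
    accepted = {name for name, code in statuses.items() if 200 <= code < 300}
    return statuses, accepted == {"valid_credentials"}


if __name__ == "__main__":
    try:
        print(check_source("http://127.0.0.1:8001", "vector", "strongPassword"))
    except urllib.error.URLError as err:
        print(f"source unreachable or TLS verification failed: {err}")
```

For the HTTPS setup, call check_source with an https URL and cafile="cert.pem". The valid-credentials probe delivers one constructed event to the sink.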
| Field | Example value | Description |
| --- | --- | --- |
| Name | Vector | Assigned name for the destination. |
| Url | http(s)://127.0.0.1:8001 | Address of the running Vector HTTP source. |
| Username | vector | Username for Basic Authentication. |
| Password | strongPassword | Password for Basic Authentication. |
| Cert | contents of cert.pem | Used for the TLS connection. |