Vector integration guide

How to stream activity logs to vector.


Vector serves as a flexible log pipeline, allowing activity events to be collected, processed, and forwarded to a wide range of SIEM systems. By using Vector, you can transform and route logs as needed, making it easier to integrate with your existing observability tools and adapt to future changes in your logging infrastructure.

The goal is to connect defguard to a Vector service. This guide uses an example Vector service running in Docker, configured via Docker Compose.

Setup Vector

For this example we deploy Vector with a simple Docker Compose setup; in your own infrastructure you will most likely want to follow Vector's installation guide instead.

Vector configuration

Save the following configuration to vector.yaml:

sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson

sinks:
  console:
    type: console
    inputs:
    - defguard
    target: stdout
    encoding:
      codec: json

This basic configuration adds an HTTP source named defguard and a console sink, which forwards all logs received from defguard to standard output.

Next, add the vector service to your docker-compose.yaml file.

  vector:
    image: timberio/vector:latest-alpine
    container_name: vector
    volumes:
      - ./vector.yaml:/etc/vector/vector.yaml:ro
    command: ["--config", "/etc/vector/vector.yaml"]
    ports:
      - "8001:8001"

Make sure the new vector service is up and has loaded the configuration; at startup it prints a line like the following to stdout (the path should be the vector.yaml you mounted):

INFO vector::app: Loading configs. paths=["/etc/vector/vector.toml"]

Add Vector destination

In the defguard UI, signed in with an administrator account, open the Settings page and choose Activity log streaming.

Click Add new and choose Vector destination.

Fill in the Name and Url fields of the form and click Submit.

If your defguard instance is running in the same Docker Compose network as Vector, use http://vector:8001 as the URL instead of http://127.0.0.1:8001, since services in the same Compose network reach each other by container name.

That's it! defguard should now be sending activity events to Vector, and you should see them printed to stdout in the running Vector container.

To verify that everything is working, try logging in or out of defguard and check if the events appear in the Vector stdout.

Basic Authentication

Basic Authentication is a simple HTTP authentication method that sends a username and password in the Authorization header of each request. The credentials are only base64-encoded, not encrypted, so combine it with the TLS setup described in the next section whenever the traffic crosses a network you do not control. To enable Basic Authentication for incoming log data, update your Vector configuration as follows:

sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson
    auth:
      strategy: basic
      password: strongPassword
      username: vector

Next, add the configured username and password in defguard settings to the Vector destination.

TLS

To send logs to a Vector destination over HTTPS, you first need a TLS certificate. The following command uses OpenSSL to create a self-signed certificate for testing purposes; its subject (CN=localhost here) must match the host you will later put in the destination URL:

openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365 -subj "/CN=localhost"

The command above generates two files: key.pem (private key) and cert.pem (certificate). To use them with Vector, mount both files into the container by updating your Docker Compose configuration:

  vector:
    image: timberio/vector:latest-alpine
    container_name: vector
    volumes:
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      - ./key.pem:/etc/vector/key.pem:ro
      - ./cert.pem:/etc/vector/cert.pem:ro
    command: ["--config", "/etc/vector/vector.yaml"]
    ports:
      - "8001:8001"

Next, update Vector config:

sources:
  defguard:
    type: http_server
    address: 0.0.0.0:8001
    encoding: ndjson
    auth:
      strategy: basic
      password: strongPassword
      username: vector
    tls:
      enabled: true
      # certificate the source presents to defguard, with its private key
      crt_file: /etc/vector/cert.pem
      key_file: /etc/vector/key.pem

Next, copy the contents of cert.pem into the Certificate field in the Vector destination settings. Then, update the URL field to use the https scheme instead of http.
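To check a destination's settings (the form fields above, with or without Basic Authentication and TLS) before or after saving them in defguard, the following script posts a constructed NDJSON event to the Vector http_server source the way the Url, Username, Password and Cert fields imply. It is an added example, not defguard's or Vector's code; the event fields are made up and do not reflect defguard's real activity-event schema.

```python
"""Post a constructed activity event to a Vector http_server source using the
same settings as defguard's Vector destination form. Added example, not defguard code."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample event; defguard's real activity-event schema may differ.
SAMPLE_EVENTS = [{"event": "user_login", "username": "alice", "ip": "192.0.2.10"}]


def build_ndjson(events):
    """Vector's `encoding: ndjson` expects one JSON object per line."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def basic_auth_header(username, password):
    """Header value for `auth.strategy: basic` (base64 of user:password, not encryption)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def check_destination(url, cert_pem):
    """Reject settings that cannot work: an https Url needs the Cert field,
    and anything other than http/https is not a Vector HTTP source address."""
    scheme = urlparse(url).scheme
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if scheme == "https" and not cert_pem:
        raise ValueError("https Url requires the Cert field (contents of cert.pem)")
    return scheme


def send_test_event(url, username="", password="", cert_pem="", events=SAMPLE_EVENTS):
    """Send the events exactly as the destination settings imply; returns the HTTP status."""
    scheme = check_destination(url, cert_pem)
    req = urllib.request.Request(url, data=build_ndjson(events), method="POST")
    req.add_header("Content-Type", "application/x-ndjson")
    if username:
        req.add_header("Authorization", basic_auth_header(username, password))
    ctx = None
    if scheme == "https":
        # Trust only the certificate pasted into the Cert field, like a pinned CA.
        ctx = ssl.create_default_context()
        ctx.load_verify_locations(cadata=cert_pem)
    with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
        return resp.status
```

Run send_test_event("http://127.0.0.1:8001", "vector", "strongPassword") against the running container (or the https variant with cert_pem=open("cert.pem").read()) and the console sink should print the sample event; a 401 means the Username/Password do not match the source's auth block.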

Vector integration configuration

Name     | Example value            | Vector related configuration | Description
Name     | Vector                   | deploy                       | Assigned name for the destination.
Url      | http(s)://127.0.0.1:8001 | address                      | Address of the running Vector HTTP source.
Username | vector                   | auth.username                | Username for Basic Authentication.
Password | strongPassword           | auth.password                | Password for Basic Authentication.
Cert     | contents of cert.pem     | tls                          | Used for the TLS connection.