How to Ingest Connector Logs into a SIEM

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Twingate Connectors log all events in real time via journald, which is part of the standard systemd suite that is available in all Linux systems. While journald does not come with a built-in method for sending logs and events to remote locations (such as SIEMs), there are several ways to centralize logs from all Connectors.

AWS S3

The easiest way to ingest Twingate logs is by sending them to your AWS S3 bucket. Twingate can send audit logs, network events, and DNS filtering logs every 5 minutes. From there, the data can be sent to your SIEM.

Syslog

Syslog is a standard for message logging and is often used to send logs to a centralized system. You can easily configure journald to automatically forward all messages to syslog:

Enable real-time connection logs on your Connectors
In a shell session on the Linux machine hosting your Connector, edit the configuration file for journald: /etc/systemd/journald.conf
Search for the following line:
```
#ForwardToSyslog=yes
```
Uncomment the line by removing the #
Save the journald.conf file
Configure syslog by editing its configuration file (usually located at /etc/syslog.conf) for logs to be forwarded to your central syslog server
Restart the Connector

Vector

Vector is a free lightweight utility that can be used to collect logs from sources (such as journald), transform collected logs, and send those logs to remote systems such as AWS Cloudwatch, AWS S3, Datadog, Elasticsearch, GCP Cloud Monitoring, Honeycomb, New Relic, Prometheus, Splunk and many more. (The various possible destinations are what Vector calls ”Sinks”.)

Enable real-time connection logs on your Connectors
Install Vector on the machine hosting the Connector
Create a Vector configuration file (for example vector.toml) and specify Sources and Transforms as specified in our documentation
Add the appropriate Sink configuration for your specific SIEM

Datadog (via journald)

The Datadog agent can be configured easily and used to feed the Twingate analytics dashboard. This will require that real-time connection logs are enabled on your Connectors. In order to set up the Datadog agent, follow the instructions from their official documentation.

Last updated 3 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription