How to Ingest Connector Logs into a SIEM
Twingate Connectors log all events in real time via journald, which is part of the standard systemd suite that is available in all Linux systems. While journald does not come with a built-in method for sending logs and events to remote locations (such as SIEMs), there are several ways to centralize logs from all Connectors.
AWS S3
The easiest way to ingest Twingate logs is by sending them to your AWS S3 bucket. Twingate can send audit logs, network events, and DNS filtering logs every 5 minutes. From there, the data can be sent to your SIEM.
Syslog
Syslog is a standard for message logging and is often used to send logs to a centralized system. You can easily configure journald to automatically forward all messages to syslog:
- Enable real-time connection logs on your Connectors
- In a shell session on the Linux machine hosting your Connector, edit the configuration file for journald:
/etc/systemd/journald.conf
- Search for the following line:
#ForwardToSyslog=yes
- Uncomment the line by removing the
#
- Save the
journald.conf
file - Configure syslog by editing its configuration file (usually located at
/etc/syslog.conf
) for logs to be forwarded to your central syslog server - Restart the Connector
Vector
Vector is a free lightweight utility that can be used to collect logs from sources (such as journald), transform collected logs, and send those logs to remote systems such as AWS Cloudwatch, AWS S3, Datadog, Elasticsearch, GCP Cloud Monitoring, Honeycomb, New Relic, Prometheus, Splunk and many more. (The various possible destinations are what Vector calls ”Sinks”.)
- Enable real-time connection logs on your Connectors
- Install Vector on the machine hosting the Connector
- Create a Vector configuration file (for example
vector.toml
) and specify Sources and Transforms as specified in our documentation - Add the appropriate Sink configuration for your specific SIEM
Datadog (via journald)
The Datadog agent can be configured easily and used to feed the Twingate analytics dashboard. This will require that real-time connection logs are enabled on your Connectors. In order to set up the Datadog agent, follow the instructions from their official documentation.
Last updated 27 days ago