How to Ingest Connector Logs into a SIEM

Twingate Connectors log all events in real time via journald, which is part of the standard systemd suite that is available in all Linux systems. While journald does not come with a built-in method for sending logs and events to remote locations (such as SIEMs), there are several ways to centralize logs from all Connectors.


All the methods described on this page assume real-time connection logs have been enabled for your Connectors. Let’s review several of the many options available to centralize Connector logs.


Syslog is a standard for message logging and is often used to send logs to a centralized system. You can easily configure journald to automatically forward all messages to syslog:

  • In a shell session on the Linux machine hosting your Connector, edit the configuration file for journald: /etc/systemd/journald.conf
  • Search for the following line:
  • Uncomment the line by removing the #
  • Save the journald.conf file
  • Configure syslog by editing its configuration file (usually located at /etc/syslog.conf) for logs to be forwarded to your central syslog server
  • Restart the Connector


Vector is a free lightweight utility that can be used to collect logs from sources (such as journald), transform collected logs, and send those logs to remote systems such as AWS Cloudwatch, AWS S3, Datadog, Elasticsearch, GCP Cloud Monitoring, Honeycomb, New Relic, Prometheus, Splunk and many more. (The various possible destinations are what Vector calls ”Sinks”.)

  • Install Vector on the machine hosting the Connector
  • Create a Vector configuration file (for example vector.toml) and specify Sources and Transforms as specified in our documentation
  • Add the appropriate Sink configuration for your specific SIEM

Datadog (via journald)

The Datadog agent can be configured easily and used to feed the Twingate analytics dashboard. In order to set it up, follow the instructions from the official Datadog documentation.

Last updated 3 months ago