How to Ingest Connector Logs into a SIEM

Twingate Connectors log all events in real time via journald, which is part of the standard systemd suite that is available in all Linux systems. While journald does not come with a built-in method for sending logs and events to remote locations (such as SIEMs), there are several ways to centralize logs from all Connectors.

AWS S3

The easiest way to ingest Twingate logs is by sending them to your AWS S3 bucket. Twingate can send audit logs, network events, and DNS filtering logs every 5 minutes. From there, the data can be sent to your SIEM.

Syslog

Syslog is a standard for message logging and is often used to send logs to a centralized system. You can easily configure journald to automatically forward all messages to syslog:

  • Enable real-time connection logs on your Connectors
  • In a shell session on the Linux machine hosting your Connector, edit the configuration file for journald: /etc/systemd/journald.conf
  • Search for the following line:
    #ForwardToSyslog=yes
  • Uncomment the line by removing the #
  • Save the journald.conf file
  • Configure syslog by editing its configuration file (usually located at /etc/syslog.conf) for logs to be forwarded to your central syslog server
  • Restart the Connector

Vector

Vector is a free lightweight utility that can be used to collect logs from sources (such as journald), transform collected logs, and send those logs to remote systems such as AWS Cloudwatch, AWS S3, Datadog, Elasticsearch, GCP Cloud Monitoring, Honeycomb, New Relic, Prometheus, Splunk and many more. (The various possible destinations are what Vector calls ”Sinks”.)

Datadog (via journald)

The Datadog agent can be configured easily and used to feed the Twingate analytics dashboard. This will require that real-time connection logs are enabled on your Connectors. In order to set up the Datadog agent, follow the instructions from their official documentation.

Last updated 4 months ago