API & Redis Event Forwarding
Enterprise Edition
Enterprise does not use the Community logger block. Push alerts from Settings > Integrations (webhooks, syslog, emails). Pull incidents with the REST API. Live triage happens on the Incidents page - see Incidents and Threat Graph.
Community Edition
API output - POST events to an HTTP endpoint
Use "output": "api" to POST each event as JSON to any HTTP endpoint: a custom collector, a SIEM HTTP input, or a webhook receiver.
```json
"logger": {
  "output": "api",
  "format": "default",
  "kwargs": {
    "url": "https://your-collector.example.com/api/v1/event/",
    "headers": {
      "Authorization": "Bearer <token>",
      "Content-Type": "application/json"
    }
  }
}
```

| Option | Description |
|---|---|
| url | Full URL of the receiving endpoint |
| headers | HTTP headers sent with every request |
The POST body is the event JSON. Set "format": "ecs" to send in ECS format - see ECS format.
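A minimal receiver for the "custom collector" case, added here as an example and not part of Trapster or this page: it checks the Bearer token from the `headers` block with a constant-time comparison, rejects bodies that are not a single JSON object, and hands each accepted event to a function you replace. The listen address, port, body-size limit and token value are assumptions.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the same token you put in the logger "headers" block; load it from config or env.
EXPECTED_TOKEN = "replace-with-your-token"  # constructed placeholder


def handle_event(headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one POSTed event. Returns (http_status, event_dict_or_None)."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    # Constant-time comparison so a wrong token cannot be told apart by response timing.
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 401, None
    try:
        event = json.loads(body)  # the POST body is the event JSON
    except ValueError:  # covers JSONDecodeError and invalid UTF-8
        return 400, None
    if not isinstance(event, dict):  # one event object per request, not a list or scalar
        return 400, None
    return 202, event


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if not 0 <= length <= 1 << 20:  # assumption: refuse bodies over 1 MiB or with a bad length
            self.send_response(413)
            self.end_headers()
            return
        status, event = handle_event(dict(self.headers.items()), self.rfile.read(length))
        if event is not None:
            print(json.dumps(event))  # replace with your pipeline (queue, SIEM, database)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Assumption: listen on loopback only; terminate TLS in a reverse proxy in front of this.
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```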
Examples
Forward to Splunk HEC:
```json
"logger": {
  "output": "api",
  "format": "default",
  "kwargs": {
    "url": "https://splunk:8088/services/collector/event",
    "headers": { "Authorization": "Splunk <hec-token>" }
  }
}
```

Forward in ECS format to Elastic:

```json
"logger": {
  "output": "api",
  "format": "ecs",
  "kwargs": {
    "url": "https://logstash:5044/trapster",
    "headers": { "Content-Type": "application/json" },
    "ecs_version": "8.11.0",
    "observer_name": "Trapster"
  }
}
```

Redis output - push to a Redis queue
Use "output": "redis" to push each event as a JSON string to a Redis list. Useful when you have a Redis-based event pipeline or want to decouple collection from processing.
```json
"logger": {
  "output": "redis",
  "format": "default",
  "kwargs": {
    "host": "localhost",
    "port": 6379
  }
}
```

| Option | Description |
|---|---|
| host | Redis server hostname or IP |
| port | Redis port (default 6379) |
Events are pushed to a Redis list as JSON strings.
