
API & Redis Event Forwarding

Enterprise Edition

Enterprise does not use the Community logger block. Push alerts from Settings > Integrations (webhooks, syslog, emails). Pull incidents with the REST API. Live triage happens on the Incidents page - see Incidents and Threat Graph.

Community Edition

API output - POST events to an HTTP endpoint

Use "output": "api" to POST each event as JSON to any HTTP endpoint: a custom collector, a SIEM HTTP input, or a webhook receiver.

```json
"logger": {
  "output": "api",
  "format": "default",
  "kwargs": {
    "url": "https://your-collector.example.com/api/v1/event/",
    "headers": {
      "Authorization": "Bearer <token>",
      "Content-Type": "application/json"
    }
  }
}
```

| Option | Description |
| --- | --- |
| `url` | Full URL of the receiving endpoint |
| `headers` | HTTP headers sent with every request |

The POST body is the event JSON. Set "format": "ecs" to send in ECS format - see ECS format.
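A minimal receiver for the `api` output, added here as an example (not part of Trapster or the original page): it checks the `Authorization: Bearer <token>` header from the `headers` block with a constant-time comparison, rejects bodies that are not a JSON object, and stores each accepted event. The token, listen address and the choice to accept any path are assumptions for this example.

```python
"""Minimal collector for the "api" logger output: accepts one POSTed event
JSON per request, verifies the Bearer token, and keeps the accepted events."""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token for this example; replace with a real secret in deployment.
EXPECTED_TOKEN = "example-token-change-me"
received_events = []


def handle_event(headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one forwarded event and return (status_code, reason).

    headers: mapping of HTTP header names to values (names matched case-insensitively)
    body: raw request body bytes (the event JSON)
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    presented = auth[len("Bearer "):]
    # Constant-time comparison so the token check does not leak timing information.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 401, "bad token"
    try:
        event = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, "body is not JSON"
    if not isinstance(event, dict):
        return 400, "event must be a JSON object"
    received_events.append(event)
    return 200, "ok"


class CollectorHandler(BaseHTTPRequestHandler):
    """HTTP glue: reads the POST body and delegates to handle_event()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, reason = handle_event(dict(self.headers), body)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # Assumed listen address; point the logger's "url" at it (any path is accepted).
    HTTPServer(("127.0.0.1", 8080), CollectorHandler).serve_forever()
```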

Examples

Forward to Splunk HEC:

```json
"logger": {
  "output": "api",
  "format": "default",
  "kwargs": {
    "url": "https://splunk:8088/services/collector/event",
    "headers": { "Authorization": "Splunk <hec-token>" }
  }
}
```

Forward in ECS format to Elastic:

```json
"logger": {
  "output": "api",
  "format": "ecs",
  "kwargs": {
    "url": "https://logstash:5044/trapster",
    "headers": { "Content-Type": "application/json" },
    "ecs_version": "8.11.0",
    "observer_name": "Trapster"
  }
}
```

Redis output - push to a Redis queue

Use "output": "redis" to push each event as a JSON string to a Redis list. Useful when you have a Redis-based event pipeline or want to decouple collection from processing.

```json
"logger": {
  "output": "redis",
  "format": "default",
  "kwargs": {
    "host": "localhost",
    "port": 6379
  }
}
```

| Option | Description |
| --- | --- |
| `host` | Redis server hostname or IP |
| `port` | Redis port (default 6379) |

Events are pushed to a Redis list as JSON strings.