Alerting

Trapster can surface detections in the dashboard and forward them to email, chat, syslog, or SIEM pipelines.

Enterprise Edition

Enterprise adds the Incidents page and multiple outbound channels that can run at the same time. Configuration lives under Settings:

| Layer | Where | Purpose |
| --- | --- | --- |
| User notifications | Settings > Notifications | Email preference for your Trapster account (all incidents, login attempts only, or off) |
| Organization integrations | Settings > Integrations | Shared channels for the SOC: distribution emails, webhooks, syslog |

Organization integration channels

| Channel | Guide |
| --- | --- |
| Dashboard (Incidents, Threat Graph) | Dashboard |
| Email (distribution addresses) | Email |
| Webhooks (Teams, Slack, Splunk HEC, Sekoia, custom HTTP) | Webhooks |
| Syslog (CEF over UDP/TCP/TLS) | Syslog |
| Sekoia (native webhook type) | Sekoia |

Splunk HEC is configured as a webhook type, not a separate settings page. Microsoft Sentinel and Wazuh are supported via syslog or a custom webhook - see those guides for collector-side setup.

For programmatic access to incidents, use the REST API.

Community Edition

Alerting is configured in the logger section of trapster.conf. Two axes: output (where events go) and format (how they are structured).

```json
"logger": {
  "output": "terminal",
  "format": "default",
  "kwargs": {}
}
```

Output channels

| output | Description | Guide |
| --- | --- | --- |
| terminal | JSON to stdout (default) | Syslog & file logging |
| file | JSON to a file on disk | Syslog & file logging |
| api | POST events to an HTTP endpoint | API & Redis |
| redis | Push events to a Redis list | API & Redis |

Log formats

| format | Description | Guide |
| --- | --- | --- |
| default | Trapster native JSON | Event types & examples |
| ecs | Elastic Common Schema (ECS) | ECS format |

Example combinations from the README:

  • default + terminal: JSON to stdout (Docker logs, systemd journal)
  • default + api: POST JSON to an HTTP endpoint
  • ecs + api: POST ECS events to Elastic or Wazuh

Use the configuration wizard to set both fields interactively.

Only one output channel is active at a time. To fan out to multiple destinations, point api at a collector or run a log shipper on a file output.

What gets forwarded

Enterprise integrations receive incidents (and optionally raw events, depending on the webhook action). Payloads follow the incident API schema: source IP, service, category, device, namespace, timestamps, and description. Webhook and syslog consumers receive structured JSON or CEF derived from that schema.

Community loggers emit per-connection events with actions connection, data, login, and query. See Event types for the full reference and JSON examples.
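Because the Community Edition runs only one output channel at a time, the fan-out path is to point the api output at a small collector. The following is an added example (not Trapster's own code) of such a collector: it accepts the POSTed JSON events, accepts only the four documented action types, and hands each event to every configured sink so that one failing sink does not block the others. It assumes the event carries its action type in an "action" key and that a sink is any callable taking the event dict.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Action types of Community Edition events (see the Event types reference).
KNOWN_ACTIONS = {"connection", "data", "login", "query"}


class FanOutCollector:
    """Accept one event posted by the `api` output and hand it to every sink."""

    def __init__(self, sinks):
        self.sinks = list(sinks)  # callables that take one event dict

    def handle(self, body: bytes) -> dict:
        try:
            event = json.loads(body)
        except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
            return {"status": 400, "forwarded": 0}
        # Assumption: the action type is in an "action" key; anything else is rejected.
        if not isinstance(event, dict) or event.get("action") not in KNOWN_ACTIONS:
            return {"status": 422, "forwarded": 0}
        forwarded = 0
        for sink in self.sinks:
            try:
                sink(event)
                forwarded += 1
            except Exception as exc:  # one broken sink must not block the rest
                print(f"sink {getattr(sink, '__name__', repr(sink))} failed: {exc}")
        return {"status": 202, "forwarded": forwarded}


def make_handler(collector):
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            result = collector.handle(self.rfile.read(length))
            self.send_response(result["status"])
            self.end_headers()
    return Handler


def write_jsonl(event, path="trapster-events.jsonl"):
    """Sink 1: append the raw event as one JSON line for a log shipper to pick up."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event) + "\n")


if __name__ == "__main__":
    # Constructed setup: the second sink stands in for a syslog or SIEM forwarder.
    collector = FanOutCollector([write_jsonl, lambda e: print("forward:", e)])
    HTTPServer(("127.0.0.1", 8080), make_handler(collector)).serve_forever()
```

Set the api output's endpoint to this listener (see the API & Redis guide for the kwargs) and add one sink per destination.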