Alerting
Trapster can surface detections in the dashboard and forward them to email, chat, syslog, or SIEM pipelines.
Enterprise Edition
Enterprise adds the Incidents page and multiple outbound channels that can run at the same time. Configuration lives under Settings:
| Layer | Where | Purpose |
|---|---|---|
| User notifications | Settings > Notifications | Email preference for your Trapster account (all incidents, login attempts only, or off) |
| Organization integrations | Settings > Integrations | Shared channels for the SOC: distribution emails, webhooks, syslog |
Organization integration channels
| Channel | Guide |
|---|---|
| Dashboard (Incidents, Threat Graph) | Dashboard |
| Email (distribution addresses) | |
| Webhooks (Teams, Slack, Splunk HEC, Sekoia, custom HTTP) | Webhooks |
| Syslog (CEF over UDP/TCP/TLS) | Syslog |
| Sekoia (native webhook type) | Sekoia |
Splunk HEC is configured as a webhook type, not a separate settings page. Microsoft Sentinel and Wazuh are supported via syslog or a custom webhook - see those guides for collector-side setup.
For programmatic access to incidents, use the REST API.
Community Edition
Alerting is configured in the logger section of trapster.conf. Two axes: output (where events go) and format (how they are structured).
```json
"logger": {
  "output": "terminal",
  "format": "default",
  "kwargs": {}
}
```
Output channels
| output | Description | Guide |
|---|---|---|
| terminal | JSON to stdout (default) | Syslog & file logging |
| file | JSON to a file on disk | Syslog & file logging |
| api | POST events to an HTTP endpoint | API & Redis |
| redis | Push events to a Redis list | API & Redis |
Log formats
| format | Description | Guide |
|---|---|---|
| default | Trapster native JSON | Event types & examples |
| ecs | Elastic Common Schema (ECS) | ECS format |
Example combinations from the README:
- default+terminal: JSON to stdout (Docker logs, systemd journal)
- default+api: POST JSON to an HTTP endpoint
- ecs+api: POST ECS events to Elastic or Wazuh
Use the configuration wizard to set both fields interactively.
Only one output channel is active at a time. To fan out to multiple destinations, point api at a collector or run a log shipper on a file output.
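As an added illustration of the collector pattern just described (example code, not Trapster's own): the core of a collector that an `api` output would POST to. It checks each body's `action` against the four Community event types, then delivers the event to every sink while isolating failures so one dead destination cannot block the others. The file and UDP-syslog sinks, the logger name, and any field beyond `action` in the constructed events are assumptions; an HTTP server calls `validate_event` on each POST body and then `fan_out`.

```python
import json
import logging
import logging.handlers

# The four event actions the Community loggers emit (from this page).
KNOWN_ACTIONS = {"connection", "data", "login", "query"}

def validate_event(raw):
    """Parse one POSTed body; raise ValueError (answer HTTP 400) on non-JSON
    input or an unknown action, so junk is never forwarded to the SOC."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    action = event.get("action") if isinstance(event, dict) else None
    if action not in KNOWN_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return event

def fan_out(event, sinks):
    """Deliver one event to every sink callable. A failing sink is logged and
    skipped rather than aborting the loop. Returns the number of successes."""
    delivered = 0
    for sink in sinks:
        try:
            sink(event)
            delivered += 1
        except Exception as exc:
            logging.error("sink %r failed: %s", sink, exc)
    return delivered

def file_sink(path):
    """Sink: append each event as one JSON line, which a log shipper can tail."""
    def write(event):
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, separators=(",", ":")) + "\n")
    return write

def syslog_sink(address=("127.0.0.1", 514)):
    """Sink (assumed layout): forward each event over UDP syslog, with login
    attempts at WARNING and everything else at INFO."""
    log = logging.getLogger("trapster-collector")  # assumed logger name
    log.setLevel(logging.INFO)
    log.addHandler(logging.handlers.SysLogHandler(address=address))
    def send(event):
        level = logging.WARNING if event["action"] == "login" else logging.INFO
        log.log(level, json.dumps(event, separators=(",", ":")))
    return send
```

Wire `sinks = [file_sink("trapster-events.jsonl"), syslog_sink()]` into the HTTP handler that receives the honeypot's POSTs, and point the `api` output at that endpoint.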
What gets forwarded
Enterprise integrations receive incidents (and optionally raw events, depending on the webhook action). Payloads follow the incident API schema: source IP, service, category, device, namespace, timestamps, and description. Webhook and syslog consumers receive structured JSON or CEF derived from that schema.
Community loggers emit per-connection events with the actions `connection`, `data`, `login`, and `query`. See Event types for the full reference and JSON examples.
