Syslog & File Logging

Trapster can send alerts to syslog receivers. Community Edition configures logging in trapster.conf; Enterprise configures syslog from the dashboard.

Enterprise Edition

Configure syslog from Settings > Integrations > Syslog. You can add multiple destinations.

| Field | Description |
| --- | --- |
| Host | IP or hostname of your syslog receiver |
| Port | Receiver port (default 514) |
| Protocol | UDP or TCP |
| Severity | Syslog severity level (0–10) |
| TLS | Enable for TCP with TLS |

Trapster sends incidents and events in CEF (Common Event Format), not raw JSON. This works with Splunk, Elastic, Graylog, QRadar, Wazuh, and Microsoft Sentinel when the collector is configured to parse CEF.

Use Send test from the syslog row menu to verify connectivity.

Community Edition

Community Edition logging is configured in the logger block of trapster.conf. Two independent axes:

| Axis | Options | Description |
| --- | --- | --- |
| format | default, ecs | How events are structured |
| output | terminal, file, api, redis | Where events are sent |

Combine them freely, for example default JSON to terminal, default JSON to an API endpoint, or ECS to a file. See Alerting overview for the full channel list.

Only one output channel is active at a time. To fan out to multiple destinations, point api at a collector or run a log shipper on a file output.

Event types

Each module can emit up to four event actions. They appear in the logtype field as <protocol>.<action> (for example ftp.login, dns.query):

| Action | Meaning |
| --- | --- |
| connection | A connection was made to the module |
| data | Raw payload received (hex-encoded in the data field) |
| login | Authentication attempt |
| query | Processed protocol request that is not an authentication attempt |

The HTTP/HTTPS modules map requests to login or query events depending on the method and body content. See each detection service guide for protocol-specific behavior.

Default format

The original Trapster JSON structure:

```json
{
  "device": "trapster-1",
  "logtype": "ftp.login",
  "dst_ip": "10.0.0.10",
  "dst_port": 21,
  "src_ip": "10.0.0.50",
  "src_port": 49152,
  "timestamp": "2026-05-08 10:00:00.123456",
  "data": "68656c6c6f",
  "extra": {
    "username": "admin",
    "password": "admin"
  }
}
```

ECS format

Elastic Common Schema with protocol details under trapster.<protocol>.*:

```json
{
  "@timestamp": "2026-05-08T10:00:00.123456Z",
  "ecs": { "version": "8.11.0" },
  "event": {
    "category": ["authentication", "network"],
    "type": ["start", "info"],
    "action": "login",
    "outcome": "failure",
    "dataset": "trapster.ftp"
  },
  "network": {
    "transport": "tcp",
    "protocol": "ftp",
    "application": "ftp",
    "type": "ipv4"
  },
  "trapster": {
    "raw": "68656c6c6f",
    "login": {
      "username": "admin",
      "password": "admin"
    },
    "ftp": {}
  }
}
```

Set "format": "ecs" in the logger block. Optional kwargs: ecs_version (default 8.11.0), observer_name (default Trapster).

Configuration examples

Default JSON → terminal

```json
"logger": {
  "output": "terminal",
  "format": "default",
  "kwargs": {}
}
```

ECS → API

```json
"logger": {
  "output": "api",
  "format": "ecs",
  "kwargs": {
    "url": "https://example.local/ingest",
    "headers": {
      "Authorization": "Bearer <token>"
    }
  }
}
```

See API & Redis forwarding for more API and Redis examples.

Default JSON → file

```json
"logger": {
  "output": "file",
  "format": "default",
  "kwargs": {
    "logfile": "/var/log/trapster-community.log",
    "mode": "a"
  }
}
```

| Option | Description |
| --- | --- |
| logfile | Absolute path to the log file |
| mode | `a` to append (default), `w+` to truncate on start |

NDJSON files are directly ingestible by most SIEM agents (Elastic Agent, Splunk UF, Filebeat, and similar).
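The file output above is one default-format event per line, so a few lines of Python are enough to triage it before (or instead of) shipping it to a SIEM. The following added example is not part of Trapster; it parses constructed sample lines in the default format shown earlier, splits logtype into protocol and action, decodes the hex-encoded data field, counts login attempts per source IP, and skips malformed lines instead of aborting.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Trapster's default NDJSON file output (one event per line);
# the last line is deliberately malformed to exercise the error path.
SAMPLE_NDJSON = """\
{"device": "trapster-1", "logtype": "ftp.login", "dst_ip": "10.0.0.10", "dst_port": 21, "src_ip": "10.0.0.50", "src_port": 49152, "timestamp": "2026-05-08 10:00:00.123456", "data": "68656c6c6f", "extra": {"username": "admin", "password": "admin"}}
{"device": "trapster-1", "logtype": "ftp.login", "dst_ip": "10.0.0.10", "dst_port": 21, "src_ip": "10.0.0.50", "src_port": 49153, "timestamp": "2026-05-08 10:00:01.000000", "data": "", "extra": {"username": "root", "password": "toor"}}
{"device": "trapster-1", "logtype": "dns.query", "dst_ip": "10.0.0.10", "dst_port": 53, "src_ip": "10.0.0.51", "src_port": 50000, "timestamp": "2026-05-08 10:00:02.000000", "data": "", "extra": {}}
{"device": "trapster-1", "logtype": "ftp.connection", "dst_ip": "10.0.0.10", "dst_port": 21, "src_ip": "10.0.0.52", "src_port": 50100, "timestamp": "2026-05-08 10:00:03.000000", "data": "", "extra": {}}
this line is not JSON
"""


def parse_event(line):
    # Returns a normalised event, or None if the line is not valid JSON.
    try:
        raw = json.loads(line)
    except json.JSONDecodeError:
        return None
    # logtype is "<protocol>.<action>", e.g. "ftp.login" -> ("ftp", "login").
    protocol, _, action = raw.get("logtype", "").partition(".")
    # The data field is hex-encoded; decode it, but keep the raw value if it is not valid hex.
    try:
        payload = bytes.fromhex(raw.get("data", "")).decode("utf-8", "replace")
    except ValueError:
        payload = raw.get("data", "")
    return {
        "protocol": protocol,
        "action": action,
        "src_ip": raw.get("src_ip"),
        "payload": payload,
        "extra": raw.get("extra") or {},
    }


def summarise(ndjson_text):
    # Counts login attempts per source IP, collects usernames tried, and reports skipped lines.
    logins = Counter()
    usernames = defaultdict(set)
    skipped = 0
    for line in ndjson_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            skipped += 1
            continue
        if ev["action"] == "login":
            logins[ev["src_ip"]] += 1
            if "username" in ev["extra"]:
                usernames[ev["src_ip"]].add(ev["extra"]["username"])
    return {"logins": dict(logins), "usernames": {ip: sorted(n) for ip, n in usernames.items()}, "skipped": skipped}
```

Point summarise at the contents of the logfile configured in the file output to get the same summary over live data.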

Retrocompatibility

Older configs using name + kwargs still work:

```json
"logger": {
  "name": "JsonLogger",
  "kwargs": {}
}
```

Legacy logger names: JsonLogger, FileLogger, ApiLogger, RedisLogger, EcsLogger.

Stdout (terminal)

Capture the stream with your container runtime or systemd journal:

```bash
# Docker
docker compose logs -f

# systemd
journalctl -u trapster-community -f
```

Use the configuration wizard to set output and format interactively.