Syslog & File Logging
Trapster can send alerts to syslog receivers. Community Edition configures logging in trapster.conf; Enterprise configures syslog from the dashboard.
Enterprise Edition
Configure syslog from Settings > Integrations > Syslog. You can add multiple destinations.
| Field | Description |
|---|---|
| Host | IP or hostname of your syslog receiver |
| Port | Receiver port (default 514) |
| Protocol | UDP or TCP |
| Severity | Syslog severity level (0–7, emergency through debug, per RFC 5424) |
| TLS | Enable to wrap the TCP connection in TLS (not applicable to UDP) |
Trapster sends incidents and events in CEF (Common Event Format), not raw JSON. This works with Splunk, Elastic, Graylog, QRadar, Wazuh, and Microsoft Sentinel when the collector is configured to parse CEF.
Use Send test from the syslog row menu to verify connectivity.
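Before pointing a SIEM at the receiver it is worth confirming that a Send test actually arrives and parses. The following is an added example written for this page, not Trapster's own code: a minimal UDP syslog listener with a CEF parser that honours both escaping rules (`\|` and `\\` in the header; `\=` and `\\` in the extension). SAMPLE_LINE is a constructed RFC 3164-style message; its vendor, product, signature ID and extension keys are illustrative assumptions and are not Trapster's actual CEF field mapping. Port 5514 is an arbitrary unprivileged choice; TLS is not covered.

```python
import re
import socketserver

CEF_PREFIX = "CEF:"

# Constructed sample, not captured from Trapster. PRI 134 = facility 16 (local0), severity 6 (info).
# Field names follow the CEF spec (src, spt, dst, dpt, suser, msg); the values are made up.
SAMPLE_LINE = (
    r"<134>May  8 10:00:00 trapster-1 CEF:0|Trapster|Trapster|1.0|ftp.login|"
    r"FTP login attempt|5|src=10.0.0.50 spt=49152 dst=10.0.0.10 dpt=21 "
    r"suser=admin msg=password\=admin"
)


def split_header(cef):
    # The seven header fields are separated by '|'; inside them '\|' and '\\' are
    # escapes. Everything after the seventh '|' is the extension and is returned
    # raw, because the extension uses its own escaping ('\=' and '\\').
    fields, cur, i = [], [], 0
    while i < len(cef):
        c = cef[i]
        if c == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:
                fields.append(cef[i:])
                return fields
            continue
        cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields


def unescape_ext(value):
    # Extension values escape '=' and '\' with a backslash; \n and \r are line breaks.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "=\\":
                out.append(nxt)
                i += 2
                continue
            if nxt in "nr":
                out.append("\n" if nxt == "n" else "\r")
                i += 2
                continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_extension(ext):
    # A key is a word token at the start or after whitespace, followed by '='.
    # A value runs until the next key, so values may contain spaces and escaped '='.
    result = {}
    keys = list(re.finditer(r"(?:^|\s)([\w.]+)=", ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = unescape_ext(ext[m.end():end])
    return result


def parse_syslog_cef(line):
    # Optional RFC 3164 <PRI> prefix: facility = PRI // 8, severity = PRI % 8.
    m = re.match(r"<(\d{1,3})>", line)
    pri = int(m.group(1)) if m else None
    idx = line.find(CEF_PREFIX)
    if idx < 0:
        raise ValueError("no CEF payload in message")
    fields = split_header(line[idx + len(CEF_PREFIX):])
    if len(fields) < 7:
        raise ValueError("truncated CEF header: %d fields" % len(fields))
    return {
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "cef_version": fields[0],
        "vendor": fields[1],
        "product": fields[2],
        "device_version": fields[3],
        "signature_id": fields[4],
        "name": fields[5],
        "cef_severity": fields[6],
        "ext": parse_extension(fields[7] if len(fields) > 7 else ""),
    }


class CEFHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # For UDP servers self.request is (datagram, socket); one datagram is one message.
        data = self.request[0].decode("utf-8", "replace").rstrip("\r\n")
        try:
            print(parse_syslog_cef(data))
        except ValueError as exc:
            print("unparsed message from %s: %s" % (self.client_address[0], exc))


if __name__ == "__main__":
    # Unprivileged port so no root is needed: set the destination's Host to this
    # machine, Port to 5514, Protocol to UDP, then click Send test.
    with socketserver.UDPServer(("0.0.0.0", 5514), CEFHandler) as server:
        server.serve_forever()
```

Run it, trigger Send test, and the parsed dictionary should appear within a second; if nothing arrives, check host firewalls and that the dashboard's Protocol matches the listener (this example only binds UDP).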
Community Edition
Community Edition logging is configured in the logger block of trapster.conf. Two independent axes:
| Axis | Options | Description |
|---|---|---|
| format | default, ecs | How events are structured |
| output | terminal, file, api, redis | Where events are sent |
Combine them freely, for example default JSON to terminal, default JSON to an API endpoint, or ECS to a file. See Alerting overview for the full channel list.
Only one output channel is active at a time. To fan out to multiple destinations, point api at a collector or run a log shipper on a file output.
Event types
Each module can emit up to four event actions. They appear in the logtype field as <protocol>.<action> (for example ftp.login, dns.query):
| Action | Meaning |
|---|---|
connection | A connection was made to the module |
data | Raw payload received (hex-encoded in the data field) |
login | Authentication attempt |
query | Processed protocol request that is not an authentication attempt |
HTTP/HTTPS map requests to login or query events depending on method and body content. See each detection service guide for protocol-specific behavior.
Default format
The original Trapster JSON structure:
```json
{
  "device": "trapster-1",
  "logtype": "ftp.login",
  "dst_ip": "10.0.0.10",
  "dst_port": 21,
  "src_ip": "10.0.0.50",
  "src_port": 49152,
  "timestamp": "2026-05-08 10:00:00.123456",
  "data": "68656c6c6f",
  "extra": {
    "username": "admin",
    "password": "admin"
  }
}
```
ECS format
Elastic Common Schema with protocol details under trapster.<protocol>.*:
```json
{
  "@timestamp": "2026-05-08T10:00:00.123456Z",
  "ecs": { "version": "8.11.0" },
  "event": {
    "category": ["authentication", "network"],
    "type": ["start", "info"],
    "action": "login",
    "outcome": "failure",
    "dataset": "trapster.ftp"
  },
  "network": {
    "transport": "tcp",
    "protocol": "ftp",
    "application": "ftp",
    "type": "ipv4"
  },
  "trapster": {
    "raw": "68656c6c6f",
    "login": {
      "username": "admin",
      "password": "admin"
    },
    "ftp": {}
  }
}
```
Set "format": "ecs" in the logger block. Optional kwargs: ecs_version (default 8.11.0), observer_name (default Trapster).
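The two samples above are the same event in both shapes, which makes the mapping easy to pin down: logtype splits into event.dataset and event.action, data becomes trapster.raw, and extra moves under trapster.login. The following added example (written for this page, not Trapster's own logger code) applies that mapping to default-format events so that NDJSON files written before switching to ECS can be normalised. Everything the page does not show is an assumption and marked as such in the code: the category/type values for connection, data and query actions, UDP transport for dns, the timestamp being UTC, and the source, destination and observer fields, which are standard ECS fields the page's sample omits.

```python
import ipaddress
import json
from datetime import datetime

ECS_VERSION = "8.11.0"

# Constructed sample in the default format (same values as the page's example).
SAMPLE_DEFAULT = {
    "device": "trapster-1",
    "logtype": "ftp.login",
    "dst_ip": "10.0.0.10",
    "dst_port": 21,
    "src_ip": "10.0.0.50",
    "src_port": 49152,
    "timestamp": "2026-05-08 10:00:00.123456",
    "data": "68656c6c6f",
    "extra": {"username": "admin", "password": "admin"},
}
SAMPLE_NDJSON = json.dumps(SAMPLE_DEFAULT) + "\n" + json.dumps(
    dict(SAMPLE_DEFAULT, logtype="dns.query", dst_port=53, src_ip="2001:db8::1",
         data="", extra={"qname": "example.com"})
) + "\n\n"

# ASSUMPTION: only the login row is confirmed by the page's ECS sample. The other
# rows use ECS-allowed category/type values chosen here, not Trapster's actual mapping.
ACTION_MAP = {
    "login": (["authentication", "network"], ["start", "info"]),
    "connection": (["network"], ["connection", "start"]),
    "data": (["network"], ["info"]),
    "query": (["network"], ["protocol", "info"]),
}
UDP_PROTOCOLS = {"dns"}  # ASSUMPTION: every other module is taken to be TCP


def to_ecs_timestamp(ts):
    # Default format is "YYYY-MM-DD HH:MM:SS.ffffff" with no zone; ASSUMED to be UTC.
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: %r" % ts)


def default_to_ecs(ev, observer_name="Trapster"):
    protocol, _, action = ev["logtype"].partition(".")
    if action not in ACTION_MAP:
        raise ValueError("unknown action in logtype %r" % ev["logtype"])
    category, etype = ACTION_MAP[action]
    event = {"category": category, "type": etype, "action": action,
             "dataset": "trapster." + protocol}
    trapster = {"raw": ev.get("data", ""), protocol: {}}
    if action == "login":
        event["outcome"] = "failure"          # a honeypot never grants access
        trapster["login"] = ev.get("extra", {})
    else:
        trapster[protocol] = ev.get("extra", {})  # ASSUMPTION: protocol details land here
    return {
        "@timestamp": to_ecs_timestamp(ev["timestamp"]),
        "ecs": {"version": ECS_VERSION},
        "event": event,
        # The page's sample omits these; they are standard ECS fields added here.
        "observer": {"name": observer_name, "hostname": ev.get("device")},
        "source": {"ip": ev["src_ip"], "port": ev["src_port"]},
        "destination": {"ip": ev["dst_ip"], "port": ev["dst_port"]},
        "network": {
            "transport": "udp" if protocol in UDP_PROTOCOLS else "tcp",
            "protocol": protocol,
            "application": protocol,
            "type": "ipv6" if ipaddress.ip_address(ev["src_ip"]).version == 6 else "ipv4",
        },
        "trapster": trapster,
    }


def convert_ndjson(text):
    # One default-format object per line in, one ECS object per line out; blank lines skipped.
    return [json.dumps(default_to_ecs(json.loads(line)))
            for line in text.splitlines() if line.strip()]


def demo():
    return convert_ndjson(SAMPLE_NDJSON)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Because a stale transport or category value is easy to miss once the data is in a SIEM, keep the assumption table in one place and compare a converted event against one written natively with "format": "ecs" before relying on the converter.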
Configuration examples
Default JSON → terminal
```json
"logger": {
  "output": "terminal",
  "format": "default",
  "kwargs": {}
}
```
ECS → API
```json
"logger": {
  "output": "api",
  "format": "ecs",
  "kwargs": {
    "url": "https://example.local/ingest",
    "headers": {
      "Authorization": "Bearer <token>"
    }
  }
}
```
See API & Redis forwarding for more API and Redis examples.
Default JSON → file
```json
"logger": {
  "output": "file",
  "format": "default",
  "kwargs": {
    "logfile": "/var/log/trapster-community.log",
    "mode": "a"
  }
}
```
| Option | Description |
|---|---|
| logfile | Absolute path to the log file |
| mode | a to append (default), w+ to truncate on start |
NDJSON files are directly ingestible by most SIEM agents (Elastic Agent, Splunk UF, Filebeat, and similar).
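A shipper tailing the file sees one JSON object per line, and while Trapster is appending the last line may be incomplete for a moment, so a reader should skip what it cannot parse rather than stop. The following added example (written for this page, not Trapster's own tooling) reads a default-format NDJSON log, tolerates a truncated trailing line, decodes the hex-encoded data field described under Event types, and tallies login attempts per source to flag credential-guessing sources. SAMPLE_LOG is constructed content, not captured honeypot output, and the threshold of three attempts is an arbitrary choice.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed log content (not real honeypot output). The final line is deliberately
# cut off to mimic reading a file Trapster is still appending to ("mode": "a").
SAMPLE_LOG = "\n".join([
    '{"device": "trapster-1", "logtype": "ssh.connection", "dst_ip": "10.0.0.10", "dst_port": 22, "src_ip": "198.51.100.7", "src_port": 40001, "timestamp": "2026-05-08 10:00:00.000001", "data": "", "extra": {}}',
    '{"device": "trapster-1", "logtype": "ssh.login", "dst_ip": "10.0.0.10", "dst_port": 22, "src_ip": "198.51.100.7", "src_port": 40001, "timestamp": "2026-05-08 10:00:01.000002", "data": "", "extra": {"username": "root", "password": "toor"}}',
    '{"device": "trapster-1", "logtype": "ssh.login", "dst_ip": "10.0.0.10", "dst_port": 22, "src_ip": "198.51.100.7", "src_port": 40001, "timestamp": "2026-05-08 10:00:02.000003", "data": "", "extra": {"username": "root", "password": "123456"}}',
    '{"device": "trapster-1", "logtype": "ssh.login", "dst_ip": "10.0.0.10", "dst_port": 22, "src_ip": "198.51.100.7", "src_port": 40002, "timestamp": "2026-05-08 10:00:03.000004", "data": "", "extra": {"username": "admin", "password": "admin"}}',
    '{"device": "trapster-1", "logtype": "ftp.data", "dst_ip": "10.0.0.10", "dst_port": 21, "src_ip": "203.0.113.9", "src_port": 51000, "timestamp": "2026-05-08 10:01:00.000005", "data": "68656c6c6f", "extra": {}}',
    '{"device": "trapster-1", "logtype": "ftp.login", "dst_ip": "10.0.0.10", "dst_port": 21, "src_ip": "203.0.113.9", "src_port": 51000, "timestamp": "2026-05-08 10:01:01.000006", "data": "", "extra": {"username": "anonymous", "password": "guest"}}',
    '{"device": "trapster-1", "logtype": "ftp.login", "dst_ip": "10.0.0.10", "dst_p',
])


def iter_events(text):
    # Parse NDJSON; return (events, line numbers that failed to parse). A failed
    # trailing line is normal mid-write and should be retried on the next read.
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(lineno)
    return events, bad


def decode_payload(ev):
    # The data field is the raw payload, hex-encoded; unprintable bytes stay escaped.
    return bytes.fromhex(ev.get("data") or "").decode("utf-8", "backslashreplace")


def summarise_logins(events, threshold=3):
    # Count login events per source IP and record the (protocol, username, password)
    # triples tried; sources at or above the threshold are brute-force candidates.
    attempts = Counter()
    creds = defaultdict(Counter)
    for ev in events:
        protocol, _, action = ev.get("logtype", "").partition(".")
        if action != "login":
            continue
        extra = ev.get("extra") or {}
        attempts[ev["src_ip"]] += 1
        creds[ev["src_ip"]][(protocol, extra.get("username"), extra.get("password"))] += 1
    return {
        "attempts": dict(attempts),
        "credentials": {ip: dict(c) for ip, c in creds.items()},
        "flagged": sorted(ip for ip, n in attempts.items() if n >= threshold),
    }


if __name__ == "__main__":
    # Usage: python this.py /var/log/trapster-community.log  (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    events, bad = iter_events(text)
    print("parsed %d events, skipped lines %s" % (len(events), bad))
    for ev in events:
        if ev.get("data"):
            print(ev["logtype"], ev["src_ip"], repr(decode_payload(ev)))
    print(summarise_logins(events))
```

The per-source counting is deliberately simple: a honeypot receives no legitimate logins, so even a low threshold is meaningful there, which is not true of production authentication logs.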
Retrocompatibility
Older configs using name + kwargs still work:
```json
"logger": {
  "name": "JsonLogger",
  "kwargs": {}
}
```
Legacy logger names: JsonLogger, FileLogger, ApiLogger, RedisLogger, EcsLogger.
Stdout (terminal)
Capture the stream with your container runtime or systemd journal:
```shell
# Docker
docker compose logs -f
# systemd
journalctl -u trapster-community -f
```
Use the configuration wizard to set output and format interactively.
