
Alert Troubleshooting

I am not receiving alerts

Enterprise Edition

  1. Go to Settings > Integrations and verify your channel is enabled
  2. Check that the destination (email, webhook URL, syslog host) is correct
  3. Check Settings > Audit Logs to see if a recent configuration change may have affected alerting
  4. Confirm incidents appear on the Incidents page. If they do, the issue is with the outbound integration, not detection

Community Edition

Check that your logger is configured correctly and Trapster is running:

```bash
# Verify the process is running
# (the [t] bracket keeps grep from matching its own command line)
ps aux | grep '[t]rapster'

# Check logs
docker compose logs -f
# or
journalctl -u trapster-community -f
```

For APILogger, test the endpoint manually:

```bash
curl -X POST https://your-endpoint/api/v1/event/ \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"test": true}'
```

Webhook delivery failures

In the dashboard, webhook delivery attempts and errors are shown in the webhook settings. Common causes:

  • The receiving endpoint is unreachable from the Trapster infrastructure
  • The endpoint returned a non-2xx response - check the endpoint logs
  • The webhook URL expired (Teams workflows can expire - regenerate the webhook URL)
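As an added example (not part of the Trapster documentation), the script below wraps the manual curl test shown for APILogger and maps the outcome to the common causes listed here. The function names and the `ENDPOINT_URL` / `API_TOKEN` variables are assumptions; run from your own machine, it checks the endpoint and token, not reachability from the Trapster infrastructure.

```shell
#!/usr/bin/env bash
# Added example: probe an alert endpoint and explain the result.
# ENDPOINT_URL and API_TOKEN are placeholders supplied by the caller.

# Map curl's exit code and the HTTP status code to a likely cause.
classify_delivery() {
  local curl_rc="$1" http_code="$2"
  case "$curl_rc" in
    0)  ;;  # transfer completed; inspect the HTTP status below
    6)  echo "unreachable: DNS lookup failed"; return 1 ;;
    7)  echo "unreachable: connection refused or blocked"; return 1 ;;
    28) echo "unreachable: request timed out"; return 1 ;;
    35|60) echo "tls: handshake or certificate check failed"; return 1 ;;
    *)  echo "curl error $curl_rc"; return 1 ;;
  esac
  case "$http_code" in
    2??)     echo "ok: endpoint accepted the request ($http_code)"; return 0 ;;
    401|403) echo "rejected: check the bearer token ($http_code)"; return 1 ;;
    404|410) echo "rejected: URL not found or gone, it may have expired ($http_code)"; return 1 ;;
    *)       echo "rejected: non-2xx response, check the endpoint logs ($http_code)"; return 1 ;;
  esac
}

# Send the same test POST as the manual check, keeping only the status code.
probe_endpoint() {
  local url="$1" token="$2" code rc=0
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    -X POST "$url" \
    -H "Authorization: Bearer $token" \
    -H "Content-Type: application/json" \
    -d '{"test": true}') || rc=$?
  classify_delivery "$rc" "$code"
}

# Usage: ENDPOINT_URL=https://your-endpoint/api/v1/event/ API_TOKEN=<token> ./probe.sh
if [ -n "${ENDPOINT_URL:-}" ]; then
  probe_endpoint "$ENDPOINT_URL" "${API_TOKEN:-}"
fi
```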

Duplicate alerts

If you receive duplicate alerts:

  • Check that you have not configured both Syslog and APILogger pointing at the same destination
  • For Enterprise, ensure a single notification channel is configured per destination

A breadcrumb incident only fires when the attacker uses the credential, not when they read the file. If you see no breadcrumb incidents:

  • Confirm the breadcrumb was deployed correctly (follow the installation steps for the specific type)
  • Test by attempting to connect to the Trapster service using the generated credential from a test machine
  • Verify the Trapster is online and syncing on the Trapsters page
  • Check the Incidents page; breadcrumb triggers appear alongside other incident types