How It Works

Learn about the different ways to generate and send logs to your security platform

Logs from the Catalog or your uploads are processed: events are extracted, normalized, and converted to the format your destination expects. They are then sent directly to your configured security platform—no agents or ingestion endpoints required. See Supported Log Types for accepted formats.

Logcannon

Catalog / Upload → Process & Transform → Destination

On-demand. No agents. Direct to your configured destination.

Traditional

Endpoints / Apps → Agents / Collectors → Ingestion Endpoint → Destination

Real-time stream. Requires agents and an ingestion pipeline.

Destination compatibility

Log format fidelity may differ depending on your destination's compatibility. See Supported Destinations for details.

Catalog

Browse and use pre-populated log samples from trusted sources. See Catalog Sources for the list of repositories. The Catalog provides access to a curated collection of real-world log samples that are pre-processed and ready for use in your security platform.

How it works

  1. Browse the catalog to find log samples by type, MITRE ATT&CK® tactic or technique, or search terms
  2. Select a log entry to view its metadata (event count, file size, description)
  3. Configure your destination settings
  4. Submit the log for processing - it will be sent directly to your security platform
  5. Track the processing status and view results in your security platform

Note

Catalog logs are stored in cloud storage and processed on-demand. No file upload is required - simply select a log and configure your destination.

Insert

Upload your own log files for processing and analysis. The Insert feature allows you to upload log files for processing and sending to your security platform. This is useful for testing detections with logs from your own environment.

How it works

  1. Upload a log file from your local system
  2. Configure your destination settings
  3. The file is securely uploaded and processed
  4. Events are extracted, normalized, and sent to your configured security platform
  5. Monitor processing status and verify logs appear in your security platform

Supported formats

Files are processed automatically to the appropriate format for your destination. See Supported Log Types for accepted formats.

Common Workflow

Regardless of which method you use, the general workflow is the same:

  1. Configure your destination in Settings (see Configuration)
  2. Select or create your log source (Catalog or Upload)
  3. Submit for processing
  4. Monitor the job status
  5. Verify logs appear in your security platform
  6. Test your detections and queries