Admin Guide: Accessing Logster
Once the stack is running (see Installation), Logster exposes several user-facing interfaces on different ports. This page is the cheat sheet for what lives at each URL, who should use it, and what credentials it expects.
Interface summary
| Interface | URL | Audience | Credentials |
|---|---|---|---|
| Logster Dashboard | http://localhost:5001 | SOC analysts | None by default (DISABLE_AUTH=true) |
| REST API | http://localhost:8080 | Integrations, automation, analysts using curl | None by default |
| REST API — Swagger UI | http://localhost:8080/docs | API developers | None |
| REST API — OpenAPI JSON | http://localhost:8080/openapi.json | SDK generators, API tooling | None |
| Grafana | http://localhost:3000 | Operators monitoring service health | admin / logster |
| Kibana | http://localhost:5601 | Detection engineers exploring raw events | None |
| Prometheus | http://localhost:9090 | Operators debugging metrics scrapes | None |
| Tempo (via Grafana) | http://localhost:3000 → Explore → Tempo | Operators debugging distributed traces | admin / logster |
Logster Dashboard
The primary analyst UI. Reads directly from the logster-events and
logster-inferences Elasticsearch indices and renders host cards,
attack timelines, inference detail, process trees, endpoint insights,
and MITRE TTP distributions.
- URL: http://localhost:5001
- Default credentials: none. Authentication is disabled in the Compose stack via `DISABLE_AUTH=true`. See Authentication for how to change this.
For the full analyst walkthrough, see the Dashboard User Guide.
> [!TIP]
> The dashboard container listens on port 5000 internally but is published to host port 5001. If you see an error like "cannot reach http://localhost:5000", update your bookmark: the correct URL is always http://localhost:5001.
REST API
The Logster REST API runs as a FastAPI service on port 8080. It
exposes a small set of endpoints for listing alerts, transitioning
alert status, and recording analyst verdicts.
- URL: http://localhost:8080
- Health check: `curl http://localhost:8080/health`
- Interactive docs: http://localhost:8080/docs
- OpenAPI JSON: http://localhost:8080/openapi.json
For full endpoint-by-endpoint documentation, see the API User Guide.
> [!WARNING]
> The default build has no authentication on the API. Do not expose port 8080 to any untrusted network without first putting an auth-enforcing reverse proxy in front of it. See the Security Guide: Configuration.
Grafana
Pre-provisioned dashboards over Prometheus metrics from every Python service.
- URL: http://localhost:3000
- Username: `admin`
- Password: `logster`
Anonymous access is enabled by default (GF_AUTH_ANONYMOUS_ENABLED=true
in deploy/docker-compose.yml), so you
can view dashboards without signing in — signing in is only required to
edit dashboards or change settings.
Use Grafana to watch:
- `inferences_run` — GNN runs per second
- `active_endpoints` — endpoints with an active sliding window
- `inference_time_ms` — per-run GNN latency
- `alerts_created` — new alerts per second
- `deduplicated` — merged-by-dedup count
For the full metric list, see Daily Operations: Observability.
> [!IMPORTANT]
> Change the default Grafana password before exposing the stack to any shared environment. Update `GF_SECURITY_ADMIN_PASSWORD` in deploy/docker-compose.yml.
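The two callouts on this page (the unauthenticated dashboard and API defaults, and the default Grafana password) boil down to a handful of Compose settings that must change before the stack leaves a developer's machine. Here is an added example, not part of Logster, of a pre-exposure check over deploy/docker-compose.yml; it assumes the settings appear as plain `KEY=value` or `KEY: value` lines, and the embedded compose text is a constructed sample, not the project's real file:

```python
"""Pre-exposure check for the Compose defaults this page documents (a
hypothetical helper, not part of Logster): flags settings still at dev values."""
import re
import sys
# Settings named on this page, each with the predicate that marks the dev default.
WEAK_DEFAULTS = {
    "DISABLE_AUTH": lambda v: v.lower() == "true",
    "GF_AUTH_ANONYMOUS_ENABLED": lambda v: v.lower() == "true",
    "GF_SECURITY_ADMIN_PASSWORD": lambda v: v == "logster",
}

# Matches both compose environment styles, `- KEY=value` and `KEY: value`,
# with optional quoting and a trailing `# comment`. Plain line scan, no YAML parser.
_ENV_LINE = re.compile(
    r'^\s*-?\s*["\']?([A-Z][A-Z0-9_]*)\s*[=:]\s*["\']?([^"\'#]*?)["\']?\s*(?:#.*)?$'
)

def collect_env(compose_text):
    """Return {KEY: value} for every checked key found in the compose text."""
    found = {}
    for line in compose_text.splitlines():
        m = _ENV_LINE.match(line)
        if m and m.group(1) in WEAK_DEFAULTS:
            found[m.group(1)] = m.group(2).strip()
    return found

def find_weak_settings(compose_text):
    """Return the sorted keys still at a value this page says to change."""
    env = collect_env(compose_text)
    return sorted(k for k, is_weak in WEAK_DEFAULTS.items()
                  if k in env and is_weak(env[k]))

# Constructed sample, not the real deploy/docker-compose.yml; it mirrors the
# defaults listed on this page so the check has something to flag.
SAMPLE_COMPOSE = """\
services:
  dashboard:
    environment:
      - DISABLE_AUTH=true
  grafana:
    environment:
      GF_AUTH_ANONYMOUS_ENABLED: "true"
      GF_SECURITY_ADMIN_PASSWORD: logster   # change before exposing
"""
if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_COMPOSE
    weak = find_weak_settings(text)
    for key in weak:
        print(f"WEAK: {key} is still at its development default")
    sys.exit(1 if weak else 0)
```

Run it as `python check_compose.py deploy/docker-compose.yml` in CI or a pre-deploy hook; a non-zero exit means at least one of the documented defaults is still in place.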
Kibana
Free-form exploration of the two Elasticsearch indices Logster writes.
- URL: http://localhost:5601
- Indices to explore: `logster-events`, `logster-inferences`
- Credentials: none (ES security is disabled in the dev stack).
Analysts use Kibana when they need to search across raw events in ways the dashboard does not expose — for example, full-text search across command lines, or pivoting from an IP address to every endpoint that communicated with it.
Prometheus
The raw metrics backend that feeds Grafana.
- URL: http://localhost:9090
- Scrape config: deploy/prometheus.yml
Use Prometheus directly when you need to debug why a metric is not
showing up in Grafana — the Targets page under "Status" tells you
which services are successfully being scraped.
Distributed tracing (Tempo)
Every Python service emits OTLP traces through the in-stack OpenTelemetry Collector, which forwards them to Tempo.
- Tempo: http://localhost:3200 (query API, not a UI)
- Accessing traces: Grafana → Explore → choose the "Tempo" data source
Use traces when a request-path question ("why did this alert take 12 seconds to fire?") does not answer itself from metrics alone.
Summary
| I want to... | Go here |
|---|---|
| Investigate an alert | Dashboard |
| List alerts from a script | REST API /alerts |
| Watch service metrics | Grafana |
| Explore raw Sysmon / auditd events | Kibana |
| Debug a scrape target | Prometheus |
| Trace a slow request | Grafana → Explore → Tempo |
Next steps
- Authentication — put real auth in front of the dashboard and API.
- Daily Operations — day-to-day runbook.
- Dashboard User Guide — if you are a SOC analyst.