
Kafka Topic Sample Messages

This document contains a sample message from each Kafka topic used in the Logster pipeline.


1. sysmon-logs

Source: Windows endpoints via Winlogbeat (Sysmon events). Partitions: 6.

{
  "@timestamp": "2026-03-18T19:07:15.560Z",
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "8.17.0"
  },
  "winlog": {
    "computer_name": "DESKTOP-1NNIMRR",
    "opcode": "Info",
    "user": {
      "name": "SYSTEM",
      "type": "User",
      "identifier": "S-1-5-18",
      "domain": "NT AUTHORITY"
    },
    "process": {
      "pid": 2440,
      "thread": { "id": 4072 }
    },
    "provider_name": "Microsoft-Windows-Sysmon",
    "task": "Network connection detected (rule: NetworkConnect)",
    "event_data": {
      "SourcePort": "51775",
      "DestinationPort": "443",
      "SourceIsIpv6": "false",
      "SourcePortName": "-",
      "DestinationHostname": "-",
      "Initiated": "true",
      "DestinationPortName": "https",
      "ProcessGuid": "{96d8290c-d08c-69b9-2a07-000000000700}",
      "DestinationIsIpv6": "false",
      "User": "DESKTOP-1NNIMRR\\abdullah",
      "Image": "C:\\Users\\abdullah\\AppData\\Local\\Microsoft\\OneDrive\\26.032.0217.0003_1\\OneDrive.Sync.Service.exe",
      "SourceHostname": "DESKTOP-1NNIMRR",
      "SourceIp": "10.0.0.104",
      "DestinationIp": "104.208.16.88",
      "RuleName": "Usermode",
      "ProcessId": "5940",
      "Protocol": "tcp",
      "UtcTime": "2026-03-18 19:07:13.512"
    },
    "record_id": 15978,
    "api": "wineventlog",
    "event_id": "3",
    "version": 5,
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
  },
  "ecs": { "version": "8.0.0" },
  "agent": {
    "id": "2a833a7b-c356-4be9-ad5f-47b852b21125",
    "name": "DESKTOP-1NNIMRR",
    "type": "winlogbeat",
    "version": "8.17.0",
    "ephemeral_id": "e013ae16-d43d-49f4-b0aa-680f5f129907"
  },
  "event": {
    "action": "Network connection detected (rule: NetworkConnect)",
    "created": "2026-03-18T19:07:16.704Z",
    "code": "3",
    "kind": "event",
    "provider": "Microsoft-Windows-Sysmon"
  },
  "log": { "level": "information" },
  "message": "Network connection detected:\nRuleName: Usermode\nUtcTime: 2026-03-18 19:07:13.512\n...",
  "host": {
    "id": "96d8290c-af9d-41c1-b00a-4b996428677c",
    "ip": ["fe80::d5d4:c2d0:7bdd:f273", "10.0.0.104"],
    "mac": ["BC-24-11-06-ED-B1"],
    "name": "desktop-1nnimrr",
    "hostname": "DESKTOP-1NNIMRR",
    "architecture": "x86_64",
    "os": {
      "platform": "windows",
      "version": "10.0",
      "family": "windows",
      "name": "Windows 10 Pro",
      "kernel": "10.0.19041.6456 (WinBuild.160101.0800)",
      "build": "19045.6466",
      "type": "windows"
    }
  }
}

2. linux-auditd-logs

Source: Linux endpoints via the custom agent (auditd). Partitions: 6.

{
  "@timestamp": "2026-03-20T01:58:10.344285+05:00",
  "host": {
    "name": "agent-linux-01"
  },
  "log_source": "audit",
  "message": "type=PATH msg=audit(1773953890.204:50364): item=0 name=\"/run/systemd/ask-password-block/\" inode=5375 dev=00:1b mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0\u001DOUID=\"root\" OGID=\"root\""
}

3. linux-ebpf-file-logs

Source: Linux endpoints via the custom agent (eBPF file tracer). Partitions: 6.

{
  "@timestamp": "2026-03-20T02:24:27.254181+05:00",
  "host": {
    "name": "agent-linux-01"
  },
  "log_source": "file",
  "message": "2026-03-20 02:24:27 [FILE]    pid=23256   snapd            flags=O_RDONLY   /var/lib/snapd/assertions/asserts-v0/model/16/generic/generic-classic/active"
}

4. linux-ebpf-network-logs

Source: Linux endpoints via the custom agent (eBPF network tracer). Partitions: 6.

{
  "@timestamp": "2026-03-20T02:24:31.785786+05:00",
  "host": {
    "name": "agent-linux-01"
  },
  "log_source": "network",
  "message": "2026-03-20 02:24:31 [CONNECT]  pid=35113   rdk:broker-1     -> 10.0.0.106:29092"
}

5. linux-ebpf-process-logs

Source: Linux endpoints via the custom agent (eBPF process tracer). Partitions: 6.

{
  "@timestamp": "2026-03-20T02:24:50.451492+05:00",
  "host": {
    "name": "agent-linux-01"
  },
  "log_source": "process",
  "message": "2026-03-20 02:24:50 [EXEC]    pid=35747   ppid=33785   uid=1000  bash             /usr/bin/ls"
}

6. normalized-endpoint-events

Source: Normalizer service (the normalized form of the raw logs from topics 1–5). Partitions: 12.

{
  "event_id": "88a75eb22b5d4f7c80454702009ec3b6",
  "tenant_id": "default",
  "endpoint_id": "desktop-1nnimrr",
  "platform": "windows",
  "event_type": "process",
  "timestamp": 1773827772.0,
  "data": {
    "process_guid": "{96d8290c-76bc-69ba-ec08-000000000700}",
    "process_id": 2716,
    "image": "C:\\Windows\\System32\\sc.exe",
    "command_line": "\"C:\\Windows\\system32\\sc.exe\" start wuauserv",
    "user": "NT AUTHORITY\\SYSTEM",
    "parent_guid": "{96d8290c-3826-69b7-1a00-000000000700}",
    "parent_image": "C:\\Windows\\System32\\svchost.exe",
    "parent_command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
    "integrity_level": "System",
    "current_directory": "C:\\Windows\\system32\\",
    "hashes": "MD5=3FB5CF71F7E7EB49790CB0E663434D80,SHA256=41F067C3A11B02FE39947F9EBA68AE5C7CB5BD1872A6009A4CD1506554A9ABA9,IMPHASH=803254E010814E69947095A2725B2AFD"
  },
  "raw_event": { "...": "(original sysmon/auditd/ebpf event)" },
  "metadata": {},
  "source_topic": "sysmon-logs",
  "log_source": "sysmon"
}

7. logster-inference-results

Source: Inference service (ML model prediction results). Partitions: 6.

{
  "inference_id": "2c5c7b21f3c44a94bc3edab36b412dad",
  "tenant_id": "default",
  "endpoint_id": "agent-linux-01",
  "platform": "linux",
  "prediction": "attack",
  "attack_prob": 0.9999529123306274,
  "confidence": 0.9999529123306274,
  "num_nodes": 3828,
  "num_edges": 0,
  "inference_time_ms": 819.56,
  "timestamp": 1774000405.58,
  "window_start": 1774000374.76,
  "window_end": 1774000376.41,
  "event_ids": [
    "d2dc175bed934ecea30eef30df86c74f",
    "849e8c7c4ab34bc9be0f1dfed19a9314",
    "7fc0ecfadd7744fca52080d01846de10",
    "..."
  ]
}

8. logster-alerts

Source: Alerts service (alerts generated from high-confidence inference results). Partitions: 3.

{
  "alert_id": "4de76f0bc24b4e22b3a88cbddb20380d",
  "tenant_id": "default",
  "endpoint_id": "desktop-1nnimrr",
  "severity": "high",
  "status": "open",
  "platform": "windows",
  "attack_prob": 0.8770323991775513,
  "prediction": "attack",
  "confidence": 0.8770323991775513,
  "ttp_techniques": [],
  "ttp_explanation": null,
  "inference_ids": ["dbdcfc44120a4613acc8f65b025960ea"],
  "related_endpoints": [],
  "first_seen": 1774014694.45,
  "last_seen": 1774014694.45,
  "created_at": 1774014694.45,
  "updated_at": 1774014694.45,
  "analyst_notes": "",
  "resolved_by": null,
  "model_name": "",
  "num_nodes": 3,
  "num_edges": 2
}

Pipeline Flow

Raw Ingestion Topics          Processed Topics           Output Topics
─────────────────────         ─────────────────          ──────────────
sysmon-logs            ─┐
linux-auditd-logs       ├──▶ normalized-endpoint-events ──▶ logster-inference-results ──▶ logster-alerts
linux-ebpf-process-logs ┤
linux-ebpf-file-logs    ┤
linux-ebpf-network-logs ┘