What is Logster

Logster is Logster Support's AI-driven endpoint threat detection platform. It ingests security logs from Windows and Linux endpoints, analyzes them with pre-trained graph neural network models, and surfaces MITRE ATT&CK and zero-day attacks in real time — without requiring manual threat hunting or hand-authored correlation rules. Logster Support's product materials describe the detection model as a new GenAI model for threat hunters.

In one sentence:

Raw endpoint logs → Kafka → Normalize → GNN inference → Alerts → Dashboard.


The problem Logster solves

Conventional rule-based SIEMs are struggling against the modern threat landscape:

  • Adaptive, AI-powered attacks change tactics faster than detection engineers can author new rules.
  • Polymorphic malware mutates to obfuscate itself, breaking signature detection entirely.
  • Rule-based SIEM detection is cumbersome — every new technique demands a new rule, and rules decay as environments evolve.
  • SIEMs lack holistic, context-aware analysis — they evaluate events in isolation rather than understanding behaviors across time and across the graph of process, file, and network relationships.

Logster takes a different approach: it treats an endpoint's activity as a graph of behaviors and classifies sliding windows of that graph with a pre-trained model. The model sees the shape of activity, not individual events — which is what lets it recognize attack patterns it has never seen the exact binary for.


How Logster works

Logster's pipeline is composed of five cooperating microservices backed by Apache Kafka, Elasticsearch, and Redis:

  1. Collection — Endpoint agents (Sysmon + Winlogbeat on Windows; auditd and eBPF on Linux) ship raw events to Kafka topics.
  2. Normalization — A stateless normalizer service transforms raw events from each source into a unified NormalizedEvent schema.
  3. Inference — Events are buffered into per-endpoint sliding windows. Every 30 seconds, Logster builds a heterogeneous temporal graph of process, file, network, and script nodes, then runs a 3-layer Graph Attention Network to classify the window as benign or attack.
  4. Alerts — Attack predictions are deduplicated across a 5-minute window, correlated for lateral movement across a 60-second window, enriched with MITRE ATT&CK technique IDs, and published as structured alerts.
  5. Presentation — A React dashboard and a FastAPI-based REST API expose alerts, inference results, host summaries, process trees, and analyst feedback endpoints.
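The alert stage (step 4) is the part of the pipeline with concrete parameters, so here is an added worked example of it; this is illustrative code, not Logster's own. It assumes a simplified prediction record (host, timestamp, benign/attack label, technique IDs) coming out of inference, suppresses repeat attack verdicts for the same host and technique set within 5 minutes, and links attack alerts on different hosts that fall within 60 seconds of each other as lateral-movement candidates.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Prediction:
    """Assumed shape of one GNN window verdict (not Logster's real schema)."""
    host: str
    ts: datetime
    label: str              # "attack" or "benign"
    techniques: tuple       # MITRE technique IDs, e.g. ("T1059.001",)


@dataclass
class Alert:
    host: str
    ts: datetime
    techniques: tuple
    related_hosts: list = field(default_factory=list)  # lateral-movement candidates


class AlertStage:
    def __init__(self, dedup_window=timedelta(minutes=5),
                 lateral_window=timedelta(seconds=60)):
        self.dedup_window = dedup_window
        self.lateral_window = lateral_window
        self._last_seen = {}    # (host, techniques) -> ts of last emitted alert
        self.alerts = []        # alerts emitted so far, oldest first

    def process(self, pred):
        """Return a new Alert, or None if benign or a duplicate."""
        if pred.label != "attack":
            return None
        key = (pred.host, tuple(sorted(pred.techniques)))
        last = self._last_seen.get(key)
        if last is not None and pred.ts - last < self.dedup_window:
            return None                      # same host+techniques within 5 min
        self._last_seen[key] = pred.ts
        alert = Alert(pred.host, pred.ts, key[1])
        # Correlate with alerts on *other* hosts inside the 60-second window.
        # Assumption: any attack verdict on another host counts, regardless of technique.
        for earlier in self.alerts:
            if earlier.host != alert.host and \
                    abs(alert.ts - earlier.ts) <= self.lateral_window:
                alert.related_hosts.append(earlier.host)
                earlier.related_hosts.append(alert.host)
        self.alerts.append(alert)
        return alert
```

A production stage would also expire `_last_seen` and `alerts` entries older than the windows; that housekeeping is omitted here for brevity.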

For the full pipeline walkthrough, see Enterprise Architecture.


Who Logster is for

Logster is built for security operations center (SOC) teams and the operators that support them:

  • SOC analysts who need to triage detections, walk process trees, and record true/false-positive verdicts without stitching together five different consoles. See the Dashboard User Guide.
  • Detection engineers who want graph-based ML detections alongside (or replacing) their existing rule-based SIEM pipeline.
  • Platform / SRE teams responsible for standing up, configuring, and keeping Logster healthy at enterprise scale. See the Admin Guide.
  • Security architects evaluating whether Logster fits their data residency, compliance, and detection requirements. See the Licensing Guide for deployment options.

What Logster detects

Logster is designed to surface activity across the following MITRE ATT&CK tactics (from Logster Support's product materials):

  • Reconnaissance
  • Resource Development
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Lateral Movement
  • Command & Control
  • Impact
  • Exfiltration

TBD — specific technique coverage.

The specific MITRE ATT&CK technique IDs (e.g. T1059.001) that the currently-shipped models detect should be populated from Logster Support's published model release notes, or from empirical review of ttp_techniques values on real alerts in your deployment. Do not enumerate techniques here speculatively.

Each detected alert carries one or more MITRE technique IDs in its ttp_techniques field. See the Dashboard User Guide for how these surface in the UI.


Supported platforms

Logster currently supports endpoint collection on:

  • Microsoft Windows — all Server and Desktop versions, via Sysmon + PowerShell event logging shipped through Winlogbeat, Splunk Universal Forwarder, or Windows Subscription Logging.
  • Linux — all major distributions (including Ubuntu), via the auditd daemon and eBPF process/file/network collectors, shipped through rsyslog, Splunk Universal Forwarder, or syslog-ng.
  • macOS — supported as an endpoint.

For the full matrix of supported ingestion agents, see Key Features.


What Logster is not

To set expectations clearly:

  • Logster is not a SIEM. It does not replace your log retention, compliance reporting, or raw search tooling. Logster focuses narrowly on real-time threat detection and analyst triage. It can live alongside an existing SIEM.
  • Logster does not ship rules. There is no rule pack to tune. Detection is driven entirely by pre-trained models that Logster Support ships and updates.
  • Logster is not an EDR. It does not execute response actions on endpoints (kill process, quarantine host, block IP). It surfaces detections; response is your SOAR's job.
  • Logster does not do network inspection. It reasons over endpoint telemetry, not packet captures or NetFlow.

Where to go next