Architecture

Logystera follows a three-stage architecture: Ingest → Process → Export. Each layer is built for high-throughput Vault (and other JSON) audit pipelines with strict mTLS and multi-tenant isolation.

System Overview

Applications (Vault, K8s, APIs)
    ↓
Forwarder Layer (Fluentd/Fluent Bit)
    ↓
Message Queue (RabbitMQ) ← Redis (state/cache)
    ↓
Consumer & Processor (detection engine)
    ↓
Metric Registries (per-thread)
    ↓
Export Layer (/metrics, /alerts, /health)
    ↓
VictoriaMetrics & Grafana

YAML Rule Engine

Logs are turned into metrics automatically. Pre-built signals detect suspicious activity, failed operations, and abuse patterns without any configuration:

  • Suspicious secret deletes — alerts when production secrets are removed
  • Failed authentication bursts — catches brute-force and credential stuffing
  • Policy violations — flags access outside approved paths
  • Unusual operator activity — highlights off-hours or out-of-pattern operations

Detections are enriched with the actor, path, and request context so you see what happened and who did it — not just that something changed.

Layer 1: Ingestion

Supported Sources

  • File tailing: Direct log file monitoring
  • Fluentd/Fluent Bit: Normalized log forwarding with metadata injection
  • RabbitMQ: Direct queue ingestion for distributed environments
  • API Gateway: Cloud-hosted ingestion endpoint (launched late 2025)

Capabilities

  • Automatic tenant/cluster label injection
  • Multi-source consolidation
  • Buffer management for traffic spikes
  • Backpressure handling

Layer 2: Processing

Processing Features

  • Hot-reload: Rule changes take effect without restart
  • Per-thread registries: Minimal lock contention, parallel processing
  • Dynamic generation: New event types automatically create metrics
  • Dry-run mode: Test rules safely on live data
  • Alert bundling: Intelligent noise reduction and deduplication

Performance Characteristics

  • 400+ events/sec per node
  • <2 second latency from ingest to export
  • Horizontal scalability across distributed environments
  • Zero-downtime reloads for configuration changes

Layer 3: Export

Endpoints

  • /metrics - Prometheus-compatible metrics (multiple registries supported)
  • /alerts - Alert delivery status and history
  • /health - System health and component status
  • /stats - Processing statistics and performance metrics

Integration

  • Native Prometheus scraping
  • Grafana dashboard templates included
  • Webhook delivery (Slack, PagerDuty, custom)
  • Email alerting with retry logic

Infrastructure Dependencies

Required Components

  • RabbitMQ: Message queue for log ingestion (durable, distributed)
  • Redis: State management, caching, and metric storage
  • Prometheus: Metric scraping and storage (customer-managed)
  • Grafana: Visualization and dashboards (customer-managed)

Optional Components

  • Fluentd/Fluent Bit: Log forwarding and normalization
  • PKI Infrastructure: Private certificate authority for mTLS

Deployment Patterns

On-Premises (Traditional)

  • All components deployed in customer infrastructure
  • Full control and data sovereignty
  • Air-gapped environments supported
  • Private PKI for mTLS

Best for: Regulated industries, self-hosted deployments

Cloud-Hosted via API Gateway

  • Logs forwarded to Logystera API Gateway
  • Managed processing infrastructure
  • Faster time to value

Best for: Teams wanting quick deployment, cloud-native environments

Hybrid

  • On-premises processing for sensitive data
  • Cloud-hosted for dev/test environments
  • Mix deployment models per environment

Best for: Organizations with mixed compliance requirements

Security Architecture

Network Security

  • mTLS: All inter-component communication encrypted
  • Private PKI: Customer-controlled certificate authority
  • No inbound connections: All data flows are push-based
  • Air-gap support: No external telemetry required

Data Security

  • No plaintext secrets stored: Only semantic metadata retained
  • Role-based access control: Per-component authentication
  • Audit logging: All admin actions logged
  • Namespace isolation: Multi-tenant data separation

Scalability & Performance

Horizontal Scaling

  • Add processor nodes to increase throughput
  • Independent scaling of consumers vs. exporters
  • Queue-based backpressure handling

Capacity Planning

Architecture scales from small dev environments to enterprise production:

  • Small (1-5M events/day): Single node deployment
  • Medium (5-25M events/day): 2-3 processor nodes, clustered infrastructure
  • Large (25-100M+ events/day): 5+ processor nodes, distributed architecture

Monitoring & Observability

System Metrics

  • Queue depth and lag
  • Processing throughput (events/sec)
  • Thread health and utilization
  • Redis memory usage
  • Metric cardinality tracking

Included Dashboards

  • Logystera System Health: Overall platform status
  • Vault General Dashboard: Cluster-wide Vault visibility
  • Vault Namespace Dashboard: Per-namespace deep-dive
  • Alert Dashboard: Alert delivery and suppression state

Configuration Management

Hot-Reload Support

  • Detection rule changes apply immediately
  • No service restart required
  • Zero-downtime configuration updates

Version Control

  • All configuration stored as code
  • GitOps-friendly deployment
  • Rollback support for rule changes
Logystera Logystera
Monitoring for WordPress and Drupal sites. Install a plugin or module to catch silent failures — cron stalls, failed emails, login attacks, PHP errors — before users report them.
Product
Overview How it works Features Integrations Compare Pricing Changelog Status
Guides
WordPress Cron Not Running WordPress Emails Not Sending Log-Based Monitoring Blog Documentation
Solutions
For Agencies For SMEs For Government For Education For Enterprise Services What Logystera Is FAQ
Legal
Privacy Terms Security Cookies
Company
Contact About
Follow us
Twitter LinkedIn
Copyright © 2026 Logystera. All rights reserved.