Twingate Real-Time Activity Dashboard
Overview
Twingate is a zero trust network access platform that allows fast-growing companies to quickly and easily provide secure access to their AWS environment. By incorporating modern technologies such as NAT traversal, QUIC, private proxies, and split tunneling, Twingate can replace a traditional or cloud VPN while improving user performance and overall security.
This integration allows organizations to monitor a user’s resource access activities in real time.
Setup
Prerequisites
- You have the Datadog Agent installed on the Twingate Connector server. You must be able to connect to that host and edit the files to configure the Agent and YAML Integration Configs. To install the Datadog Agent, see Getting Started with the Agent.
- You must deploy the Twingate Connector. To enable real-time connection logs, see the Twingate documentation.
Systemd Connector
- Set up Datadog journald integration.
- Replace journald.d/conf.yaml with the following configuration:
    logs:
      - type: journald
        container_mode: true
        include_units:
          - twingate-connector.service
        service: Twingate Connection
        source: Twingate
        log_processing_rules:
          - type: include_at_match
            name: analytics
            pattern: ANALYTICS
          - type: mask_sequences
            name: remove_analytics
            replace_placeholder: ""
            pattern: "ANALYTICS "
- Add the dd-agent user to the systemd-journal group by using usermod -a -G systemd-journal dd-agent.
- Restart the Datadog Agent by running service datadog-agent restart.
- Confirm that the Twingate Analytic log appears in the Log Explorer.
Docker Connector
Set up Datadog Docker integration for the Host Agent
Add the following lines to the datadog.yaml configuration file:
    logs_enabled: true
    listeners:
      - name: docker
    config_providers:
      - name: docker
        polling: true
    logs_config:
      container_collect_all: true
      container_exclude: ["image:.*"]
      container_include: ["image:twingate/connector"]
- Add the dd-agent user to the docker group by using usermod -a -G docker dd-agent.
- Restart the Datadog Agent by running service datadog-agent restart.
Set up Datadog Docker integration for the Container Agent
Add the additional parameters -e DD_CONTAINER_EXCLUDE="image:.*" and -e DD_CONTAINER_INCLUDE="image:twingate/connector" to the docker run command:
docker run -d --name datadog-agent \
--cgroupns host \
--pid host \
-e DD_API_KEY=xxx \
-e DD_LOGS_ENABLED=true \
-e DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=true \
-e DD_CONTAINER_EXCLUDE="image:.*" \
-e DD_CONTAINER_INCLUDE="image:twingate/connector" \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /var/lib/docker/containers:/var/lib/docker/containers:ro \
-v /proc/:/host/proc/:ro \
-v /opt/datadog-agent/run:/opt/datadog-agent/run:rw \
-v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
gcr.io/datadoghq/agent:latest
Set up Twingate Connector with additional docker parameters
Add the label com.datadoghq.ad.logs to the Twingate Connector docker run command:
docker run -d --sysctl net.ipv4.ping_group_range="0 2147483647" \
-l "com.datadoghq.ad.logs"='[{"service":"Twingate Connection","source":"Twingate","log_processing_rules":[{"type":"include_at_match","name":"analytics","pattern":"ANALYTICS"},{"type":"mask_sequences","name":"remove_analytics","replace_placeholder":"","pattern":"ANALYTICS "}]}]' \
--env TENANT_URL="https://xxx.twingate.com" \
--env ACCESS_TOKEN="xxx" \
--env REFRESH_TOKEN="xxx" \
--env TWINGATE_LABEL_HOSTNAME="`hostname`" \
--name "twingate-golden-seal" \
--restart=unless-stopped \
$(docker run --help | grep -- --pull >/dev/null && echo "--pull=always") twingate/connector:1
Note: The Twingate Connector container must be recreated to add the new label.
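The log_processing_rules in journald.d/conf.yaml and in the com.datadoghq.ad.logs label are the same two rules. The following added example (not part of the Twingate or Datadog documentation) is a simplified Python model of them, showing which connector lines are shipped and what remains once the prefix is stripped. The sample lines, their JSON fields, and the function names are constructed for illustration, and treating the remaining payload as JSON is an assumption.

```python
import json
import re

# Same two rules as journald.d/conf.yaml and the com.datadoghq.ad.logs label.
RULES = [
    {"type": "include_at_match", "name": "analytics", "pattern": "ANALYTICS"},
    {"type": "mask_sequences", "name": "remove_analytics",
     "replace_placeholder": "", "pattern": "ANALYTICS "},
]

def apply_rules(line, rules=RULES):
    """Return the line as it would be shipped, or None if it is dropped."""
    for rule in rules:
        pattern = re.compile(rule["pattern"])  # unanchored regular expression
        if rule["type"] == "include_at_match":
            if not pattern.search(line):
                return None  # no match: the line is never sent
        elif rule["type"] == "mask_sequences":
            line = pattern.sub(rule["replace_placeholder"], line)
        else:
            raise ValueError(f"unsupported rule type: {rule['type']}")
    return line

def shipped_events(lines, rules=RULES):
    """Filter lines through the rules and parse the survivors as JSON."""
    events = []
    for line in lines:
        out = apply_rules(line, rules)
        if out is None:
            continue
        try:
            events.append(json.loads(out))
        except json.JSONDecodeError:
            events.append({"unparsed": out})  # shipped, but not structured
    return events

# Constructed sample connector output; field names are illustrative only.
SAMPLE = [
    'State: Online',
    'ANALYTICS {"user": "alice@example.com", "resource": "db.internal", "port": 5432}',
    'http request finished',
    'ANALYTICS {"user": "bob@example.com", "resource": "git.internal", "port": 22}',
]

if __name__ == "__main__":
    for event in shipped_events(SAMPLE):
        print(event)
```

In this model a line that merely contains the word ANALYTICS also passes the include rule, because the pattern is unanchored; it is shipped as unstructured text.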
Twingate Analytics Dashboard
- Go to the Datadog Dashboard List.
- Search for the Twingate Analytics dashboard.
Troubleshooting
Need help? Contact Twingate Support.