IRIS SIEM System Integration: CrowdStrike LogScale
Modern security operations require real-time visibility into application and system logs. By integrating InterSystems IRIS with CrowdStrike LogScale (formerly Humio), you can build a powerful Security Information and Event Management (SIEM) pipeline that captures structured data for advanced threat detection and forensics.
The Foundation: Structured Logging
InterSystems IRIS introduced Structured Logging, which allows the system to output logs in a machine-readable format (like JSON). This is a massive leap forward from parsing traditional flat files, as it ensures that every event is captured with its full context and metadata.
The Interceptor: Python Script
To bridge the gap between IRIS and LogScale, we use a Python script as a “Pipe command” for the IRIS Log Daemon. This script reads from stdin (the ^LOGDMN pipe), prepares the LogScale-specific payload, and pushes it to the ingestion API.
#!/usr/bin/env python
import json
import os
import sys
import socket
from datetime import datetime, timezone
from humiolib.HumioClient import HumioIngestClient

# Build the ingest client once per pipe invocation, not once per event
client = HumioIngestClient(
    base_url="https://cloud.community.humio.com",
    ingest_token=os.environ["CRWD_LOGSCALE_APIKEY"]
)

# Required for the CRWD data source: identify the sending host
fqdn = socket.getfqdn()

# Read from the ^LOGDMN pipe: one JSON event per line
input_list = sys.stdin.read().splitlines()
for irisevent in input_list:
    if not irisevent.strip():
        continue
    # The "Z" suffix promises UTC, so take the time in UTC (not local time)
    today = datetime.now(timezone.utc)
    payload = [
        {
            "tags": {
                "host": fqdn,
                "source": "irislogd"
            },
            "events": [
                {
                    "timestamp": today.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
                    "attributes": {"irislogd": json.loads(irisevent)}
                }
            ]
        }
    ]
    ingest_response = client.ingest_json_data(payload)
You will want to chmod +x this script and put it where the irisowner user can read and execute it.
InterSystems IRIS Structured Logging Setup
The IRIS Log Daemon (^LOGDMN) is configured to use our Python script as its output pipe. This ensures that every JSON event generated by IRIS is immediately processed by our script.
%SYS>Do ^LOGDMN
LOGDMN configuration
Minimum level: -1 (DEBUG)
Pipe command: /tmp/irislogd2crwd.py
Format: JSON
Interval: 5
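The script above sends one HTTP request per event and would abort the whole delivery on the first line that is not valid JSON. The following is an added example (my own code, not the article's script or anything shipped by InterSystems or CrowdStrike) showing a pipe command that folds everything ^LOGDMN hands over in one interval into a single structured-ingest request, stamps events with a true UTC timestamp, and quarantines malformed lines instead of crashing. The sample input and its field names are constructed for illustration and are not the authoritative IRIS structured-log schema; the `FlakyClient` class is a constructed stand-in for `HumioIngestClient` so the batching and retry logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Batching ^LOGDMN -> LogScale forwarder (added example, not the article's script)."""
import json
import os
import socket
import sys
import time
from datetime import datetime, timezone

# Constructed sample of pipe input. A blank line and a non-JSON line are included
# on purpose: a malformed record must not abort the whole batch.
SAMPLE_STDIN = """\
{"level": "INFO", "text": "Login succeeded", "user": "_SYSTEM", "namespace": "%SYS"}

{"level": "WARN", "text": "Login failed", "user": "unknown", "namespace": "USER"}
this line is not JSON and must not abort the batch
{"level": "DEBUG", "text": "Journal switch", "namespace": "%SYS"}
"""

# Fixed clock for the stand-alone demo so its output is reproducible (constructed).
DEMO_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def utc_timestamp(now=None):
    """RFC 3339 timestamp whose 'Z' suffix is actually true (UTC, not local time)."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_payload(lines, host, now=None):
    """Fold one pipe delivery into a single structured-ingest request body.

    Returns (payload, rejected): payload is the list the LogScale ingest API
    expects; rejected holds raw lines that were not valid JSON, so the caller
    can report them instead of silently dropping them or crashing.
    """
    ts = utc_timestamp(now)
    events, rejected = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            rejected.append(raw)
            continue
        events.append({"timestamp": ts, "attributes": {"irislogd": record}})
    payload = [{"tags": {"host": host, "source": "irislogd"}, "events": events}]
    return payload, rejected


def ship(payload, client, attempts=3, sleep=time.sleep):
    """Send one batch with exponential back-off; returns the attempt number that succeeded.

    Re-raises the last error once attempts are exhausted so the daemon's stderr
    shows why events were lost rather than failing silently.
    """
    for n in range(1, attempts + 1):
        try:
            client.ingest_json_data(payload)
            return n
        except Exception:
            if n == attempts:
                raise
            sleep(2 ** n)


class FlakyClient:
    """Constructed stand-in for HumioIngestClient: fails the first fail_times calls."""

    def __init__(self, fail_times):
        self.fail_times, self.calls, self.sent = fail_times, 0, []

    def ingest_json_data(self, payload):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise ConnectionError("simulated ingest outage")
        self.sent.append(payload)


def main():
    # Live run as the ^LOGDMN pipe command: one request per interval, not one per event.
    from humiolib.HumioClient import HumioIngestClient  # imported here so the demo runs without humiolib
    client = HumioIngestClient(
        base_url="https://cloud.community.humio.com",
        ingest_token=os.environ["CRWD_LOGSCALE_APIKEY"],
    )
    payload, rejected = build_payload(sys.stdin.read().splitlines(), socket.getfqdn())
    for line in rejected:
        print(f"irislogd2crwd: skipped non-JSON line: {line!r}", file=sys.stderr)
    if payload[0]["events"]:
        ship(payload, client)


if __name__ == "__main__":
    if "--demo" in sys.argv:
        demo_payload, demo_rejected = build_payload(SAMPLE_STDIN.splitlines(), "iris.example.internal", DEMO_NOW)
        print(json.dumps(demo_payload, indent=2))
        print("rejected:", demo_rejected, file=sys.stderr)
    else:
        main()
```

Run it with `--demo` to see the batched payload built from the constructed sample; without the flag it behaves as a drop-in pipe command. Events here carry the ingestion time; if the IRIS record itself includes an event timestamp, prefer that field for `timestamp` so that a delivery delayed by the daemon interval or a retry does not shift the event in LogScale.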
Real-time Visualization in LogScale
Once the logs land in LogScale, you can take advantage of its lightning-fast search capabilities and live dashboards. Because the logs are already structured, you can instantly filter by event type, user, or specific IRIS internal metrics.
Advanced Forensics
With all IRIS events now indexed in a SIEM, security teams can correlate database activity with other infrastructure events. This provides a holistic view of the security posture and allows for rapid response to potential incidents.
Conclusion
Integrating InterSystems IRIS with CrowdStrike LogScale transforms your database logs into a strategic security asset. By leveraging structured logging and custom Python interceptors, you gain the visibility needed to protect your most critical data workloads in real-time.
Stay secure, and keep logging!