Getting started

This short guide walks you through the basic steps to begin collecting, processing, and analyzing log data in Security Data Lake (SDL).

To get started with Security Data Lake, follow these steps:

1. Identify your inputs

Before you begin, determine which inputs you need based on the systems and platforms that will send data to Security Data Lake.

An input is a method through which Security Data Lake receives log messages. Inputs can handle data from different sources, such as:

  • Syslog from network devices

  • Beats (e.g., Filebeat or Winlogbeat) from endpoints

  • HTTP inputs from cloud or custom applications

Each input type defines how messages are formatted, received, and parsed when they arrive in Security Data Lake.

Inputs fall into two main categories:

  • Listener inputs – These wait for incoming messages from external systems. They open a network port or endpoint and continuously listen for data sent by devices, agents, or applications. Listener inputs are commonly used for real-time log streaming over protocols such as TCP, UDP, HTTP, or gRPC (for example, Syslog, GELF, or OpenTelemetry).

    Note

    Listener inputs usually run on a forwarder, which receives the data locally and securely transmits it to Security Data Lake.

    Follow steps 2–5 to configure your listener inputs.

  • Pull inputs – These actively connect to remote services or APIs to retrieve log data at regular intervals. They are typically used for collecting data from cloud platforms, security tools, and SaaS applications (for example, AWS CloudTrail, Microsoft 365, or CrowdStrike).

    Note

    Pull inputs can be created directly under System > Inputs and do not require a forwarder.

    Follow step 6 to configure your pull inputs.

For a full list of available inputs, refer to Input types.

2. Create and configure input profiles

Once you know which inputs you need, create your input profiles.

An input profile acts as a collection of input configurations that can be reused across multiple forwarders. For example, you can create one profile for Linux servers that includes Syslog and Filebeat inputs, and another for Windows endpoints with Winlogbeat.

Each input profile will later be assigned to a forwarder.

3. Understand forwarders

A forwarder is a lightweight agent that securely transmits logs from your local environment to Security Data Lake Cloud. It uses encrypted channels and API tokens for authentication, so your data is protected in transit.

You must have at least one forwarder to send data into Security Data Lake, but you can configure multiple forwarders if:

  • You want to distribute the workload across regions or servers.

  • You need to handle high data volumes.

  • You want to organize data sources by environment (e.g., production vs. testing).

For more information on forwarders, refer to Forwarders.

4. Install your forwarders

Before installing your forwarders, obtain your API token and ingestion hostname (URL); both are required for authentication and configuration.

Install the forwarder package on the host machine that will collect and send logs. Follow the installation instructions for your operating system (Linux, Windows, or SUSE).

Make sure the forwarder can communicate with Security Data Lake over the required network ports and has access to the log files or collectors you want to forward.

5. Configure your forwarders and assign input profiles

After installation, configure the forwarder by connecting it to your Security Data Lake environment. Assign one or more input profiles to the forwarder so it knows what data to collect and how to send it.

You can manage active forwarders and monitor their health from System > Forwarders in the Security Data Lake interface.

For more information on configuring forwarders, refer to Configuring a forwarder.

6. Configure pull inputs

If your data sources are cloud-native or API-based, you can configure SDL to automatically pull logs from these sources using pull inputs under System > Inputs.

Pull inputs actively connect to external platforms or APIs at scheduled intervals to retrieve data. They are typically used for integrating with cloud services or SaaS applications such as AWS CloudTrail, Microsoft 365, or CrowdStrike.

To configure one, create a new input from the System > Inputs page, select the desired input type, and launch it. After setup, you can associate Illuminate Processing Packs to normalize and enrich incoming data, then start the input to begin collecting logs.

Note

Pull inputs run directly in SDL and do not require a forwarder. Use them when SDL can securely reach the cloud or API data source over the internet.

For detailed configuration steps, refer to Setting up a new Input.

7. (Optional) Enable Illuminate Packages and Enrichment Features

Once your data is flowing into Security Data Lake, you can extend its visibility and detection capabilities by enabling:

  • Illuminate packages – Prebuilt content packs that automatically detect and enrich known data types such as authentication logs, firewall events, or cloud telemetry.

  • Pipelines and Rules – Used to parse, enrich, and route log data.

  • Lookup Tables and Data Lakes – For enrichment, correlation, and long-term storage.

These features help you normalize your data, add contextual intelligence, and create a foundation for monitoring and alerting.

8. Next steps

To further customize your Security Data Lake experience, follow these steps:

  1. Configure your devices to send logs to the local forwarder.

  2. Check the forwarder metrics to confirm that logs are being ingested into SDL.

  3. Set up dashboards and alerts to visualize key metrics.

  4. Explore Data Routing to control where your logs are stored or archived.

  5. Review the Security Data Lake and MDR integration options if you use Bitdefender MDR.

    Note

    You need to share your Streams with the Bitdefender MDR team so they can access the event data required for investigation, threat hunting, and alert correlation. Sharing these streams ensures that MDR analysts can leverage your existing data pipelines and Illuminate enrichment to provide full visibility and response coverage.