Skip to main content
HTTP destinations POST your organization’s audit logs to a URL you control. Use them for generic webhooks, Splunk HEC, Elastic or OpenSearch ingest, Grafana Loki push endpoints, or any receiver that accepts JSON over HTTP.
Event streaming is only available in Pangolin Cloud or self-hosted Enterprise Edition.

Overview

An HTTP destination sends POST requests to your endpoint. Configure:
  1. Settings: Name, URL, and authentication.
  2. Headers: Optional static headers on every request.
  3. Body: Default JSON shape or a custom body template, plus payload format (how batches are packaged).
  4. Logs: Which log types are forwarded.
Enable Custom body template when your receiver expects a different JSON layout than Pangolin’s default. Leave it off to send the standard { event, timestamp, data } object per log record.

Configure the connection

On the Settings tab, set a display name, the endpoint URL, and authentication:
HTTP destination settings with URL and authentication options
All delivery uses POST. Requests time out after 30 seconds.

Authentication and headers

On the Headers tab, add optional static headers sent with every request, for example a vendor-specific API key or a non-default Content-Type. When you do not override it, Pangolin sends Content-Type: application/json (or application/x-ndjson when using the NDJSON payload format).
Headers tab for adding static HTTP headers

Default payload (template off)

When custom body template is disabled, each log event is serialized as:
The field set inside data depends on the log type. The same destination can stream multiple types; batches may contain heterogeneous data shapes. See Log type reference below and the dedicated log docs for full field lists.
Some columns are stored as JSON strings in the database (headers, query, and metadata on request logs, for example). In data, they appear as string values, not nested JSON objects. Parse them on the receiver if you need structured fields.

Custom body template

On the Body tab, enable Custom body template and provide a JSON template string. Pangolin performs simple placeholder substitution, not a full templating language like Handlebars.
Body tab with custom body template editor

Template variables

Only these three placeholders are supported: Canonical example (equivalent to the default payload):
Remapping property names for a downstream schema:
You may use the same token multiple times and nest placeholders at any depth in your JSON structure. Nested objects and arrays inside the substituted {{data}} value are preserved from the log row.

Rules and constraints

  • Simple substitution only: No conditionals, loops, filters, or expressions.
  • No field paths: Placeholders like {{data.orgId}}, {{orgId}}, or {{ip}} do not work. To use a single field, read it from the full data object on the receiver or transform after ingest.
  • Quote {{data}} correctly: "field": {{data}} is valid; "field": "{{data}}" stringifies the object incorrectly and produces invalid or useless JSON.
  • One template per destination: The same template applies to every log type enabled on that destination. You cannot define different templates per log type on one HTTP destination.
  • String escaping: {{event}} and {{timestamp}} are JSON-escaped for safe use inside quoted strings.
  • Invalid JSON: Pangolin does not validate templates at save time. If the rendered body is not valid JSON, delivery may still occur but your receiver may reject it. Validate templates with a JSON linter before saving.
  • Not available on other destination types: Body templates apply to HTTP streaming only, not S3 or Datadog destinations.

Payload format

Payload format is separate from the body template. The template defines the shape of one event; payload format controls how many events are sent per HTTP request. The template is applied once per event, then results are batched into an array, joined as NDJSON lines, or sent individually, depending on the format you select. Choose NDJSON for aggregators that expect newline-delimited ingest (Splunk HEC, Elastic/OpenSearch bulk-style HTTP inputs, Loki). Choose one event per request when the endpoint cannot accept batches.

Log type reference

The data object in each streamed event is the full stored log row. Field sets differ by log type. See the documentation for that log type under Logs & Analytics for the complete data shape.

Integration examples

Generic webhook (default shape, JSON array)

Leave custom body template disabled. Select JSON array payload format. Point the destination at your webhook URL with bearer or custom-header auth. Each batch POST body looks like:

Log aggregator (NDJSON, minimal template)

Enable a custom template and select NDJSON:
Each line in the POST body is one rendered event. Set any vendor-required headers on the Headers tab.

Vendor schema remapping

If a tool expects your log row under a specific key, wrap {{data}} without quotes:
Adjust property names to match the vendor; field extraction beyond the three template variables happens on the receiver.

Limitations and troubleshooting

  • Field selection: Cannot pick individual columns in the template. Use full {{data}} or transform after delivery.
  • Mixed log types: Enabling multiple log types on one destination produces heterogeneous data in the same batch. Enable one type per destination if your pipeline expects a uniform schema.
  • Historical logs: New destinations do not backfill. Only events recorded after the destination is created are streamed.
  • Delivery errors: Check the destination’s last error in the dashboard. Common causes: wrong URL, auth failure, TLS issues, or receiver rejecting malformed JSON.
  • Quoting {{data}}: "payload": "{{data}}" treats the entire row as a string, which is almost always wrong. Use "payload": {{data}}.
  • Splunk field extraction: Pangolin does not emit Splunk-style indexed fields in the template. Parse data or use a receiver-side pipeline.