Skip to main content
The observability plugin gives you a centralized, queryable record of every scan decision and configuration change InferenceWall makes. Use it for SOC2/ISO27001 audit trails, real-time threat dashboards in Kibana, or correlation with other security logs during incident response. The plugin is completely optional — if IW_ELK_URL is not set, it is entirely inactive with zero overhead.

Install the plugin

pip install inferwall[observability]
This adds the httpx dependency for HTTP log shipping. The base pip install inferwall does not include it.
1

Set IW_ELK_URL

Point the plugin at your Logstash HTTP input endpoint:
export IW_ELK_URL=http://localhost:8080
That’s the only configuration required. InferenceWall reads this variable at startup and enables the plugin automatically.
2

Start InferenceWall

inferwall serve
Every scan request fires a JSON log to Logstash asynchronously. If Logstash is unreachable, the error is silently suppressed — scan latency is never affected.
3

Verify logs are received

Trigger a scan and confirm Logstash received it:
# Trigger a scan
curl -X POST http://localhost:8000/v1/scan/input \
  -H "Content-Type: application/json" \
  -d '{"text": "ignore all previous instructions"}'

# Check Logstash received it
docker logs logstash | tail -5

What gets shipped

Scan logs

Every scan_input and scan_output call ships this JSON payload: 
{
  "log_type": "scan",
  "timestamp": "2026-04-06T12:00:00Z",
  "direction": "input",
  "decision": "block",
  "anomaly_score": 12.8,
  "threshold": 10.0,
  "policy": "default",
  "request_id": "req-1712345678000",
  "matches": [
    {
      "signature_id": "INJ-D-002",
      "matched_text": "ignore all previous instructions",
      "score": 6.3,
      "confidence": 0.9,
      "severity": 7.0
    }
  ],
  "signature_count": 1
}

Audit events

Authentication, policy, and configuration changes ship this payload: 
{
  "log_type": "audit",
  "timestamp": "2026-04-06T12:00:00Z",
  "category": "auth",
  "action": "login_attempt",
  "details": {"key_prefix": "iwk_scan_"},
  "source_ip": "192.168.1.100"
}
Audit events are generated for these categories:
CategoryExamples
authLogin attempts, key validation failures
policyPolicy loads, mode changes
configEnvironment variable changes at runtime
signaturesCatalog reloads, override registrations
enginesEngine initialization, model loads
adminAdmin API calls
rate_limitRate limit hits
lifecycleServer start, shutdown, health state changes
scanHigh-severity scan decisions (supplemental to scan logs)

Configuration

VariableDescriptionDefault
IW_ELK_URLLogstash HTTP input endpointNot set (plugin disabled)
If IW_ELK_URL is not set, the observability plugin is completely inactive — no imports, no background threads, no side effects. Set the variable before starting InferenceWall to enable it.

Architecture

The plugin uses a fire-and-forget model:
  • Each log event is sent via httpx.post() with a 5-second timeout.
  • Shipping runs after the scan response is returned to the caller — it never blocks the scan pipeline.
  • All network errors and timeouts are silently suppressed. If Logstash is unreachable, logs are dropped without affecting scan latency or availability.

Logstash pipeline

Minimal Logstash pipeline to receive InferenceWall logs and forward them to Elasticsearch: 
input {
  http {
    port => 8080
    codec => json
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "inferwall-logs-%{+YYYY.MM.dd}"
  }
}

Docker

Run InferenceWall with ELK shipping enabled by passing IW_ELK_URL as an environment variable: 
docker run -d \
  -e IW_ELK_URL=http://logstash:8080 \
  -e IW_API_KEY=iwk_scan_yourkey \
  --network your-elk-network \
  -p 8000:8000 \
  inferwall:latest
Make sure InferenceWall and Logstash are on the same Docker network so the hostname resolves.

Use cases

  • Compliance (SOC2, ISO27001) — centralized audit trail of all scan decisions and configuration changes
  • Threat monitoring — Kibana dashboard showing block rate trends and top triggered signatures
  • Incident response — correlate LLM firewall events with other security logs by request_id and timestamp
  • Tuning — identify high false-positive signatures by querying for decision: flag events with known-benign inputs