Back to HabeSec

How to Export Your Logs

HabeSec accepts CSV, JSON, JSONL, TXT, Excel, PCAP, and Zeek log files. Use these guides to export logs from your existing security tools.

Download sample files to test first
Sample JSONL Sample CSV Sample JSON
🔵 Microsoft Sentinel
  1. Open Microsoft Sentinel in Azure Portal
  2. Go to Logs in the left menu
  3. Run your KQL query e.g. SecurityEvent | take 1000
  4. Click Export then Export to CSV
  5. Upload the downloaded CSV to HabeSec
Tip: Include columns for IP addresses, timestamps, and event types for the best assessment results.
🟢 Splunk
  1. Run your Splunk search query
  2. Click Export above search results
  3. Select Export as CSV
  4. Set row limit 1,000 to 10,000 rows recommended
  5. Upload the downloaded CSV to HabeSec
Tip: Use | head 5000 in your Splunk query to limit results before exporting.
🟠 Cloudflare
  1. Go to Cloudflare Dashboard and select your domain
  2. Go to Analytics and Logs then Logs
  3. Use Logpush to export to storage, or use HTTP Log Retention
  4. Export as JSON and upload to HabeSec
Tip: Cloudflare logs export as JSON by default HabeSec reads these natively.
🟡 AWS CloudWatch
  1. Open AWS CloudWatch console
  2. Go to Log groups and select your log group
  3. Click Actions then Export data to Amazon S3
  4. Download from S3 and upload to HabeSec
Tip: Use aws logs filter-log-events in AWS CLI to export a manageable sample.
⚪ Nginx / Apache Web Server Logs
  1. Access your server via SSH
  2. Nginx: /var/log/nginx/access.log
  3. Apache: /var/log/apache2/access.log
  4. Export a sample: sudo tail -n 5000 /var/log/nginx/access.log > sample.log
  5. Upload the .log file to HabeSec
Tip: HabeSec reads standard Apache and Nginx combined log format automatically.
🔴 Wireshark PCAP Files
  1. Open Wireshark and capture or open an existing capture
  2. Go to File then Export Specified Packets
  3. Save as .pcap format
  4. Upload directly to HabeSec PCAP files are natively supported
Tip: Keep PCAP files under 10MB. Use display filters to export a representative sample. Select All Packets or a specific time range to ensure sufficient data volume.
🟣 Zeek / Bro Network Logs
  1. Locate your Zeek log directory (typically /opt/zeek/logs/current/)
  2. Select a log file: conn.log, http.log, dns.log, etc.
  3. Upload the .log file directly HabeSec detects Zeek format automatically
Tip: Zeek conn.log and http.log provide the richest data for adversarial analysis.

Format not listed? HabeSec auto-detects most log formats. Contact us at habesec.research@proton.me with your format and we will add support.


Back to HabeSec