Migrate from SigNoz

Easy 2-4 hours

Migrate from SigNoz to LogWard for enhanced security capabilities including Sigma detection rules, incident management, and MITRE ATT&CK mapping. Both platforms support OpenTelemetry, making the transition seamless.

Why Migrate from SigNoz?

Built-in SIEM

LogWard includes Sigma detection rules, incident management, and MITRE ATT&CK mapping. SigNoz focuses on observability, not security.

Simpler Architecture

SigNoz uses ClickHouse which requires tuning. LogWard uses PostgreSQL/TimescaleDB for easier operations.

Native OpenTelemetry

Both platforms support OTLP natively. Your existing OTel instrumentation works unchanged - just update the endpoint.

Threat Detection

Security-focused organizations need detection capabilities. LogWard's Sigma rules provide enterprise-grade threat detection.

Feature Comparison

| Feature | SigNoz | LogWard |
|---|---|---|
| OpenTelemetry | Native OTLP | Native OTLP |
| Logs | Yes | Yes |
| Traces | Yes | Yes (via OTLP) |
| Metrics | Yes | Roadmap |
| Alerting | Yes | Yes |
| Sigma Rules | No | Built-in |
| Incident Management | No | Built-in |
| MITRE ATT&CK | No | Built-in |
| Database | ClickHouse | TimescaleDB |
| Custom SDKs | OTel only | OTel + Custom |
| Pricing | Open-source | Open-source |

Step 1: Deploy LogWard

See the Deployment Guide for full instructions:

bash
# Clone LogWard
git clone https://github.com/logward-dev/logward.git
cd logward/docker

# Configure
cp .env.example .env
# Edit .env with your settings

# Start
docker compose up -d

# Verify
curl http://localhost:8080/health

Create your organization and project via the UI, then generate an API key.

Step 2: Update OpenTelemetry Endpoint

Since both platforms use OTLP, migration is straightforward - just update the endpoint URL:

Node.js (OpenTelemetry SDK)

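Before (SigNoz)
typescript
import { OTLPLogExporter } from '@opentelemetry/exporter-logs-otlp-http';

// SigNoz: standard OTLP/HTTP logs endpoint, no authentication header
const logExporter = new OTLPLogExporter({
  url: 'http://signoz:4318/v1/logs',
  headers: {},
});

After (LogWard)
typescript
import { OTLPLogExporter } from '@opentelemetry/exporter-logs-otlp-http';

// LogWard: OTLP logs path on the main API port, authenticated with the project API key
const logExporter = new OTLPLogExporter({
  url: 'http://logward:8080/api/v1/otlp/logs',
  headers: {
    'X-API-Key': 'lp_your_api_key'
  },
});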

Python (OpenTelemetry SDK)

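Before (SigNoz)
python
from opentelemetry.exporter.otlp.proto.http._log_exporter import OTLPLogExporter

# SigNoz: standard OTLP/HTTP logs endpoint, no authentication header
exporter = OTLPLogExporter(
    endpoint="http://signoz:4318/v1/logs",
)

After (LogWard)
python
from opentelemetry.exporter.otlp.proto.http._log_exporter import OTLPLogExporter

# LogWard: OTLP logs path on the main API port, authenticated with the project API key
exporter = OTLPLogExporter(
    endpoint="http://logward:8080/api/v1/otlp/logs",
    headers={"X-API-Key": "lp_your_api_key"},
)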

OpenTelemetry Collector

If you're using the OTel Collector, update the exporter configuration:

Before (SigNoz)
yaml
exporters:
  otlp:
    endpoint: signoz-otel-collector:4317
    tls:
      insecure: true

service:
  pipelines:
    logs:
      exporters: [otlp]
After (LogWard)
yaml
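exporters:
  otlphttp/logward:
    # otlphttp appends /v1/logs to `endpoint`, so give the full LogWard
    # logs path with `logs_endpoint` instead.
    logs_endpoint: http://logward:8080/api/v1/otlp/logs
    headers:
      X-API-Key: lp_your_api_key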

service:
  pipelines:
    logs:
      exporters: [otlphttp/logward]

Step 3: Migrate Alerts

SigNoz and LogWard have similar alert concepts. Convert your alert rules:

SigNoz Alert
yaml
name: High Error Rate
description: Errors exceeded threshold
severity: critical
rule:
  type: log_based
  query: level = "error"
  threshold: 100
  duration: 5m
notification:
  channels:
    - email
    - slack
LogWard Alert Rule
json
{
  "name": "High Error Rate",
  "enabled": true,
  "level": ["error"],
  "threshold": 100,
  "timeWindow": 5,
  "emailRecipients": [
    "team@example.com"
  ],
  "webhookUrl": "https://hooks.slack.com/..."
}

Step 4: Enable Security Features

LogWard's key advantage over SigNoz is built-in security capabilities:

Enable Sigma Detection

  1. Navigate to /dashboard/security/sigma
  2. Import Sigma rules from YAML or sync from SigmaHQ
  3. Enable rules for your log sources
  4. Configure alert notifications for detections

Example Sigma rule for detecting suspicious activity:

yaml
title: Multiple Failed Login Attempts
status: stable
level: medium
logsource:
    category: authentication
    product: custom
detection:
    selection:
        message|contains: "login failed"
    timeframe: 5m
    condition: selection | count() > 10
tags:
    - attack.credential_access
    - attack.t1110
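
To make the aggregation in the rule above concrete, the following added example (not LogWard's or Sigma's own code) evaluates the same selection, timeframe and threshold over constructed log records. It assumes a sliding five-minute window; the function names and sample events are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta

# Values copied from the Sigma rule above.
KEYWORD = "login failed"          # selection: message|contains
TIMEFRAME = timedelta(minutes=5)  # timeframe: 5m
THRESHOLD = 10                    # condition: selection | count() > 10


def matches_selection(event):
    # Sigma string matching is case-insensitive by default.
    return KEYWORD in event.get("message", "").lower()


def detect(events):
    """Return the timestamps at which the rule starts firing.

    Assumption: a sliding window ending at each matching event; a real
    backend may evaluate the timeframe in fixed buckets instead.
    """
    window, alerts, firing = deque(), [], False
    for event in sorted(events, key=lambda e: e["time"]):
        if not matches_selection(event):
            continue
        now = event["time"]
        window.append(now)
        while now - window[0] > TIMEFRAME:  # drop matches older than 5m
            window.popleft()
        over = len(window) > THRESHOLD
        if over and not firing:  # alert once per burst, not per event
            alerts.append(now)
        firing = over
    return alerts


def make_events():
    """Constructed sample records, not taken from a real system."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    t1 = t0 + timedelta(hours=1)
    # 10 failures one minute apart: at most 6 fall inside any 5m window.
    slow = [{"time": t0 + timedelta(minutes=i), "message": "login failed for bob"} for i in range(10)]
    # 11 failures five seconds apart: the 11th pushes the count above 10.
    burst = [{"time": t1 + timedelta(seconds=5 * i), "message": "Login Failed for alice"} for i in range(11)]
    noise = [{"time": t1, "message": "login succeeded for carol"}]
    return slow + burst + noise


if __name__ == "__main__":
    print(detect(make_events()))
```

The rule as written has no `by` clause, so the count is taken across all users and sources combined.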

Concept Mapping

| SigNoz Term | LogWard Equivalent | Notes |
|---|---|---|
| Service | Service | 1:1 mapping (from OTel resource) |
| Trace | trace_id | Indexed for correlation |
| Span | span_id | Indexed for correlation |
| Log attributes | metadata | Stored as JSON |
| Alert | Alert Rule | Similar configuration |
| Dashboard | SIEM Dashboard | Security-focused |
| N/A | Sigma Rules | LogWard exclusive |
| N/A | Incidents | LogWard exclusive |

Common Issues

OTLP endpoint format
SigNoz uses the standard OTLP ports 4317/4318. LogWard uses /api/v1/otlp/logs on the main API port (8080). Update your endpoint URLs accordingly.
Authentication required
Unlike SigNoz, LogWard requires an API key. Add the X-API-Key header to all OTLP requests. The API key is project-scoped and starts with lp_.
Missing metrics support
LogWard currently focuses on logs. Metrics support is on the roadmap. Continue using your existing metrics solution (Prometheus, etc.) alongside LogWard.
