SIEM Forwarding

SOC analysts want audit data in their existing tooling — Splunk, ArcSight, Sentinel, QRadar, Elastic. The SIEM subsystem extends the canonical AuditSink trait with four production forwarders and a MultiSink fan-out so the same event lands in your durable Postgres store and every SIEM you care about.

Fan-out architecture

The data plane writes once into AuditWriter, which holds a single MultiSink. Each child sink's failures are isolated — a Splunk outage cannot back up the Postgres durability path or starve other forwarders.

graph LR
  DP["Data plane"] --> AW["AuditWriter"]
  AW --> MS["MultiSink"]
  MS --> PG["Postgres (durable)"]
  MS --> SY["Syslog (RFC 5424 / CEF)"]
  MS --> SP["Splunk HEC"]
  MS --> OT["OTLP / OpenTelemetry"]
  SP --> SPK["Splunk indexer"]
  OT --> COL["OTel Collector → Elastic / Sentinel"]

Forwarders

| Sink | Wire format | Transport | Common target |
|---|---|---|---|
| SyslogSink (RFC 5424) | IETF syslog + JSON MSG | UDP / TCP / TLS | rsyslog, syslog-ng, QRadar |
| SyslogSink (CEF) | ArcSight CEF k=v | UDP / TCP / TLS | Micro Focus ArcSight |
| SplunkHecSink | JSON event objects | HTTPS POST | Splunk Enterprise / Cloud |
| OtlpAuditSink | OTLP/HTTP logs (resourceLogs) | HTTPS POST | OTel Collector → anything |

Severity mapping (OTLP)

OTLP severity numbers are the fixed values of the OpenTelemetry log data model, not tetrapus-specific codes, so SIEM rules can filter on the standard ranges. AuditOutcome is mapped at sink time:

| AuditOutcome | OTel severity number | OTel severity text |
|---|---|---|
| Allowed | 9 | INFO |
| Denied | 13 | WARN |
| Errored | 17 | ERROR |
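The three wire formats from the forwarders table and the severity mapping above, encoded for one event in an added example that is not tetrapus code: an RFC 5424 line whose MSG is the JSON AuditEvent, an ArcSight CEF line, and an OTLP/HTTP logs body. The JSON field names, the CEF vendor/product/signature choices, the syslog and CEF severity values, and the attribute keys are assumptions; the OTLP severity pairs are the page's. Hashes and timestamps are passed in as values so the code runs offline.

```rust
// Added example, not tetrapus code. Field names and non-OTLP severities are assumptions.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum AuditOutcome { Allowed, Denied, Errored }

#[derive(Clone, Debug)]
pub struct AuditEvent {
    pub seq: u64, pub org_id: String, pub principal_id: String, pub action: String,
    pub outcome: AuditOutcome, pub resource: String, pub prev_hash: String, pub this_hash: String,
}

impl AuditOutcome {
    pub fn label(self) -> &'static str {
        match self { AuditOutcome::Allowed => "allowed", AuditOutcome::Denied => "denied", AuditOutcome::Errored => "errored" }
    }
}

/// OTLP severity (number, text) exactly as the mapping table gives it.
pub fn otel_severity(o: AuditOutcome) -> (u8, &'static str) {
    match o { AuditOutcome::Allowed => (9, "INFO"), AuditOutcome::Denied => (13, "WARN"), AuditOutcome::Errored => (17, "ERROR") }
}

/// Syslog severity (RFC 5424 table 2): info=6, warning=4, err=3. Assumed mapping.
fn syslog_severity(o: AuditOutcome) -> u16 {
    match o { AuditOutcome::Allowed => 6, AuditOutcome::Denied => 4, AuditOutcome::Errored => 3 }
}

/// JSON string literal with every control character escaped, so a hostile
/// resource name cannot terminate the MSG and forge a second syslog record.
fn json_str(s: &str) -> String {
    let body: String = s.chars().map(|c| match c {
        '"' => "\\\"".to_string(), '\\' => "\\\\".to_string(),
        c if (c as u32) < 0x20 => format!("\\u{:04x}", c as u32),
        c => c.to_string(),
    }).collect();
    format!("\"{}\"", body)
}

fn json_msg(ev: &AuditEvent) -> String {
    format!("{{\"seq\":{},\"org_id\":{},\"principal_id\":{},\"action\":{},\"outcome\":\"{}\",\"resource\":{},\"prev_hash\":{},\"this_hash\":{}}}",
        ev.seq, json_str(&ev.org_id), json_str(&ev.principal_id), json_str(&ev.action),
        ev.outcome.label(), json_str(&ev.resource), json_str(&ev.prev_hash), json_str(&ev.this_hash))
}

/// RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG, PRI = facility*8 + severity.
pub fn rfc5424(ev: &AuditEvent, facility: u16, timestamp: &str, hostname: &str, app_name: &str) -> String {
    format!("<{}>1 {} {} {} - - - {}", facility * 8 + syslog_severity(ev.outcome), timestamp, hostname, app_name, json_msg(ev))
}

/// CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension. Header fields
/// escape '|' and '\'; extension values escape '=', '\' and line breaks.
pub fn cef(ev: &AuditEvent) -> String {
    let hdr = |s: &str| s.replace('\\', "\\\\").replace('|', "\\|");
    let ext = |s: &str| s.replace('\\', "\\\\").replace('=', "\\=").replace('\r', "\\r").replace('\n', "\\n");
    let sev = match ev.outcome { AuditOutcome::Allowed => 2, AuditOutcome::Denied => 6, AuditOutcome::Errored => 8 }; // 0-10 scale, assumed
    format!("CEF:0|tetrapus|tetrapus-server|1.0|{}|audit {}|{}|suser={} act={} outcome={} cs1Label=org_id cs1={} cs2Label=resource cs2={} cn1Label=seq cn1={}",
        hdr(&ev.action), ev.outcome.label(), sev, ext(&ev.principal_id), ext(&ev.action), ev.outcome.label(), ext(&ev.org_id), ext(&ev.resource), ev.seq)
}

/// OTLP/HTTP JSON body (resourceLogs -> scopeLogs -> logRecords). 64-bit integers are
/// encoded as strings, as the protobuf JSON mapping requires.
pub fn otlp_body(ev: &AuditEvent, service_name: &str, time_unix_nano: u64) -> String {
    let (num, text) = otel_severity(ev.outcome);
    let attr = |k: &str, v: String| format!("{{\"key\":\"{}\",\"value\":{{{}}}}}", k, v);
    let attrs = [
        attr("audit.seq", format!("\"intValue\":\"{}\"", ev.seq)),
        attr("audit.org_id", format!("\"stringValue\":{}", json_str(&ev.org_id))),
        attr("audit.principal_id", format!("\"stringValue\":{}", json_str(&ev.principal_id))),
        attr("audit.action", format!("\"stringValue\":{}", json_str(&ev.action))),
        attr("audit.outcome", format!("\"stringValue\":\"{}\"", ev.outcome.label())),
        attr("audit.resource", format!("\"stringValue\":{}", json_str(&ev.resource))),
        attr("audit.prev_hash", format!("\"stringValue\":{}", json_str(&ev.prev_hash))),
        attr("audit.this_hash", format!("\"stringValue\":{}", json_str(&ev.this_hash))),
    ].join(",");
    format!("{{\"resourceLogs\":[{{\"resource\":{{\"attributes\":[{}]}},\"scopeLogs\":[{{\"scope\":{{\"name\":\"tetrapus.audit\"}},\"logRecords\":[{{\"timeUnixNano\":\"{}\",\"severityNumber\":{},\"severityText\":\"{}\",\"body\":{{\"stringValue\":{}}},\"attributes\":[{}]}}]}}]}}]}}",
        attr("service.name", format!("\"stringValue\":{}", json_str(service_name))),
        time_unix_nano, num, text, json_str(&format!("{} {}", ev.action, ev.outcome.label())), attrs)
}

/// A constructed sample event, not real data.
pub fn sample_event() -> AuditEvent {
    AuditEvent { seq: 42, org_id: "acme".into(), principal_id: "alice@example.com".into(),
        action: "secret.read".into(), outcome: AuditOutcome::Denied,
        resource: "vault/prod/db-password".into(), prev_hash: "3f1a".into(), this_hash: "9c07".into() }
}

fn main() {
    let ev = sample_event();
    println!("{}", rfc5424(&ev, 16, "2025-01-01T00:00:00Z", "tetrapus-1", "tetrapus"));
    println!("{}", cef(&ev));
    println!("{}", otlp_body(&ev, "tetrapus-server", 1_735_689_600_000_000_000));
}
```

With facility 16 (local0) a Denied event gets PRI 132 (16*8 + 4). The escaping is the part worth keeping: a principal or resource string chosen by a caller ends up inside the MSG and the CEF extension, and without it a value containing a newline or `|` can inject a record that the SIEM parses as a genuine event.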

Configuration

SIEM endpoints are configured as a list in tetrapus-server's config file or environment. build_sink(&cfg) performs the initial connection and TLS handshake for each entry at startup, so a sink that cannot be built fails boot loudly rather than silently dropping events later.

tetrapus.yaml (siem section):
siem:
  sinks:
    - kind: syslog
      address: "10.10.5.20:6514"
      transport: { tls: { sni: "siem.example.com" } }
      format: rfc5424
      facility: 16
      app_name: tetrapus
    - kind: splunk_hec
      endpoint: "https://splunk.example.com:8088/services/collector/event"
      token_env: SPLUNK_HEC_TOKEN
      index: tetrapus_audit
      sourcetype: "tetrapus:audit"
      verify_tls: true
    - kind: otlp
      endpoint: "https://otel.example.com:4318/v1/logs"
      service_name: tetrapus-server
      headers:
        - ["X-API-Key", "$OTEL_API_KEY"]
Environment variables:
SPLUNK_HEC_TOKEN=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OTEL_API_KEY=xxxxxxxx
SIEM_TLS_CA_FILE=/etc/tetrapus/siem-ca.pem

Sample dashboards

A starter dashboard for each platform ships under deploy/siem/. The fields they index are the standard AuditEvent shape: seq, org_id, principal_id, action, outcome, resource, prev_hash, this_hash.

  • Splunk — denied-actions-by-principal, audit-chain-gaps, p99 sink latency
  • Elastic / Kibana — same panels via the OTLP path through the OTel Collector
  • Sentinel — KQL workbook with the same field set
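The logic behind an audit-chain-gaps panel, as an added example that is not tetrapus code: it consumes the seq / prev_hash / this_hash fields the dashboards index, in whatever order the SIEM returned them, and reports missing sequence numbers, links whose prev_hash does not match the predecessor's this_hash, and a seq that arrived twice with different hashes. The records are a constructed sample with placeholder hash strings, and the issue names are assumptions.

```rust
// Added example, not tetrapus code. Records and hash strings are constructed.
#[derive(Clone, Debug, PartialEq)]
pub struct ChainRecord { pub seq: u64, pub prev_hash: String, pub this_hash: String }

#[derive(Debug, PartialEq)]
pub enum ChainIssue {
    /// Sequence numbers never received (inclusive range): lost in transit or withheld.
    MissingSeq { from: u64, to: u64 },
    /// prev_hash does not equal the predecessor's this_hash: tampering or a split chain.
    BrokenLink { seq: u64, expected_prev: String, actual_prev: String },
    /// The same seq arrived twice with different hashes: replay or forgery.
    ConflictingSeq { seq: u64 },
}

/// Sorts by seq (SIEM results arrive in any order) and walks the chain once.
/// Link checks are skipped across a gap because the missing record's hash is unknown.
pub fn check_chain(received: &[ChainRecord]) -> Vec<ChainIssue> {
    let mut recs = received.to_vec();
    recs.sort_by_key(|r| r.seq); // stable, so duplicates keep arrival order
    let mut issues = Vec::new();
    let mut prev: Option<&ChainRecord> = None;
    for r in &recs {
        match prev {
            Some(p) if p.seq == r.seq => {
                if p.this_hash != r.this_hash { issues.push(ChainIssue::ConflictingSeq { seq: r.seq }); }
                continue; // keep the first copy as the chain head
            }
            Some(p) if r.seq > p.seq + 1 => {
                issues.push(ChainIssue::MissingSeq { from: p.seq + 1, to: r.seq - 1 });
            }
            Some(p) if r.prev_hash != p.this_hash => {
                issues.push(ChainIssue::BrokenLink {
                    seq: r.seq, expected_prev: p.this_hash.clone(), actual_prev: r.prev_hash.clone(),
                });
            }
            _ => {}
        }
        prev = Some(r);
    }
    issues
}

/// Constructed sample: one late arrival, one missing seq, one bad link, one conflicting duplicate.
pub fn sample_records() -> Vec<ChainRecord> {
    let rec = |seq, prev: &str, this: &str| ChainRecord { seq, prev_hash: prev.into(), this_hash: this.into() };
    vec![
        rec(2, "h1", "h2"),
        rec(1, "0000", "h1"),      // arrived after seq 2; sorting handles it
        rec(3, "h2", "h3"),
        rec(5, "h4", "h5"),        // seq 4 never arrived
        rec(6, "xxxx", "h6"),      // prev_hash should be h5
        rec(7, "h6", "h7"),
        rec(7, "h6", "h7-forged"), // same seq, different hash
    ]
}

fn main() {
    for issue in check_chain(&sample_records()) {
        println!("{:?}", issue);
    }
}
```

A gap alone may be a dropped forwarder write (the durable store should still have it), while a broken link or a conflicting seq cannot be explained by transport loss and should page someone; the panel is more useful when it distinguishes the two.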
