Stream every audit event to your security information and event management (SIEM) system as it happens. Events flow alongside the standard in-platform audit log so you can use your existing alerting rules, dashboards, and retention infrastructure without gaps.
SIEM streaming requires the Enterprise tier. Contact sales if you need to upgrade.

How it works

When you create a SIEM destination, the platform begins forwarding every audit event to your endpoint in real time. Events are delivered as JSON over HTTPS. If your destination is unreachable, events are buffered and retried with exponential backoff for up to 24 hours. Delivery is therefore at-least-once: a retry can redeliver an event your endpoint has already accepted, so deduplicate on the event id on the SIEM side. Each destination has a status field that reflects delivery health:
Status     Meaning
active     Events are streaming normally.
degraded   Delivery is failing; events are being buffered and retried.
failed     Retries are exhausted and events were dropped. Fix the destination and re-enable it.

Supported providers

Provider         Transport                     Auth field
Splunk           HTTP Event Collector (HEC)    token
Datadog          Log Management API            token
AWS CloudWatch   Logs subscription             access_key_id + secret_access_key
Elastic / ELK    Elasticsearch ingest          token
Custom webhook   HTTP POST                     secret
All providers receive events in JSON format.

Setting up a destination

You can configure SIEM destinations from the console or via the API.

From the console

  1. Go to Settings > Audit > SIEM in the console sidebar
  2. Click Add destination
  3. Select a provider and enter the endpoint URL and credentials
  4. Toggle Enabled and save

Via the API

1. Create a destination

Send a POST request to /v1/audit/siem with your provider, endpoint, and credentials.
curl -X POST https://api.truthlocks.com/v1/audit/siem \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "splunk",
    "endpoint": "https://hec.splunk.example.com:8088/services/collector",
    "token": "your-hec-token",
    "enabled": true
  }'
The response includes the destination ID and initial status:
{
  "id": "siem_abc123",
  "provider": "splunk",
  "endpoint": "https://hec.splunk.example.com:8088/services/collector",
  "enabled": true,
  "created_at": "2026-06-30T12:00:00Z",
  "status": "active"
}
2. Verify delivery

List your destinations to confirm the status is active:
curl https://api.truthlocks.com/v1/audit/siem \
  -H "X-API-Key: tl_live_..."
If the status shows degraded, check that your endpoint is reachable and the credentials are correct.

Provider setup

Splunk

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector
  2. Create a new token and assign it the index the events should land in (for example main)
  3. Copy the HEC endpoint URL and token
  4. Create a destination with provider: "splunk" and the HEC URL as endpoint

Datadog

  1. In Datadog, go to Organization Settings > API Keys
  2. Create a new API key
  3. Use https://http-intake.logs.datadoghq.com/api/v2/logs as the endpoint (or datadoghq.eu for EU)
  4. Create a destination with provider: "datadog" and your API key as token

AWS CloudWatch

  1. Create a dedicated IAM user whose policy grants only logs:CreateLogStream and logs:PutLogEvents, with the Resource scoped to the log group that will receive the events rather than to all log groups
  2. Note the access key ID and secret access key
  3. Use the CloudWatch Logs endpoint for your region as the endpoint
  4. Create a destination with provider: "cloudwatch", access_key_id, and secret_access_key

Elastic / ELK

  1. In Kibana, go to Management > Dev Tools and create an ingest pipeline
  2. Generate an API key with index write permissions
  3. Use your Elasticsearch ingest endpoint as endpoint
  4. Create a destination with provider: "elastic" and your API key as token

Custom webhook

  1. Set up an HTTPS endpoint that accepts POST requests with a JSON body
  2. Generate a shared secret for HMAC signature verification
  3. Create a destination with provider: "webhook", your URL as endpoint, and the shared secret as secret
The platform signs each webhook delivery with an HMAC-SHA256 signature, computed with your secret, and sends it in the X-Truthlocks-Signature header. Verify the signature over the raw request body before parsing it, compare it in constant time, and reject any delivery whose header is missing or does not match; without that check, anyone who learns the URL can inject fabricated audit events into your SIEM.
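The following receiver is an added example, not code from this page or from the platform. It verifies X-Truthlocks-Signature against the raw body in constant time and, because retries make delivery at-least-once (see Duplicate events under Troubleshooting), drops any event whose id it has already stored. The page does not state how the signature is encoded, so the example assumes the lowercase hex HMAC-SHA256 of the exact body bytes; the secret and the event body below are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

SIGNATURE_HEADER = "X-Truthlocks-Signature"


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded.

    Assumption (the page does not state the encoding): the platform signs the exact
    body bytes and sends the lowercase hex digest. Check against a real delivery.
    """
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison of the header against the signature of the raw body.

    Runs before JSON parsing so an unauthenticated body never reaches the parser.
    A missing or empty header is a failure, not a pass.
    """
    if not header_value:
        return False
    expected = compute_signature(secret, body).encode("ascii")
    presented = header_value.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


class WebhookReceiver:
    """Accepts signed deliveries and drops replays of an event id already seen."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Retries make delivery at-least-once; keying on "id" deduplicates.
        # In production back this with a persistent store and a TTL.
        self._seen_ids: set = set()
        self.accepted: List[dict] = []

    def handle(self, headers: Dict[str, str], body: bytes) -> Tuple[int, str]:
        """Return (HTTP status, reason) for one delivery."""
        lowered = {k.lower(): v for k, v in headers.items()}
        signature = lowered.get(SIGNATURE_HEADER.lower())
        if not verify_signature(self._secret, body, signature):
            return 401, "invalid signature"
        try:
            event = json.loads(body)
        except ValueError:
            return 400, "malformed JSON"
        event_id = event.get("id") if isinstance(event, dict) else None
        if not isinstance(event_id, str) or not event_id:
            return 400, "missing event id"
        if event_id in self._seen_ids:
            # Acknowledge with 2xx so the platform stops retrying, but store nothing.
            return 200, "duplicate"
        self._seen_ids.add(event_id)
        self.accepted.append(event)
        return 200, "accepted"


# Constructed sample delivery shaped like the page's event format (not a real capture).
SAMPLE_SECRET = b"shared-secret-from-destination-config"
SAMPLE_EVENT = {
    "id": "evt_abc123",
    "timestamp": "2026-06-30T12:34:56.789Z",
    "tenant_id": "tenant-uuid",
    "actor_type": "USER",
    "actor_id": "user-uuid",
    "action": "attestation.mint",
    "resource_type": "attestation",
    "resource_id": "attestation-uuid",
    "service": "trust-registry",
    "outcome": "SUCCESS",
    "metadata": {"issuer_id": "issuer-uuid", "subject": "user:12345", "claim": "email_verified"},
    "integrity_hash": "sha256:abc123...",
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT, separators=(",", ":")).encode("utf-8")


def demo() -> List[Tuple[int, str]]:
    """Four deliveries: genuine, replayed, tampered body, unsigned."""
    receiver = WebhookReceiver(SAMPLE_SECRET)
    signed = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    tampered = SAMPLE_BODY.replace(b'"SUCCESS"', b'"FAILURE"')
    return [
        receiver.handle(signed, SAMPLE_BODY),   # (200, "accepted")
        receiver.handle(signed, SAMPLE_BODY),   # (200, "duplicate")
        receiver.handle(signed, tampered),      # (401, "invalid signature")
        receiver.handle({}, SAMPLE_BODY),       # (401, "invalid signature")
    ]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

Wire handle() into whatever HTTP framework fronts your endpoint, passing the request headers and the unparsed body bytes. The duplicate case still returns 200 on purpose: a non-2xx would make the platform keep retrying an event you already hold.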

Managing destinations

Update a destination

Change the endpoint, credentials, or enabled state:
curl -X PUT https://api.truthlocks.com/v1/audit/siem/siem_abc123 \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "endpoint": "https://hec-new.splunk.example.com:8088/services/collector",
    "token": "your-new-hec-token",
    "enabled": true
  }'

Delete a destination

Remove a streaming destination. In-flight events are flushed before deletion completes.
curl -X DELETE https://api.truthlocks.com/v1/audit/siem/siem_abc123 \
  -H "X-API-Key: tl_live_..."

Event format

Each event streamed to your SIEM matches the audit event structure:
{
  "id": "evt_abc123",
  "timestamp": "2026-06-30T12:34:56.789Z",
  "tenant_id": "tenant-uuid",
  "actor_type": "USER",
  "actor_id": "user-uuid",
  "action": "attestation.mint",
  "resource_type": "attestation",
  "resource_id": "attestation-uuid",
  "service": "trust-registry",
  "outcome": "SUCCESS",
  "metadata": {
    "issuer_id": "issuer-uuid",
    "subject": "user:12345",
    "claim": "email_verified"
  },
  "integrity_hash": "sha256:abc123..."
}

Troubleshooting

Symptom: Status is degraded
Cause: Destination unreachable or returning errors
Fix: Check the endpoint URL, credentials, and firewall rules

Symptom: Status is failed
Cause: Retries exhausted after 24 hours
Fix: Fix the destination, then update it to re-enable streaming

Symptom: Missing events
Cause: Destination was disabled during the gap
Fix: Events during a disabled period are not retroactively streamed. Use an audit export to backfill.

Symptom: Duplicate events
Cause: A retry delivered the same event twice
Fix: Use the id field to deduplicate on your SIEM side

Next steps

Audit logs

Query events, configure retention, and export logs.

Compliance exports

Export audit data in SOC 2, GDPR, and HIPAA formats.