
# SIEM integration

> Stream audit log events in real time to your SIEM or log management platform.

Stream every audit event to your security information and event management (SIEM) system as it happens. Events flow alongside the standard in-platform audit log so you can use your existing alerting rules, dashboards, and retention infrastructure without gaps.

<Warning>
  SIEM streaming requires the **Enterprise** tier. Contact sales if you need to upgrade.
</Warning>

## How it works

When you create a SIEM destination, the platform begins forwarding every [audit event](/security/audit) to your endpoint in real time. Events are delivered as JSON over HTTPS. If your destination is unreachable, events are buffered and retried with exponential backoff for up to 24 hours.

Each destination has a `status` field that reflects delivery health:

| Status     | Meaning                                                                    |
| :--------- | :------------------------------------------------------------------------- |
| `active`   | Events are streaming normally                                              |
| `degraded` | Delivery is failing — events are being buffered and retried                |
| `failed`   | Retries exhausted. Events were dropped. Fix the destination and re-enable. |

## Supported providers

| Provider           | Transport                  | Auth field                            |
| :----------------- | :------------------------- | :------------------------------------ |
| **Splunk**         | HTTP Event Collector (HEC) | `token`                               |
| **Datadog**        | Log Management API         | `token`                               |
| **AWS CloudWatch** | CloudWatch Logs API (`PutLogEvents`) | `access_key_id` + `secret_access_key` |
| **Elastic / ELK**  | Elasticsearch ingest       | `token`                               |
| **Custom webhook** | HTTP POST                  | `secret`                              |

All providers receive events in JSON format.

## Setting up a destination

You can configure SIEM destinations from the console or via the API.

### From the console

1. Go to **Settings > Audit > SIEM** in the console sidebar
2. Click **Add destination**
3. Select a provider and enter the endpoint URL and credentials
4. Toggle **Enabled** and save

### Via the API

<Steps>
  <Step title="Create a destination">
    Send a `POST` request to `/v1/audit/siem` with your provider, endpoint, and credentials.

    <CodeGroup>
      ```bash cURL theme={null}
      curl -X POST https://api.truthlocks.com/v1/audit/siem \
        -H "X-API-Key: tl_live_..." \
        -H "Content-Type: application/json" \
        -d '{
          "provider": "splunk",
          "endpoint": "https://hec.splunk.example.com:8088/services/collector",
          "token": "your-hec-token",
          "enabled": true
        }'
      ```

      ```typescript create-siem.ts theme={null}
      const destination = await fetch("https://api.truthlocks.com/v1/audit/siem", {
        method: "POST",
        headers: {
          "X-API-Key": "tl_live_...",
          "Content-Type": "application/json",
        },
        body: JSON.stringify({
          provider: "splunk",
          endpoint: "https://hec.splunk.example.com:8088/services/collector",
          token: "your-hec-token",
          enabled: true,
        }),
      });
      // A non-2xx response (bad key, wrong tier, invalid body) carries no id to read.
      if (!destination.ok) {
        throw new Error(`Create failed: ${destination.status} ${await destination.text()}`);
      }
      const { id, status } = await destination.json();
      console.log(`Destination ${id}: ${status}`);
      ```

      ```python create_siem.py theme={null}
      import httpx

      resp = httpx.post(
          "https://api.truthlocks.com/v1/audit/siem",
          headers={"X-API-Key": "tl_live_..."},
          json={
              "provider": "splunk",
              "endpoint": "https://hec.splunk.example.com:8088/services/collector",
              "token": "your-hec-token",
              "enabled": True,
          },
      )
      resp.raise_for_status()  # surface auth, tier or validation errors instead of a KeyError below
      dest = resp.json()
      print(f"Destination {dest['id']}: {dest['status']}")
      ```

      ```go create_siem.go theme={null}
      package main

      import (
      	"fmt"
      	"log"
      	"net/http"
      	"strings"
      )

      func main() {
      	body := `{"provider": "splunk", "endpoint": "https://hec.splunk.example.com:8088/services/collector", "token": "your-hec-token", "enabled": true}`
      	req, err := http.NewRequest("POST", "https://api.truthlocks.com/v1/audit/siem", strings.NewReader(body))
      	if err != nil {
      		log.Fatal(err)
      	}
      	req.Header.Set("X-API-Key", "tl_live_...")
      	req.Header.Set("Content-Type", "application/json")
      	resp, err := http.DefaultClient.Do(req) // standard net/http client; swap in your preferred library
      	if err != nil {
      		log.Fatal(err)
      	}
      	defer resp.Body.Close() // always close the body so the connection can be reused
      	fmt.Println("HTTP status:", resp.Status) // 2xx means the destination was created
      }
      ```
    </CodeGroup>

    The response includes the destination ID and initial status:

    ```json theme={null}
    {
      "id": "siem_abc123",
      "provider": "splunk",
      "endpoint": "https://hec.splunk.example.com:8088/services/collector",
      "enabled": true,
      "created_at": "2026-06-30T12:00:00Z",
      "status": "active"
    }
    ```
  </Step>

  <Step title="Verify delivery">
    List your destinations to confirm the status is `active`:

    ```bash theme={null}
    curl https://api.truthlocks.com/v1/audit/siem \
      -H "X-API-Key: tl_live_..."
    ```

    If the status shows `degraded`, check that your endpoint is reachable and the credentials are correct.
  </Step>
</Steps>
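
Because a `failed` destination has already dropped events, the status check above is worth running on a schedule rather than once at setup. The script below is an added example written for this page, not code from the Truthlocks docs or SDK; it assumes that `GET /v1/audit/siem` returns a JSON array of destination objects shaped like the create response above (`id`, `provider`, `endpoint`, `enabled`, `status`), and it falls back to a constructed sample list when no `TRUTHLOCKS_API_KEY` is set so it runs offline.

```python
"""Poll the destination list and flag anything that is not streaming.

Added example, not code from the Truthlocks docs or SDK. It assumes that
GET /v1/audit/siem returns a JSON array of destination objects shaped like
the create response above (id, provider, endpoint, enabled, status).
"""
import json
import os
import sys
import urllib.request

API_URL = "https://api.truthlocks.com/v1/audit/siem"

# Statuses that mean events are not reaching the SIEM right now.
UNHEALTHY = {"degraded", "failed"}


def fetch_destinations(api_key: str, url: str = API_URL) -> list:
    """List destinations; needs network access and a live API key."""
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def find_unhealthy(destinations: list) -> list:
    """Return one finding per degraded or failed destination, failed first.

    `failed` means the 24-hour retry window has elapsed and events were
    dropped, so it outranks `degraded`, where events are still buffered.
    """
    findings = []
    for dest in destinations:
        status = dest.get("status")
        if status not in UNHEALTHY:
            continue
        lost = status == "failed"
        findings.append({
            "id": dest.get("id"),
            "provider": dest.get("provider"),
            "status": status,
            "events_lost": lost,
            "action": ("fix the destination, then PUT it with enabled=true and "
                       "backfill the gap from an audit export"
                       if lost
                       else "check endpoint reachability, credentials and firewall rules"),
        })
    # Stable sort: failed destinations first, original order within each group.
    findings.sort(key=lambda f: 0 if f["events_lost"] else 1)
    return findings


# Constructed sample list response, standing in for a live API call.
SAMPLE_DESTINATIONS = [
    {"id": "siem_abc123", "provider": "splunk", "enabled": True, "status": "active"},
    {"id": "siem_def456", "provider": "datadog", "enabled": True, "status": "degraded"},
    {"id": "siem_ghi789", "provider": "webhook", "enabled": True, "status": "failed"},
]

if __name__ == "__main__":
    api_key = os.environ.get("TRUTHLOCKS_API_KEY")
    dests = fetch_destinations(api_key) if api_key else SAMPLE_DESTINATIONS
    problems = find_unhealthy(dests)
    for p in problems:
        print(f"{p['status'].upper():9}{p['id']} ({p['provider']}): {p['action']}")
    # Non-zero exit lets a cron job or CI step page on-call.
    sys.exit(1 if problems else 0)
```

Run it from cron or a CI schedule with `TRUTHLOCKS_API_KEY` exported; a non-zero exit is the signal to alert. Keep the polling interval well inside the 24-hour retry window so a `degraded` destination is fixed before it becomes `failed` and starts losing events.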

## Provider setup

### Splunk

1. In Splunk, go to **Settings > Data Inputs > HTTP Event Collector**
2. Create a new token and set its allowed index (for example `main`); a token limited to one index cannot be used to write anywhere else if it leaks
3. Copy the HEC endpoint URL and token
4. Create a destination with `provider: "splunk"` and the HEC URL as `endpoint`

### Datadog

1. In Datadog, go to **Organization Settings > API Keys**
2. Create a new API key
3. Use `https://http-intake.logs.datadoghq.com/api/v2/logs` as the endpoint (or `datadoghq.eu` for EU)
4. Create a destination with `provider: "datadog"` and your API key as `token`

### AWS CloudWatch

1. Create an IAM user with `logs:CreateLogStream` and `logs:PutLogEvents` permissions, scoped in the policy to the ARN of the target log group rather than `*`; the access key is a long-lived credential, so plan to rotate it
2. Note the access key ID and secret access key
3. Use the CloudWatch Logs endpoint for your region as the `endpoint`
4. Create a destination with `provider: "cloudwatch"`, `access_key_id`, and `secret_access_key`

### Elastic / ELK

1. In Kibana, create an ingest pipeline (under **Stack Management > Ingest Pipelines**, or with a `PUT _ingest/pipeline/<name>` request from **Management > Dev Tools**)
2. Generate an API key whose privileges are limited to writing the target index
3. Use your Elasticsearch ingest endpoint as `endpoint`
4. Create a destination with `provider: "elastic"` and your API key as `token`

### Custom webhook

1. Set up an HTTPS endpoint that accepts `POST` requests with a JSON body
2. Generate a high-entropy shared secret (for example, 32 random bytes) for HMAC signature verification, and keep it out of source control
3. Create a destination with `provider: "webhook"`, your URL as `endpoint`, and the shared secret as `secret`

The platform signs each webhook delivery with an HMAC-SHA256 signature, keyed with your `secret`, in the `X-Truthlocks-Signature` header. Verify this signature on every delivery before processing the body: compute the MAC over the raw request bytes exactly as received, compare it to the header with a constant-time comparison, and reject any request that fails, so that only events the platform actually sent reach your pipeline.
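
An added example of the receiver-side check, written for this page rather than taken from the Truthlocks docs or platform. The page states the algorithm (HMAC-SHA256 keyed with `secret`) and the header name but not the digest encoding, so this code assumes the header holds the lowercase hex digest of the raw request body; confirm that against a real delivery. The secret, body and signature below are constructed for the demo.

```python
"""Verify the X-Truthlocks-Signature header on a custom-webhook delivery.

Added example, not code from the Truthlocks docs or platform. Assumption:
the header carries the lowercase hex HMAC-SHA256 digest of the raw request
body, keyed with the destination `secret` (the page does not state the
encoding, so check it against a real delivery).
"""
import hashlib
import hmac
import json
from typing import Optional

SIGNATURE_HEADER = "X-Truthlocks-Signature"


def sign(secret: str, raw_body: bytes) -> str:
    """Compute the expected signature for a body (what the sender would emit)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify(secret: str, raw_body: bytes, signature: Optional[str]) -> bool:
    """Constant-time check of the presented signature against a recomputed one.

    Always hash the raw bytes exactly as received: re-serialising parsed JSON
    changes whitespace and key order and breaks the MAC.
    """
    if not signature:
        return False
    expected = sign(secret, raw_body).encode("ascii")
    presented = signature.strip().lower().encode("utf-8")
    # compare_digest avoids leaking how much of the digest matched through timing.
    return hmac.compare_digest(expected, presented)


def handle_delivery(secret: str, headers: dict, raw_body: bytes) -> dict:
    """Accept a delivery only after the signature checks out, then parse it.

    Returns a small result dict so callers (and tests) can see why a delivery
    was rejected without the function depending on a web framework.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    sig = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify(secret, raw_body, sig):
        return {"accepted": False, "reason": "bad signature"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "body is not JSON"}
    return {"accepted": True, "event_id": event.get("id"), "action": event.get("action")}


# Constructed sample delivery: secret, body and a valid signature built locally.
SAMPLE_SECRET = "whsec-example-do-not-use"
SAMPLE_BODY = json.dumps({
    "id": "evt_abc123",
    "timestamp": "2026-06-30T12:34:56.789Z",
    "action": "attestation.mint",
    "outcome": "SUCCESS",
}, separators=(",", ":")).encode("utf-8")
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  SIGNATURE_HEADER: sign(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
    # Any change to the body, even one trailing byte, must be rejected.
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" "))
```

In a real receiver, read the request body as bytes before any JSON middleware touches it and pass those bytes to `handle_delivery`. The check proves the body came from a holder of `secret`; it does not by itself stop a captured delivery from being replayed, which is one more reason to deduplicate on the event `id` as the troubleshooting section advises.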

## Managing destinations

### Update a destination

Change the endpoint, credentials, or enabled state:

```bash theme={null}
curl -X PUT https://api.truthlocks.com/v1/audit/siem/siem_abc123 \
  -H "X-API-Key: tl_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "endpoint": "https://hec-new.splunk.example.com:8088/services/collector",
    "token": "your-new-hec-token",
    "enabled": true
  }'
```

### Delete a destination

Remove a streaming destination. In-flight events are flushed before deletion completes.

```bash theme={null}
curl -X DELETE https://api.truthlocks.com/v1/audit/siem/siem_abc123 \
  -H "X-API-Key: tl_live_..."
```

## Event format

Each event streamed to your SIEM matches the [audit event structure](/security/audit#audit-event-structure):

```json theme={null}
{
  "id": "evt_abc123",
  "timestamp": "2026-06-30T12:34:56.789Z",
  "tenant_id": "tenant-uuid",
  "actor_type": "USER",
  "actor_id": "user-uuid",
  "action": "attestation.mint",
  "resource_type": "attestation",
  "resource_id": "attestation-uuid",
  "service": "trust-registry",
  "outcome": "SUCCESS",
  "metadata": {
    "issuer_id": "issuer-uuid",
    "subject": "user:12345",
    "claim": "email_verified"
  },
  "integrity_hash": "sha256:abc123..."
}
```

## Troubleshooting

| Symptom              | Cause                                       | Fix                                                                                                                             |
| :------------------- | :------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------ |
| Status is `degraded` | Destination unreachable or returning errors | Check endpoint URL, credentials, and firewall rules                                                                             |
| Status is `failed`   | Retries exhausted after 24 hours            | Fix the destination, then update it to re-enable streaming                                                                      |
| Missing events       | Destination was disabled during the gap     | Events during a disabled period are not retroactively streamed. Use an [audit export](/api-reference/audit/export) to backfill. |
| Duplicate events     | Retry delivered the same event twice        | Use the `id` field to deduplicate on your SIEM side                                                                             |
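
The idempotent-ingestion logic the "Duplicate events" row calls for, as an added example that is not Truthlocks code. It keys on the event `id` from the event format above, keeps the table of seen ids bounded so a busy stream cannot exhaust memory, and treats the same `id` arriving with a different `integrity_hash` as a conflict to investigate rather than a benign retry, since a retry re-sends the same event (that policy is this example's, not something the page specifies). The sample stream, including its `FAILURE` outcome value, is constructed.

```python
"""Idempotent ingestion for streamed audit events.

Added example, not Truthlocks code. Retries can deliver an event more than
once; deduplicate on `id`, and flag the same `id` with a different
`integrity_hash` as a conflict instead of silently dropping it.
"""
import json
from collections import OrderedDict
from typing import Optional


class EventDeduper:
    def __init__(self, max_ids: int = 100_000):
        # id -> integrity_hash, oldest first; the oldest entry is evicted past max_ids.
        self._seen: "OrderedDict[str, Optional[str]]" = OrderedDict()
        self.max_ids = max_ids

    def classify(self, event: dict) -> str:
        """Return 'new', 'duplicate' or 'conflict' and remember the event."""
        eid = event.get("id")
        ihash = event.get("integrity_hash")
        if not eid:
            # Without an id the event cannot be deduplicated; surface it for review.
            return "conflict"
        if eid not in self._seen:
            self._seen[eid] = ihash
            if len(self._seen) > self.max_ids:
                self._seen.popitem(last=False)
            return "new"
        # Refresh recency so ids that keep being retried are not evicted early.
        self._seen.move_to_end(eid)
        return "duplicate" if self._seen[eid] == ihash else "conflict"


def ingest(lines: list, deduper: Optional[EventDeduper] = None) -> dict:
    """Process newline-delimited JSON deliveries and report what to forward."""
    deduper = deduper or EventDeduper()
    forward, dropped, conflicts = [], 0, []
    for line in lines:
        event = json.loads(line)
        verdict = deduper.classify(event)
        if verdict == "new":
            forward.append(event)
        elif verdict == "duplicate":
            dropped += 1
        else:
            conflicts.append(event.get("id"))
    return {"forward": forward, "dropped": dropped, "conflicts": conflicts}


# Constructed sample stream: evt_1 retried once (benign), evt_2 re-delivered
# with a different hash and outcome (conflict), evt_3 seen once.
SAMPLE_STREAM = [
    json.dumps({"id": "evt_1", "action": "attestation.mint", "outcome": "SUCCESS",
                "integrity_hash": "sha256:aaa"}),
    json.dumps({"id": "evt_2", "action": "attestation.mint", "outcome": "SUCCESS",
                "integrity_hash": "sha256:bbb"}),
    json.dumps({"id": "evt_1", "action": "attestation.mint", "outcome": "SUCCESS",
                "integrity_hash": "sha256:aaa"}),
    json.dumps({"id": "evt_2", "action": "attestation.mint", "outcome": "FAILURE",
                "integrity_hash": "sha256:ccc"}),
    json.dumps({"id": "evt_3", "action": "attestation.mint", "outcome": "SUCCESS",
                "integrity_hash": "sha256:ddd"}),
]

if __name__ == "__main__":
    result = ingest(SAMPLE_STREAM)
    print(len(result["forward"]), "forwarded,", result["dropped"], "dropped,",
          "conflicts:", result["conflicts"])
```

Size `max_ids` to cover at least the 24-hour retry window at your event rate, since a duplicate can arrive that long after the original; a SIEM that already dedupes natively on a field can use `id` there instead and keep only the conflict check.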

## Next steps

<CardGroup cols={2}>
  <Card title="Audit logs" icon="scroll" href="/security/audit">
    Query events, configure retention, and export logs.
  </Card>

  <Card title="Compliance exports" icon="file-export" href="/guides/compliance-exports">
    Export audit data in SOC 2, GDPR, and HIPAA formats.
  </Card>
</CardGroup>
