Configuring SIEM (HTTP & Syslog)
SIEM forwarding sends audit events to a Security Information and Event Management system. AppProfileSafe supports two transport modes: HTTP/HTTPS (JSON POST) and Syslog UDP (RFC 5424). Configuration is stored in `siem.xml`.
Connection Settings
The `<Connection>` element in `siem.xml` controls transport and authentication:

| Setting | Description | Default |
|---|---|---|
| `Active` | Global enable/disable switch for SIEM forwarding | `false` |
| `Protocol` | `HTTP`, `HTTPS`, `SyslogUdp`, `SyslogTcp`, `TCP`, `UDP` | `SyslogUdp` |
| `Host` | SIEM server hostname or IP | `localhost` |
| `Port` | Target port | `514` |
| `EndpointUrl` | Full URL including path (e.g. `https://splunk:8088/services/collector`). Takes precedence over `Host:Port`. | — |
| `UseTls` | Enable TLS/SSL (for TCP and HTTP) | `false` |
| `ValidateCertificate` | Validate the server certificate (disabling this removes protection against a spoofed SIEM endpoint) | `true` |
| `TimeoutSeconds` | Connection timeout per request | `5` |
| `RetryAttempts` | Per-connection retry count (separate from pipeline-level retries) | `3` |
Authentication (HTTP/HTTPS)
For HTTP-based SIEM endpoints, use one of the following authentication methods:

| Method | XML Element | Credential Store Reference |
|---|---|---|
| API Key | `<ApiKey>` | `<ApiKeyCredRef>` |
| Bearer Token | `<BearerToken>` | `<BearerTokenCredRef>` |
| Basic (User/Pass) | `<Username>` + `<Password>` | `<PasswordCredRef>` |

Recommended: use the `CredRef` elements to store secrets in Windows Credential Manager instead of inline plaintext values. The `AuthScheme` element controls how the authentication header is constructed: `Auto` (default, heuristic), `Bearer`, `Basic`, `ApiKey`, `Splunk`, or `None`. Use `AuthHeaderName` for custom API key headers (e.g. `DD-API-KEY`).
Message Format
The `<Format>` element controls how events are serialized:

| Setting | Description | Default |
|---|---|---|
| `MessageFormat` | `CEF`, `LEEF`, `JSON`, `Syslog`, `CSV` | `CEF` |
| `SyslogFacility` | Syslog facility number (0–23) | `16` (local0) |
| `SyslogSeverity` | Base Syslog severity (overridden per-event by the event's actual severity) | `Informational` |
| `ApplicationName` | Application identifier in SIEM messages | `AppProfileSafe` |
| `CustomFields` | Additional key-value pairs for SIEM correlation (e.g. `Environment=Production`) | — |
Event Filtering
The optional `<Filtering>` element controls which events are forwarded to the SIEM:

```xml
<Filtering>
  <OnlyFailures>false</OnlyFailures>
  <MinimumSeverity>Info</MinimumSeverity>
  <IncludeActions>
    <Action>ExportCompleted</Action>
    <Action>ImportCompleted</Action>
  </IncludeActions>
  <ExcludeActions>
    <Action>ExportStarted</Action>
  </ExcludeActions>
</Filtering>
```

| Setting | Description |
|---|---|
| `OnlyFailures` | When `true`, only forward events where `Success = false` |
| `MinimumSeverity` | Minimum severity level: `Info`, `Warning`, `Error`, `Critical` |
| `IncludeActions` | Whitelist of action names to forward (if set, only these are sent) |
| `ExcludeActions` | Blacklist of action names to suppress |
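The following is an added example, not AppProfileSafe's own code, showing how the `<Format>` and `<Filtering>` settings above combine: it parses a constructed `siem.xml` fragment, applies the four filter rules to an event, and builds the RFC 5424 header (PRI = facility × 8 + severity) a Syslog sink would emit. The evaluation order of the filter rules and the mapping of application severities onto numeric syslog severities are assumptions; the page does not state them.

```python
import xml.etree.ElementTree as ET

# Constructed siem.xml fragment (element names as documented; values are illustrative).
SIEM_XML = """<Siem>
  <Format><SyslogFacility>16</SyslogFacility><ApplicationName>AppProfileSafe</ApplicationName></Format>
  <Filtering>
    <OnlyFailures>false</OnlyFailures>
    <MinimumSeverity>Warning</MinimumSeverity>
    <IncludeActions><Action>ExportCompleted</Action><Action>ImportCompleted</Action></IncludeActions>
    <ExcludeActions><Action>ExportStarted</Action></ExcludeActions>
  </Filtering>
</Siem>"""

# Ordering used for the MinimumSeverity floor, and an assumed mapping onto RFC 5424 severities.
SEVERITY_RANK = {"Info": 0, "Warning": 1, "Error": 2, "Critical": 3}
SYSLOG_SEVERITY = {"Info": 6, "Warning": 4, "Error": 3, "Critical": 2}

def load_config(xml_text):
    root = ET.fromstring(xml_text)
    flt = root.find("Filtering")
    if flt is None:  # <Filtering> is optional: fall back to "forward everything"
        flt = ET.Element("Filtering")
    get = lambda el, tag, default: (el.findtext(tag, default) or default).strip()
    return {
        "facility": int(get(root, "Format/SyslogFacility", "16")),
        "app": get(root, "Format/ApplicationName", "AppProfileSafe"),
        "only_failures": get(flt, "OnlyFailures", "false").lower() == "true",
        "min_severity": get(flt, "MinimumSeverity", "Info"),
        "include": {a.text.strip() for a in flt.findall("IncludeActions/Action")},
        "exclude": {a.text.strip() for a in flt.findall("ExcludeActions/Action")},
    }

def should_forward(event, cfg):
    """Assumed order: exclude list, include whitelist, severity floor, then OnlyFailures."""
    if event["action"] in cfg["exclude"]:
        return False
    if cfg["include"] and event["action"] not in cfg["include"]:
        return False
    if SEVERITY_RANK[event["severity"]] < SEVERITY_RANK[cfg["min_severity"]]:
        return False
    if cfg["only_failures"] and event["success"]:
        return False
    return True

def syslog_line(event, cfg, timestamp, host):
    """RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG (no structured data)."""
    pri = cfg["facility"] * 8 + SYSLOG_SEVERITY[event["severity"]]
    return f"<{pri}>1 {timestamp} {host} {cfg['app']} - {event['action']} - {event['message']}"
```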
HTTP vs. Syslog
Both transports use the same `siem.xml` configuration; the `Protocol` value determines which sink is activated:

| Property | siem-http | siem-syslog |
|---|---|---|
| Activated when | `Protocol` = `HTTP` (or `HTTPS`) | Any other protocol value |
| Transport | HTTPS POST with JSON body | UDP datagram (RFC 5424) |
| Headers sent | `X-Event-Id`, `X-Operation-Id`, auth headers | — |
| Critical by default | Yes (delivery tracked, retried) | No (best-effort, UDP has no acknowledgement) |
Connection Test
AppProfileSafe tests the SIEM connection on startup. The test validates that the configured host and port are reachable using the appropriate transport (TCP socket connect, UDP send, or HTTP request). If the SIEM is active but unreachable, the application logs a warning. The connection test is skipped when `<Active>false</Active>`.