Event Pipeline, SIEM & Webhooks (Enterprise Edition only)
The Event Pipeline is the central event routing system in AppProfileSafe. Every audit event is wrapped in a canonical ProfileSafeEvent envelope and dispatched to one or more sinks — SIEM (HTTP or Syslog), Webhooks, and the Windows Event Log. The pipeline provides persistent queuing, automatic retry with exponential backoff, per-sink redaction, and dead-letter handling to ensure reliable delivery.
Available Sinks
| Sink ID | Transport | Configuration File | Default Critical |
|---|---|---|---|
| siem-http | HTTPS POST (JSON) | siem.xml | Yes |
| siem-syslog | UDP Syslog (RFC 5424) | siem.xml | No (best-effort) |
| webhook-primary | HTTPS POST (JSON) | webhook.xml | Yes |
| eventlog | Windows Event Log API | eventpipeline.xml (inline) | No |
Critical sinks determine the overall delivery state. If a critical sink permanently fails, the event is moved to the dead-letter queue. Non-critical sinks are best-effort — their failure does not affect the event's overall status.
Configuration Overview
The pipeline is configured across multiple XML files, each controlling a specific subsystem:
| File | Purpose |
|---|---|
| eventpipeline.xml | Pipeline-level settings: queue folder, retry limits, backoff policy, sink declarations, and paths to subsystem configs |
| siem.xml | SIEM connection (protocol, host, port, TLS, authentication), message format, and event filtering |
| webhook.xml | Webhook endpoints, event filters, custom headers, and per-endpoint timeouts |
| redaction.xml | Redaction policies (Suppress, Hash, PartialMask) and sink-to-policy mappings |
All paths are configured in settings.xml via <EventPipelineConfigPath>. The default location is %ProgramData%\IT-Consulting Kinner\AppProfileSafe\Config.
Event Flow
When an audit event is created, the following sequence occurs:
- The AuditLogService writes the entry to the local audit CSV file.
- The entry is converted to a ProfileSafeEvent envelope with a deterministic EventId, OperationId, severity, and context.
- The event is enqueued to the persistent NDJSON queue (queue.jsonl).
- Per-sink redaction is applied before delivery.
- The event is sent to each active sink. Failures are classified as transient (retry with backoff) or permanent (dead-letter immediately).
- Once all critical sinks succeed (or permanently fail), the event's overall state is updated.
Dispatch is asynchronous (fire-and-forget) to ensure pipeline failures never block the local audit CSV write.
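The event flow above, together with the critical versus best-effort sink semantics from the sink table, as an added example that is not AppProfileSafe's own code: a small Python model of the pipeline. It builds an envelope with a deterministic EventId, appends it to an NDJSON queue, applies per-sink redaction (Suppress, Hash, PartialMask) to a copy, and dispatches with exponential backoff, classifying failures as transient or permanent and deriving the overall state from the critical sinks only. The sink IDs and critical flags come from the table; the redaction field mappings, the envelope fields beyond EventId and OperationId, the retry count, the backoff base, the exact hashing and masking rules, and the sender callables are assumptions.

```python
import hashlib
import json

# Constructed model of the pipeline described on this page (not the product's code).
# Sink IDs and critical flags follow the "Available Sinks" table.
SINKS = {
    "siem-http": True,        # critical
    "siem-syslog": False,     # best-effort
    "webhook-primary": True,  # critical
    "eventlog": False,        # best-effort
}

# Hypothetical sink-to-policy mapping: context field -> redaction policy.
REDACTION = {
    "siem-http": {"User": "Hash"},
    "siem-syslog": {"User": "Suppress", "Path": "PartialMask"},
    "webhook-primary": {},
    "eventlog": {"Path": "PartialMask"},
}


class TransientError(Exception):
    """Failure worth retrying (timeout, 5xx, connection refused)."""


class PermanentError(Exception):
    """Failure that will not improve on retry (4xx, rejected payload)."""


def make_event(audit_row: dict, operation_id: str) -> dict:
    """Wrap an audit CSV row in an envelope. EventId is derived from the row
    content, so re-processing the same row yields the same id (deterministic)."""
    canonical = json.dumps(audit_row, sort_keys=True, separators=(",", ":"))
    return {
        "EventId": hashlib.sha256(canonical.encode()).hexdigest()[:32],
        "OperationId": operation_id,
        "Severity": audit_row.get("Severity", "Information"),
        "Context": dict(audit_row),
    }


def apply_policy(value: str, policy: str):
    """Assumed semantics: Suppress drops the field, Hash replaces it with a
    SHA-256 hex digest, PartialMask keeps the first and last two characters."""
    if policy == "Suppress":
        return None
    if policy == "Hash":
        return hashlib.sha256(value.encode()).hexdigest()
    if policy == "PartialMask":
        if len(value) <= 4:
            return "*" * len(value)
        return value[:2] + "*" * (len(value) - 4) + value[-2:]
    raise ValueError(f"unknown policy {policy}")


def redact(event: dict, sink_id: str) -> dict:
    """Return a per-sink copy of the event; the queued original stays intact."""
    out = json.loads(json.dumps(event))
    for field_name, policy in REDACTION.get(sink_id, {}).items():
        if field_name in out["Context"]:
            new = apply_policy(out["Context"][field_name], policy)
            if new is None:
                del out["Context"][field_name]
            else:
                out["Context"][field_name] = new
    return out


def enqueue(path: str, event: dict) -> None:
    """Persist the event as one NDJSON line (append-only queue.jsonl)."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")


def read_queue(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def backoff_seconds(attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Exponential backoff: base * 2^attempt, capped (assumed parameters)."""
    return min(cap, base * (2 ** attempt))


def dispatch(event: dict, senders: dict, max_attempts: int = 3) -> dict:
    """Deliver to every sink and compute the overall state. senders maps
    sink_id -> callable(payload) that raises TransientError or PermanentError
    to signal the failure class. Backoff delays are recorded, not slept."""
    result = {"sinks": {}, "delays": []}
    for sink_id, critical in SINKS.items():
        payload = redact(event, sink_id)      # redaction happens before delivery
        state = "Failed"
        for attempt in range(max_attempts):
            try:
                senders[sink_id](payload)
                state = "Delivered"
                break
            except PermanentError:
                break                         # no retry: dead-letter immediately
            except TransientError:
                if attempt + 1 < max_attempts:
                    result["delays"].append(backoff_seconds(attempt))
        result["sinks"][sink_id] = state
    # Only critical sinks decide the overall state; best-effort failures are ignored.
    critical_failed = [s for s, c in SINKS.items() if c and result["sinks"][s] != "Delivered"]
    result["overall"] = "DeadLetter" if critical_failed else "Delivered"
    return result
```

The queued envelope is never mutated by redaction, which matters for the dead-letter queue: an operator resolving a dead-lettered event sees the full context, while each sink only ever received the view its policy allows.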
Topics in This Section
- Event Pipeline Architecture — Queue, retry, backoff, failure classification, and dead-letter handling
- Configuring SIEM (HTTP & Syslog) — siem.xml connection, format, authentication, and filtering settings
- Configuring Webhooks — webhook.xml endpoints, event filters, headers, and signature verification
- Windows Event Log Integration — Event source, event IDs, and severity mapping
- Redaction & Data Protection — Per-sink redaction policies (Suppress, Hash, PartialMask)
- Event Delivery Troubleshooting — Diagnosing delivery failures, dead-letter resolution, and queue management