SIEM Integration
Forward audit logs to Splunk, Datadog, or webhooks for enhanced security monitoring.
Overview
SIEM (Security Information and Event Management) integration forwards Nefia audit logs in real time to external security monitoring platforms. It achieves high throughput through batch processing and asynchronous delivery while ensuring reliability with retry logic.
Supported Forwarders
| Type | Service | Authentication |
|---|---|---|
| splunk | Splunk HTTP Event Collector (HEC) | Splunk <token> header |
| datadog | Datadog Log Intake API v2 | DD-API-KEY header |
| webhook | Generic HTTP endpoint | Bearer token + HMAC-SHA256 |
Configuration

```yaml
audit:
  siem:
    type: splunk
    endpoint: "https://splunk.example.com:8088/services/collector"
    token_env: "SPLUNK_HEC_TOKEN"
    batch_size: 100
    flush_interval: "5s"
    source: "nefia"
    source_type: "_json"
    index: "security"
```

Payload format (one Splunk HEC event per record):

```json
{"time": 1709000000, "source": "nefia", "sourcetype": "_json", "index": "security", "event": {...}}
```

Configuration Options
| Field | Type | Default | Description |
|---|---|---|---|
| type | string | — | splunk, datadog, webhook (required) |
| endpoint | string | — | Destination URL (required for splunk/webhook) |
| token_env | string | — | Environment variable name for the authentication token (required) |
| webhook_secret_env | string | — | Environment variable name for the HMAC signing key (webhook only) |
| batch_size | int | 100 | Maximum number of records per batch (max 10,000) |
| flush_interval | string | "5s" | Maximum time a partial batch waits before it is sent |
| source | string | "nefia" | Source identifier (Splunk) |
| source_type | string | "_json" | Splunk source type |
| index | string | — | Splunk index name |
| service | string | — | Datadog service tag |
| tags | []string | — | Datadog tags |
Delivery Mechanism
Batch Processing
Records are added to a queue asynchronously. A batch is sent when the buffer reaches batch_size or when flush_interval elapses.
Retries
Failed sends are retried with exponential backoff:
- Initial interval: 1 second
- Maximum interval: 30 seconds
- Maximum retries: 3
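The batch-and-retry behaviour described above, written out as an added Go example; this is not Nefia's own code. Records are queued without blocking the producer, a batch is flushed when it reaches batch_size or when flush_interval fires, and each send is retried with the documented schedule (1 s initial wait, 30 s cap, 3 retries). The Sender, Batcher and RetryPolicy names and the sink in main are constructed for the example; the sleep function is injectable so the backoff schedule can be checked without actually waiting.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

type Record map[string]any             // one audit log entry
type Sender func(batch []Record) error // delivers one batch; an error triggers a retry

// RetryPolicy: documented defaults are 1 s initial wait, 30 s cap, 3 retries. Sleep is injectable for tests.
type RetryPolicy struct {
	Initial, Max time.Duration
	MaxRetries   int
	Sleep        func(time.Duration)
}

var DefaultRetry = RetryPolicy{time.Second, 30 * time.Second, 3, time.Sleep}

// SendWithRetry: one attempt plus up to MaxRetries retries, doubling the wait (capped at Max). Returns attempts made.
func SendWithRetry(send Sender, batch []Record, p RetryPolicy) (int, error) {
	wait := p.Initial
	for attempt := 1; ; attempt++ {
		if err := send(batch); err == nil {
			return attempt, nil
		} else if attempt > p.MaxRetries {
			return attempt, fmt.Errorf("giving up after %d attempts: %w", attempt, err)
		}
		p.Sleep(wait)
		if wait *= 2; wait > p.Max {
			wait = p.Max
		}
	}
}

// Batcher queues records and flushes when batch_size is reached or flush_interval elapses.
// One worker goroutine owns buf and does the sending, so Add never waits on the network.
type Batcher struct {
	in        chan Record
	buf       []Record
	batchSize int
	send      Sender
	wg        sync.WaitGroup
}

func NewBatcher(batchSize int, flushInterval time.Duration, send Sender) *Batcher {
	b := &Batcher{in: make(chan Record, batchSize), batchSize: batchSize, send: send}
	b.wg.Add(1)
	go b.run(flushInterval)
	return b
}

func (b *Batcher) Add(r Record) { b.in <- r } // returns once the record is buffered; not safe after Close

func (b *Batcher) run(flushInterval time.Duration) {
	defer b.wg.Done()
	ticker := time.NewTicker(flushInterval)
	defer ticker.Stop()
	for {
		select {
		case r, ok := <-b.in:
			if !ok { // Close closed the queue: deliver the partial batch and stop
				b.flush()
				return
			}
			b.buf = append(b.buf, r)
			if len(b.buf) >= b.batchSize {
				b.flush()
			}
		case <-ticker.C:
			b.flush()
		}
	}
}

func (b *Batcher) flush() {
	if len(b.buf) == 0 {
		return
	}
	batch := b.buf
	b.buf = nil
	if _, err := SendWithRetry(b.send, batch, DefaultRetry); err != nil {
		fmt.Println("siem: batch dropped:", err) // a real forwarder would count this
	}
}

// Close stops accepting records, delivers what remains and waits for the worker to finish.
func (b *Batcher) Close() {
	close(b.in)
	b.wg.Wait()
}

func main() {
	b := NewBatcher(2, 5*time.Second, func(batch []Record) error { fmt.Println("sent", len(batch)); return nil }) // constructed sink
	b.Add(Record{"event": "login"}) // constructed record
	b.Close()
}
```

With the defaults, a batch that fails four times in a row is dropped after waits of 1 s, 2 s and 4 s; a forwarder that must never lose records would spill such batches to disk instead of logging them, which is outside what the page describes.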
Network Requirements
- TLS 1.2 or higher
- HTTP timeout: 30 seconds
Security Considerations
- Authentication tokens are passed via environment variables (not written directly in the configuration file)
- Webhooks can verify payload integrity using HMAC-SHA256
- TLS 1.2+ is enforced to ensure secure communication
- Each outgoing payload batch is limited to 1 MB (MaxWebhookPayloadBytes). Batches exceeding this limit are rejected to prevent memory exhaustion
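How the receiving side of a webhook would apply the bearer-token, HMAC-SHA256 and 1 MB checks listed above, as an added Go example rather than Nefia's code. The page does not specify how the signature is carried, so the header name X-Nefia-Signature, the hex encoding of the MAC, the request path and the secrets are assumptions; maxPayloadBytes stands in for the page's MaxWebhookPayloadBytes.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxPayloadBytes mirrors the 1 MB per-batch limit described above.
const maxPayloadBytes = 1 << 20

// signatureHeader is a hypothetical name: the page does not say how the HMAC is carried.
const signatureHeader = "X-Nefia-Signature"

// Sign returns the hex HMAC-SHA256 of body under key, computed over the exact bytes on the wire.
func Sign(key, body []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifySignature uses hmac.Equal (constant time) so a forged MAC cannot be matched byte by byte via timing.
func VerifySignature(key, body []byte, sigHex string) bool {
	want, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return hmac.Equal(m.Sum(nil), want)
}

// WebhookReceiver: bearer token first, then the size cap while reading, then the HMAC over the bytes actually read.
type WebhookReceiver struct {
	BearerToken string
	HMACKey     []byte
	Accepted    [][]byte // bodies that passed every check
}

func (w *WebhookReceiver) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(rw, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	want := []byte("Bearer " + w.BearerToken)
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
		http.Error(rw, "unauthorized", http.StatusUnauthorized)
		return
	}
	// MaxBytesReader stops at the limit, so an oversized batch is rejected
	// without the whole thing ever being buffered in memory.
	body, err := io.ReadAll(http.MaxBytesReader(rw, r.Body, maxPayloadBytes))
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(rw, "payload too large", http.StatusRequestEntityTooLarge)
		return
	} else if err != nil {
		http.Error(rw, "bad request", http.StatusBadRequest)
		return
	}
	if !VerifySignature(w.HMACKey, body, r.Header.Get(signatureHeader)) {
		http.Error(rw, "invalid signature", http.StatusForbidden)
		return
	}
	w.Accepted = append(w.Accepted, body)
	rw.WriteHeader(http.StatusAccepted)
}

// SignedRequest builds a request the way the forwarder would: bearer token plus
// HMAC over the body. The path is a constructed placeholder.
func SignedRequest(token string, key, body []byte) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "/nefia/audit", bytes.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set(signatureHeader, Sign(key, body))
	return req
}

// Deliver runs one request through the receiver in-process and returns the status code.
func Deliver(w *WebhookReceiver, req *http.Request) int {
	rec := httptest.NewRecorder()
	w.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	key := []byte("constructed-shared-secret") // in Nefia this would come from webhook_secret_env
	rcv := &WebhookReceiver{BearerToken: "constructed-token", HMACKey: key}
	body := []byte(`{"time":1709000000,"event":{"action":"login"}}`) // constructed batch
	fmt.Println("status:", Deliver(rcv, SignedRequest("constructed-token", key, body)))
}
```

The order of the checks is deliberate: the cheap token comparison runs before any body is read, the size cap is enforced by the reader itself, and the MAC is computed over the bytes the receiver actually consumed, which is what makes a tampered or truncated batch fail verification.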
SSRF Prevention
All SIEM endpoint URLs are validated to prevent Server-Side Request Forgery (SSRF) attacks. This protects against an attacker configuring a SIEM endpoint that targets internal services.
URL scheme validation:
- Only https:// and http:// schemes are allowed. Other schemes (e.g., file://, ftp://) are rejected.
DNS resolution validation:
- Hostnames are resolved at configuration time and checked against blocked IP ranges.
- The resolved IP is re-validated at connection time (DialContext) to prevent DNS rebinding attacks, where a hostname resolves to a safe address during validation but to a private address at connection time.
Blocked address ranges:
| Range | Description |
|---|---|
| 127.0.0.0/8 | Loopback |
| 10.0.0.0/8 | Private (RFC 1918) |
| 172.16.0.0/12 | Private (RFC 1918) |
| 192.168.0.0/16 | Private (RFC 1918) |
| 169.254.0.0/16 and fe80::/10 | Link-local |
| 224.0.0.0/4 and ff00::/8 | Multicast |
| 0.0.0.0 and :: | Unspecified |
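The two-stage SSRF check this section describes, as an added Go example and not Nefia's implementation: scheme and resolved-address validation at configuration time, then the same address check repeated inside DialContext so a DNS answer that changes between validation and use cannot redirect the connection. The Resolver type is injectable (a real deployment would wrap net.DefaultResolver.LookupNetIP) and the resolver in main is constructed. The block list mirrors the table above with 0.0.0.0 and :: written as /32 and /128 prefixes; ::1/128 and fc00::/7 are additions here that the page's table does not list, included because IPv6 loopback and unique-local addresses are the same kind of internal destination.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"time"
)

// Resolver maps a hostname to addresses; injectable so the checks run without DNS.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

// blockedRanges mirrors the page's table; the last two entries (::1/128, fc00::/7) are additions.
var blockedRanges = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("224.0.0.0/4"), netip.MustParsePrefix("ff00::/8"),
	netip.MustParsePrefix("0.0.0.0/32"), netip.MustParsePrefix("::/128"),
	netip.MustParsePrefix("::1/128"), netip.MustParsePrefix("fc00::/7"),
}

// IsBlocked reports whether ip lies in a blocked range. Unmap makes ::ffff:127.0.0.1 match
// 127.0.0.0/8; the zone is dropped because Prefix.Contains never matches a zoned address.
func IsBlocked(ip netip.Addr) bool {
	ip = ip.Unmap().WithZone("")
	for _, p := range blockedRanges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// resolveSafe returns host's addresses or an error if any one of them is blocked.
func resolveSafe(ctx context.Context, host string, resolve Resolver) ([]netip.Addr, error) {
	lit, err := netip.ParseAddr(host)
	ips := []netip.Addr{lit}
	if err != nil { // not an IP literal: ask DNS and check every answer
		if ips, err = resolve(ctx, host); err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %q", host)
	}
	for _, ip := range ips {
		if IsBlocked(ip) {
			return nil, fmt.Errorf("%q resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// ValidateEndpoint is the configuration-time check: scheme and host, then resolution.
func ValidateEndpoint(ctx context.Context, raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid endpoint URL: %w", err)
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Hostname() == "" {
		return fmt.Errorf("endpoint %q: only https:// or http:// URLs with a host are allowed", raw)
	}
	_, err = resolveSafe(ctx, u.Hostname(), resolve)
	return err
}

// SafeDialContext is the connection-time check: it re-resolves right before dialing and connects
// to the vetted IP, not the hostname, so an answer that changed since validation cannot redirect it.
func SafeDialContext(resolve Resolver) func(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 30 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := resolveSafe(ctx, host, resolve)
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
	}
}

// NewSIEMClient wires the dialer in and enforces the TLS 1.2 minimum and 30 s timeout.
func NewSIEMClient(resolve Resolver) *http.Client {
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{
		DialContext:     SafeDialContext(resolve),
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

func main() {
	private := func(context.Context, string) ([]netip.Addr, error) { return []netip.Addr{netip.MustParseAddr("10.0.0.5")}, nil } // constructed resolver
	fmt.Println(ValidateEndpoint(context.Background(), "https://siem.example.com/", private))
}
```

Dialing the vetted IP rather than the hostname is what closes the rebinding window; http.Transport still derives the TLS server name from the request URL, so certificate verification and SNI continue to use the configured hostname.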