SIEM integration

enterprise

Stream grith audit events to Splunk, Elastic, Sentinel, Datadog, or a generic HTTP target.

Stream grith's audit events to your SIEM in real time. Each device pushes to the SIEM directly (no central aggregator), with consistent shapes and signed metadata.

Supported SIEMs (native)

  • Splunk — via HEC (HTTP Event Collector).
  • Elastic — Elasticsearch directly or via Logstash, optionally reshaped to the Elastic Common Schema (ECS).
  • Microsoft Sentinel — via the Log Ingestion API or a Logic App.
  • Datadog — via the Logs API.
  • Sumo Logic — via HTTP source.
  • Generic webhook — any HTTP endpoint that accepts JSON.

Splunk example

[siem.splunk]
enabled = true
hec_url = "https://splunk.acme.com:8088/services/collector"
hec_token = "..."
index = "grith"
sourcetype = "grith:audit"
batch_size = 100
batch_window_seconds = 5

Each event becomes a Splunk event with the audit record as _raw plus indexed fields.

Elastic example

[siem.elastic]
enabled = true
endpoint = "https://elastic.acme.com:9200"
index = "grith-audit-{YYYY.MM}"
api_key = "..."
ecs_compliant = true

ecs_compliant = true reshapes the events to Elastic Common Schema (@timestamp, event.*, user.*, etc.) for compatibility with built-in Kibana dashboards.

Generic webhook

For any HTTP target:

[siem.generic]
enabled = true
url = "https://siem.acme.com/ingest"
method = "POST"
headers = { "Authorization" = "Bearer ..." }
batch_size = 50
hmac_secret = "..."          # signs each batch with X-Grith-Signature
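Verify X-Grith-Signature on the receiving side before a batch is accepted: without that check, anyone who can reach the ingest URL can inject fabricated audit events or rewrite real ones in transit. The page does not specify how the signature is constructed, so the receiver below is an added example (not grith's code) that assumes hex HMAC-SHA256 over the raw request body, keyed with hmac_secret, and a batch that is a JSON array of default-shape events. The secret and the sample batch are constructed.

```python
"""Receiver-side verification for grith's generic webhook (added example).

Assumed, since the page does not state it: X-Grith-Signature carries
hex(HMAC-SHA256(hmac_secret, raw request body)) and a batch is a JSON
array of audit events in the default event shape.
"""
import hashlib
import hmac
import json

# Shared secret matching hmac_secret in [siem.generic]; constructed value.
HMAC_SECRET = b"example-shared-secret"
SIGNATURE_HEADER = "X-Grith-Signature"


def sign_batch(secret: bytes, body: bytes) -> str:
    """Assumed producer-side construction: hex HMAC-SHA256 over the exact
    bytes of the request body. Sign the bytes sent, never a re-serialised
    object, or the receiver cannot reproduce the digest."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_batch(secret: bytes, headers: dict, body: bytes) -> list:
    """Check the signature before parsing anything, then return the batch's
    events. Raises ValueError for a missing or wrong signature."""
    presented = headers.get(SIGNATURE_HEADER, "").strip().lower()
    if not presented or not presented.isascii():
        raise ValueError("missing or malformed signature header")
    expected = sign_batch(secret, body)
    # Constant-time compare: a plain == stops at the first differing byte
    # and leaks how much of the digest an attacker has guessed.
    if not hmac.compare_digest(expected, presented):
        raise ValueError("signature mismatch")
    events = json.loads(body)
    if not isinstance(events, list):
        raise ValueError("batch must be a JSON array of audit events")
    return events


# Constructed sample batch in the page's default event shape.
SAMPLE_BATCH = [
    {"id": "uuid-1", "ts": "2026-05-14T09:14:23Z", "session": "abc12345",
     "host": "devmachine-42", "user": "alice@acme.com", "team": "acme-eng",
     "operation": "file_read", "target": "/home/alice/.ssh/config",
     "decision": "queue", "resolved": "deny", "composite_score": 4.2,
     "filters": ["sensitive_path"], "profile": "claude-code",
     "pid": 17421, "command": "claude"},
]


def demo() -> dict:
    """Happy path plus the two failures the check exists for."""
    body = json.dumps(SAMPLE_BATCH, separators=(",", ":")).encode()
    good = {SIGNATURE_HEADER: sign_batch(HMAC_SECRET, body)}
    accepted = verify_batch(HMAC_SECRET, good, body)

    # Tampered body: "deny" rewritten to "allow" after signing.
    tampered = body.replace(b'"resolved":"deny"', b'"resolved":"allow"')
    try:
        verify_batch(HMAC_SECRET, good, tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    # Unsigned submission straight to the ingest URL.
    try:
        verify_batch(HMAC_SECRET, {}, body)
        unsigned_rejected = False
    except ValueError:
        unsigned_rejected = True

    return {"accepted": len(accepted), "tamper_rejected": tamper_rejected,
            "unsigned_rejected": unsigned_rejected}


if __name__ == "__main__":
    print(demo())
```

The signature authenticates a batch but does not stop a captured batch from being replayed; keep the ingest URL on TLS and deduplicate on the event id field that every record already carries.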

Event shape (default)

{
  "id": "uuid-...",
  "ts": "2026-05-14T09:14:23Z",
  "session": "abc12345-...",
  "host": "devmachine-42",
  "user": "alice@acme.com",
  "team": "acme-eng",
  "operation": "file_read",
  "target": "/home/alice/.ssh/config",
  "decision": "queue",
  "resolved": "deny",
  "composite_score": 4.2,
  "filters": [...],
  "profile": "claude-code",
  "pid": 17421,
  "command": "claude"
}

For SIEMs that prefer a specific schema (CEF, LEEF, ECS), the format = "cef" | "leef" | "ecs" option transforms each event before it is sent.
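The format option does that transform inside grith. As an added illustration (not grith's own code) of what such a reshape involves, the following maps a default-shape event onto ECS core fields and onto a CEF:0 line. The field mapping, the "grith" vendor/product strings, the severity scale (composite_score rounded and clamped to CEF's 0-10) and the custom-field labels are this example's assumptions. The part that matters for a SIEM is the escaping: a target path containing "|" or "=" would otherwise split the CEF header or forge an extension field, which is exactly the kind of log injection an agent-controlled filename can attempt.

```python
"""Render a default-shape grith audit event as ECS and as CEF (added example,
not grith's transform). Field mapping, vendor/product strings, severity
scale and custom-field labels are assumptions of this example.
"""
from datetime import datetime, timezone

# Constructed event in the page's default shape; the target deliberately
# contains characters that CEF requires to be escaped.
EVENT = {
    "id": "uuid-1",
    "ts": "2026-05-14T09:14:23Z",
    "session": "abc12345",
    "host": "devmachine-42",
    "user": "alice@acme.com",
    "team": "acme-eng",
    "operation": "file_read",
    "target": "/home/alice/notes/a=b|c.txt",
    "decision": "queue",
    "resolved": "deny",
    "composite_score": 4.2,
    "filters": ["sensitive_path"],
    "profile": "claude-code",
    "pid": 17421,
    "command": "claude",
}


def to_ecs(ev: dict) -> dict:
    """Map onto ECS core fields; grith-specific fields live under a custom
    top-level 'grith' object so they cannot collide with ECS names."""
    return {
        "@timestamp": ev["ts"],
        "event": {
            "id": ev["id"],
            "action": ev["operation"],
            "outcome": "failure" if ev["resolved"] == "deny" else "success",
            "risk_score": ev["composite_score"],
        },
        "user": {"email": ev["user"], "group": {"name": ev["team"]}},
        "host": {"name": ev["host"]},
        "process": {"pid": ev["pid"], "name": ev["command"]},
        "file": {"path": ev["target"]},
        "grith": {
            "session": ev["session"],
            "decision": ev["decision"],
            "resolved": ev["resolved"],
            "filters": ev["filters"],
            "profile": ev["profile"],
        },
    }


def _cef_header(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev: dict) -> str:
    """One CEF:0 line: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    severity = max(0, min(10, round(ev["composite_score"])))  # assumed 0-10 scale
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    ext = {
        "rt": int(ts.timestamp() * 1000),  # 'rt' accepts epoch milliseconds
        "suser": ev["user"],
        "shost": ev["host"],
        "act": ev["resolved"],
        "fname": ev["target"],
        "spid": ev["pid"],
        "sproc": ev["command"],
        "cs1Label": "session", "cs1": ev["session"],
        "cs2Label": "decision", "cs2": ev["decision"],
        "cs3Label": "filters", "cs3": ",".join(ev["filters"]),
        "cn1Label": "compositeScore", "cn1": ev["composite_score"],
    }
    header = "|".join(_cef_header(x) for x in (
        "CEF:0", "grith", "grith", "1", ev["operation"],
        f"{ev['operation']} {ev['resolved']}", severity))
    extension = " ".join(f"{k}={_cef_ext(v)}" for k, v in ext.items())
    return f"{header}|{extension}"


if __name__ == "__main__":
    print(to_cef(EVENT))
```

Note the asymmetry: "|" is escaped only in the header, "=" only in the extension, so a path containing both still parses correctly on the collector and the original target is recoverable.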

Retry & buffering

If the SIEM is unreachable:

  • Events buffer locally up to siem.buffer_max_bytes (default 100MB).
  • Buffer flushes on reconnect.
  • On overflow, the oldest events are dropped (configurable: on_overflow = "drop-oldest" | "drop-newest" | "fail-open" | "fail-closed").

fail-closed means grith stops accepting agent operations whenever it cannot deliver to the SIEM, so a SIEM outage halts agents on every device. Use it only when SIEM availability is deliberately part of your control posture. With the drop-* policies the audit trail is incomplete after an outage longer than the buffer can absorb, so size siem.buffer_max_bytes for the longest outage you intend to tolerate.

Per-event filtering

Reduce SIEM volume by filtering before send:

[siem.splunk]
include_events = ["queue", "deny"]    # drop auto-allow events
exclude_filters = ["behavioural"]      # don't send behavioural-only quarantines
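The two settings compose in a way worth being precise about: exclude_filters should drop an event only when every filter that fired is in the excluded set, otherwise a quarantine that tripped both a behavioural filter and, say, a sensitive-path filter would be lost. The following is an added example (not grith's implementation) of that pre-send logic over constructed events. It assumes include_events is matched against the event's decision field and that exclude_filters names entries of the filters list, where an entry is either a bare name or an object with a "name" key.

```python
"""Pre-send filtering with the include_events / exclude_filters semantics
(added example, not grith's implementation). Assumed: include_events is
matched against "decision"; exclude_filters names entries of "filters",
each entry being a bare name or a dict with a "name" key.
"""


def _filter_names(ev: dict) -> set:
    """Normalise the filters list to a set of names (entry shape is assumed)."""
    return {f["name"] if isinstance(f, dict) else f for f in ev.get("filters") or []}


def should_send(ev: dict, include_events: list, exclude_filters: list) -> bool:
    """True if the event survives both settings."""
    if include_events and ev["decision"] not in include_events:
        return False  # e.g. auto-allow events when include_events = ["queue", "deny"]
    fired = _filter_names(ev)
    if exclude_filters and fired and fired <= set(exclude_filters):
        return False  # only excluded filters fired; nothing else justified the event
    return True


def filter_batch(events: list, include_events: list, exclude_filters: list) -> list:
    return [e for e in events if should_send(e, include_events, exclude_filters)]


# Constructed events carrying only the fields the filter consults plus an id.
SAMPLE_EVENTS = [
    {"id": "e1", "decision": "allow", "filters": []},
    {"id": "e2", "decision": "queue", "filters": ["behavioural"]},
    {"id": "e3", "decision": "queue",
     "filters": ["behavioural", {"name": "sensitive_path"}]},
    {"id": "e4", "decision": "deny", "filters": []},
]


def demo() -> list:
    """Apply the settings from the [siem.splunk] fragment above."""
    kept = filter_batch(SAMPLE_EVENTS, ["queue", "deny"], ["behavioural"])
    return [e["id"] for e in kept]


if __name__ == "__main__":
    print(demo())
```

e1 is dropped by include_events, e2 because behavioural was the only filter that fired, while e3 ships because sensitive_path also fired and e4 ships because a deny with no excluded filter has nothing to exclude it on.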

Last updated: 2026-05-14
© 2026 grith. All rights reserved.