SIEM integration
Outbound log forwarding from Arbiter to the SIEM platforms our customers use. One target per stream; create multiple targets to ship more than one stream.
What you can ship
Six event streams are available today on every supported platform. Each Arbiter SIEM target ships exactly one stream; create one target per stream to ship more than one.
| Stream | Purpose | Default cadence | Default rate cap |
|---|---|---|---|
| Security events | Rule-based detections (SOC alerting and triage) | Real-time (10 s) | 1,000 / h |
| Auth log rejects | Failed authentication attempts (forensics, compliance) | Every minute | 10,000 / h |
| Auth log (all) | Permits and rejects, full RADIUS verdict feed | Every minute | 30,000 / h |
| Accounting events | Acct-Start / Stop / Interim with session lifetime, bytes | Every minute | 20,000 / h |
| Audit log | Operator actions (policy edits, RBAC, settings touches) | Hourly | 1,000 / h |
| Endpoints snapshot | Full device inventory (asset-management overlay) | Daily | None (bounded by table size) |
Streams are append-only: a tick fires only when there is something new since the last successful tick (Arbiter keeps a per-stream cursor on its side). The endpoints snapshot is the deliberate exception: it emits the current inventory once per cadence window rather than only what changed.
Cadence and rate cap are per-target and editable. Defaults are sized for an SME tenant (50 to 2,000 endpoints). Raise the cap if your downstream SIEM subscription is sized for more; make the cadence less frequent if you would rather batch than stream. When a cap is hit, forwarding pauses for the rest of the rolling hour and a warning surfaces on the target row.
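As an added illustration (this is not Arbiter's code; the product's internals are not published on this page), the Python model below shows the behaviour the two paragraphs above describe: a per-stream cursor that advances only after a successful tick, a snapshot stream that re-emits its full set every window, and a rolling-hour rate cap that pauses forwarding and raises a warning. The names (`SiemTarget`, `tick`, `demo`), the constructed events and inventory, the cap lowered to 5/h, and the rule that forwarding resumes once the oldest shipped event ages out of the rolling hour are all assumptions of this example.

```python
# Added example (not Arbiter's own code): a minimal model of the per-stream
# cursor, the snapshot exception and the rolling-hour rate cap described above.
# Names, the constructed events and the "resume when the oldest shipped event
# ages out of the hour" rule are assumptions of this illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

WINDOW_S = 3600.0  # the rolling hour over which the rate cap is counted


@dataclass
class SiemTarget:
    stream: str
    cadence_s: float
    rate_cap_per_hour: Optional[int]      # None = uncapped (endpoints snapshot)
    snapshot: bool = False                # True: re-emit the full set each window
    cursor: int = 0                       # events[:cursor] were shipped successfully
    sent_times: List[float] = field(default_factory=list)  # ship times in the hour
    paused_until: float = 0.0
    last_tick: float = float("-inf")
    warnings: List[str] = field(default_factory=list)


def tick(target: SiemTarget, now: float, events: List[dict],
         deliver: Callable[[List[dict]], bool]) -> int:
    """Run one cadence tick against the stream's append-only event list.

    deliver(batch) stands in for the SIEM call and returns True on success.
    The cursor advances only after a successful delivery, so a failed tick
    retries the same events next time. Returns the number of events shipped."""
    if now - target.last_tick < target.cadence_s:
        return 0                          # not yet time for this target
    target.last_tick = now
    if now < target.paused_until:
        return 0                          # cap was hit earlier in the rolling hour

    batch = list(events) if target.snapshot else events[target.cursor:]
    if not batch:
        return 0                          # nothing new since the last successful tick

    # forget ship times that have left the rolling hour
    target.sent_times = [t for t in target.sent_times if now - t < WINDOW_S]
    capped = False
    if target.rate_cap_per_hour is not None:
        room = max(target.rate_cap_per_hour - len(target.sent_times), 0)
        if room < len(batch):
            capped = True
            batch = batch[:room]          # ship only what still fits under the cap

    if batch and not deliver(batch):
        return 0                          # delivery failed: cursor untouched, retry later

    if not target.snapshot:
        target.cursor += len(batch)
    target.sent_times.extend([now] * len(batch))
    if capped:
        oldest = min(target.sent_times) if target.sent_times else now
        target.paused_until = oldest + WINDOW_S   # rest of the rolling hour
        target.warnings.append(
            f"{target.stream}: rate cap {target.rate_cap_per_hour}/h hit at t={now:.0f}s, "
            f"forwarding paused until t={target.paused_until:.0f}s")
    return len(batch)


def demo() -> Dict[str, object]:
    """Constructed scenario with the cap lowered to 5/h so the pause is visible."""
    shipped: List[dict] = []

    def ok(batch: List[dict]) -> bool:    # SIEM accepts the batch
        shipped.extend(batch)
        return True

    def fail(batch: List[dict]) -> bool:  # SIEM unreachable
        return False

    sec = SiemTarget("security_events", cadence_s=10, rate_cap_per_hour=5)
    events = [{"id": i, "rule": "constructed-rule"} for i in range(4)]
    r1 = tick(sec, 0, events, ok)         # 4 new events shipped, cursor -> 4
    r2 = tick(sec, 10, events, ok)        # nothing new: tick does not fire
    events.extend({"id": i, "rule": "constructed-rule"} for i in range(4, 7))
    r3 = tick(sec, 20, events, fail)      # SIEM down: 0 shipped, cursor stays at 4
    r4 = tick(sec, 30, events, ok)        # room for 1 more this hour: cap hit, paused
    r5 = tick(sec, 40, events, ok)        # still paused
    r6 = tick(sec, 3600, events, ok)      # first ship times age out: remaining 2 go

    inv = SiemTarget("endpoints_snapshot", cadence_s=86400,
                     rate_cap_per_hour=None, snapshot=True)
    devices = [{"mac": f"00:11:22:33:44:0{i}"} for i in range(3)]  # constructed inventory
    s1 = tick(inv, 0, devices, ok)        # full inventory
    s2 = tick(inv, 10, devices, ok)       # inside the daily window: nothing
    s3 = tick(inv, 86400, devices, ok)    # full inventory again, changed or not

    return {"security_ticks": [r1, r2, r3, r4, r5, r6],
            "security_cursor": sec.cursor,
            "security_warnings": len(sec.warnings),
            "snapshot_ticks": [s1, s2, s3],
            "total_shipped": len(shipped)}
```

The point to take from `demo()` is the interaction between the cursor and the cap: the failed tick at t=20 loses nothing, the capped tick at t=30 ships the one event that still fits and then pauses, and the events that accumulated during the pause are picked up by the cursor as soon as the rolling hour allows. On a real target the warning on the target row is the signal to raise the cap or lengthen the cadence.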
Don't see your SIEM?
Arbiter also supports Elastic, Syslog over TLS and a generic HTTPS webhook for platforms like Datadog and New Relic. Guides for those are on the way. If you need one now, email support@arbiter.ie and we can confirm the payload shape your platform expects.