SIEM integration

Outbound log forwarding from Arbiter to the SIEM platforms our customers use. One target per stream; create multiple targets to ship more than one stream.

What you can ship

Six event streams are available today on every supported platform. Each Arbiter SIEM target ships exactly one stream; create one target per stream to ship more than one.

| Stream | Purpose | Default cadence | Default rate cap |
|---|---|---|---|
| Security events | Rule-based detections (SOC alerting and triage) | Real-time (10 s) | 1,000 / h |
| Auth log rejects | Failed authentication attempts (forensics, compliance) | Every minute | 10,000 / h |
| Auth log (all) | Permits and rejects, full RADIUS verdict feed | Every minute | 30,000 / h |
| Accounting events | Acct-Start / Stop / Interim with session lifetime, bytes | Every minute | 20,000 / h |
| Audit log | Operator actions (policy edits, RBAC, settings touches) | Hourly | 1,000 / h |
| Endpoints snapshot | Full device inventory (asset-management overlay) | Daily | None (bounded by table size) |

Append-only. A tick only fires if there is something new since the last successful tick (per-stream cursor on the Arbiter side). Endpoints snapshot is the exception by design: it emits the current inventory once per cadence window.

Cadence and rate cap are per-target and editable. Defaults are sized for an SME tenant (50 to 2,000 endpoints). Raise the cap if your downstream SIEM subscription is sized for more; dial cadence down if you'd rather batch than stream. When a cap is hit, forwarding pauses for the rest of the rolling hour and a warning surfaces on the target row.

Don't see your SIEM?

Arbiter also supports Elastic, Syslog over TLS and a generic HTTPS webhook for platforms like Datadog and New Relic. Guides for those are on the way. If you need one now, email support@arbiter.ie and we can confirm the payload shape your platform expects.
