SIEM Forwarding
Enterprise
Your security events, already in your SIEM.
Every SSH login, policy violation, AI detection, attack-mode trigger, and alert from HostAtlas streams to your Splunk, Datadog, Sentinel, Elastic, or any JSON webhook — in real time. 5 formats, 4 transports, fire-and-forget queued delivery with retry. No pull, no polling, no extra agents.
5 output formats
4 transports
3× retry on failure
0ms blocking send
Works with your stack
Every major SIEM, out of the box.
Five output formats cover the entire enterprise SIEM landscape. Pick what your team already uses.
- Generic JSON: fits any webhook-aware system (Datadog Logs, generic HTTP endpoints, custom ingestion pipelines). Transport: HTTP / HTTPS.
- Syslog RFC5424: the industry standard. Splunk, Graylog, Syslog-ng, rsyslog, LogRhythm — they all speak it. Transport: TCP, TCP+TLS, UDP.
- CEF: ArcSight, Splunk Enterprise Security, and most enterprise SIEMs expect Common Event Format. Transport: TCP, TLS, UDP, HTTP.
- Elastic Common Schema: pre-shaped for Elastic / OpenSearch. Drops straight into Kibana dashboards with no field mapping. Transport: HTTP (Elasticsearch API).
- Azure Sentinel: signed HMAC for the HTTP Data Collector API. Workspace ID + shared key, we handle the rest. Transport: HTTPS only.
- Coming soon: Cribl Stream, Grafana Loki. Purpose-built adapters for modern observability pipelines; both already work via generic JSON. Dedicated format on request.
Every event
Not just log lines. Semantic events.
HostAtlas forwards structured events with full context — not raw logs that need parsing. Your SIEM gets "SSH login from unknown IP on prod server", not a syslog line someone has to regex.
- ssh.session.start: Every SSH login through Gatekeeper
- ssh.break_glass: Bypass-Gatekeeper login detected
- policy.violation.new: Continuous compliance rule failed
- policy.violation.resolved: Violation auto-resolved
- ai.detected: Unauthorized AI component found
- mcp.tools.new: New MCP tool appeared (injection?)
- attack.mode.activated: Auto-trigger fired under attack
- incident.created: New incident opened
- alert.triggered: Metric alert fired
- deploy: Deployment logged
- ransomware.detected: Entropy analysis flagged backup
+ 20 more
Full event catalog
Filter with glob patterns (ssh.*, ai.*, *) per forwarder. Route different event types to different destinations.
Reliability
Your SIEM can go down. HostAtlas won't blink.
All event delivery happens via queued jobs with 3-attempt retry and 60-second backoff. If your SIEM endpoint is unreachable, events stay in the queue until it recovers. Your HostAtlas UI stays snappy, your alerts still fire, your agent never blocks on SIEM I/O.
- Fire-and-forget pattern — producer never blocks on delivery
- 3 retries with exponential backoff per event
- Live stats per forwarder (sent / failed / last error)
- One-click test event to verify endpoint + credentials
{
  "timestamp": "2026-04-20T14:23:17Z",
  "source": "hostatlas",
  "event_type": "ssh.session.start",
  "payload": {
    "ssh_user": "root",
    "source_ip": "203.0.113.42",
    "cert_key_id": "tenant:1|server:2|req:7",
    "principal": "hostatlas-access",
    "server": "web-prod-01",
    "is_break_glass": false
  }
}
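The glob-pattern routing described above and the sample event just shown, worked through as an added example (this is not HostAtlas code; the forwarder names, the severity mapping, the CEF vendor/product/version fields and the `hostatlas@32473` structured-data ID are assumptions made for illustration). It matches the event type against each forwarder's patterns with fnmatch and renders the same semantic event in two of the wire formats the page lists, RFC 5424 syslog with the payload carried as structured data and ArcSight CEF, so the SIEM receives fields rather than a line to regex:

```python
import fnmatch
import json
from datetime import datetime

# Constructed sample event: the page's own example payload, reused as input.
SAMPLE_EVENT = {
    "timestamp": "2026-04-20T14:23:17Z",
    "source": "hostatlas",
    "event_type": "ssh.session.start",
    "payload": {
        "ssh_user": "root",
        "source_ip": "203.0.113.42",
        "cert_key_id": "tenant:1|server:2|req:7",
        "principal": "hostatlas-access",
        "server": "web-prod-01",
        "is_break_glass": False,
    },
}

# Hypothetical forwarder definitions (names and subscriptions are assumptions).
# Each forwarder subscribes to event types with glob patterns, as the page describes.
FORWARDERS = [
    {"name": "splunk-syslog", "format": "syslog", "patterns": ["ssh.*", "attack.*"]},
    {"name": "arcsight-cef", "format": "cef", "patterns": ["*"]},
    {"name": "ai-governance", "format": "json", "patterns": ["ai.*", "mcp.*"]},
]

# Assumed severity mapping per event type: (RFC 5424 severity 0-7, CEF severity 0-10).
SEVERITY = {
    "ssh.break_glass": (4, 7),
    "attack.mode.activated": (1, 9),
    "ransomware.detected": (2, 9),
}
DEFAULT_SEVERITY = (5, 3)  # syslog "notice", CEF low
SYSLOG_FACILITY = 4        # auth


def matching_forwarders(event_type, forwarders=FORWARDERS):
    """Return the names of forwarders whose glob filters match the event type."""
    return [f["name"] for f in forwarders
            if any(fnmatch.fnmatchcase(event_type, p) for p in f["patterns"])]


def _sd_escape(value):
    """RFC 5424 PARAM-VALUE escaping: backslash, double quote and ']'."""
    s = str(value).lower() if isinstance(value, bool) else str(value)
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event):
    """Render the event as an RFC 5424 message; payload goes into structured data."""
    sev, _ = SEVERITY.get(event["event_type"], DEFAULT_SEVERITY)
    pri = SYSLOG_FACILITY * 8 + sev
    payload = event["payload"]
    host = payload.get("server", "-")
    params = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in payload.items())
    # 32473 is the enterprise number IANA reserves for documentation (RFC 5612);
    # a real deployment would use the vendor's registered PEN.
    sd = f'[hostatlas@32473 event_type="{event["event_type"]}" {params}]'
    msg = f'{event["event_type"]} on {host}'
    return (f'<{pri}>1 {event["timestamp"]} {host} {event["source"]} - '
            f'{event["event_type"]} {sd} {msg}')


def _cef_header_escape(value):
    """CEF header fields must escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext_escape(value):
    """CEF extension values escape backslash, '=' and newlines (pipes are fine here)."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(event):
    """Render the event as ArcSight CEF; vendor, product and version are assumptions."""
    _, sev = SEVERITY.get(event["event_type"], DEFAULT_SEVERITY)
    p = event["payload"]
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    ext = {
        "rt": int(ts.timestamp() * 1000),  # event time, epoch milliseconds
        "suser": p.get("ssh_user"),
        "src": p.get("source_ip"),
        "dvchost": p.get("server"),
        "cs1Label": "cert_key_id", "cs1": p.get("cert_key_id"),
        "cs2Label": "principal", "cs2": p.get("principal"),
        "cs3Label": "is_break_glass", "cs3": str(p.get("is_break_glass", False)).lower(),
    }
    header = "|".join(_cef_header_escape(x) for x in (
        "CEF:0", "HostAtlas", "HostAtlas", "1.0",
        event["event_type"], event["event_type"].replace(".", " "), sev))
    extension = " ".join(f"{k}={_cef_ext_escape(v)}" for k, v in ext.items() if v is not None)
    return header + "|" + extension


def route(event, forwarders=FORWARDERS):
    """Map each matching forwarder to the wire message it would be handed for delivery."""
    renderers = {"syslog": to_syslog, "cef": to_cef,
                 "json": lambda e: json.dumps(e, separators=(",", ":"))}
    wanted = set(matching_forwarders(event["event_type"], forwarders))
    return {f["name"]: renderers[f["format"]](event) for f in forwarders if f["name"] in wanted}


if __name__ == "__main__":
    for name, wire in route(SAMPLE_EVENT).items():
        print(f"{name}: {wire}")
```

Two details worth noticing in the output: the `cert_key_id` value contains pipes, which must be escaped in the CEF header but not in the extension, and the boolean `is_break_glass` is serialised as the literal `false` so a downstream rule can match on it without type coercion.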
Get started
Ship every security event to your SIEM today.
SIEM Forwarding is available on Enterprise plans. Add a forwarder in under two minutes, test-send a sample event, pick which event types to route where, and start seeing HostAtlas data in your Splunk/Datadog/Sentinel/Elastic dashboards immediately. No extra agents, no polling, no configuration on the SIEM side beyond standard HEC or HTTP endpoint setup.