
SIEM support

This documentation applies to Piler enterprise edition 2.1.0

Revision #1

Publication date: 2025-DEC-23

Piler supports exporting audit logs to external SIEM systems (Splunk, Elastic, Graylog, etc.) for centralized security monitoring and compliance.

Add the configuration block for your SIEM to the /var/piler/.env file.

Syslog

SIEM_EXPORT_ENABLED=true
SIEM_SYSLOG_HOST=syslog.example.com
SIEM_SYSLOG_PORT=514
SIEM_SYSLOG_PROTOCOL=tcp
SIEM_EXPORT_FORMAT=syslog

Splunk

SIEM_EXPORT_ENABLED=true
SIEM_OUTPUT=http
SIEM_EXPORT_FORMAT=splunk
SIEM_HTTP_URL=https://inputs.<splunk instance>.splunkcloud.com:8088/services/collector/event
SIEM_HTTP_TOKEN=<your token>
SIEM_HTTP_TLS_SKIP_VERIFY=true

Sumo Logic

SIEM_EXPORT_ENABLED=true
SIEM_OUTPUT=http
SIEM_EXPORT_FORMAT=sumo
SIEM_HTTP_URL=https://collectors.de.sumologic.com/receiver/v1/http/<your key>
SIEM_HTTP_SOURCE_CATEGORY=siem/piler/audit
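The three profiles above share one .env file, and the mistakes that break audit export are mundane: a placeholder left in a URL or token, a non-numeric port, or SIEM_HTTP_TLS_SKIP_VERIFY=true still set after the collector's certificate has been fixed. The following validator is an added example, not Piler's own code: it only knows the SIEM_* variables shown on this page, and the set of keys it requires per output (syslog versus http) is an assumption drawn from these examples rather than from Piler's parser. The sample profiles embedded at the bottom are constructed copies of the page's Syslog, Splunk and Sumo Logic blocks plus a hardened Splunk variant.

```python
"""Check the SIEM_* settings in a Piler .env file before enabling export.

Added example, not Piler's own code. Required keys per output are an
assumption based on the documentation's three example profiles.
"""
import re
from typing import Dict, List

# Keys each output needs (assumed from the page's examples, not from Piler).
REQUIRED = {
    "syslog": {"SIEM_SYSLOG_HOST", "SIEM_SYSLOG_PORT", "SIEM_SYSLOG_PROTOCOL"},
    "http": {"SIEM_HTTP_URL"},
}
HTTP_FORMATS = {"splunk", "sumo"}

_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
_PLACEHOLDER = re.compile(r"<[^>]*>")  # e.g. <your token> left in a value


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skips blanks and # comments, strips matching quotes."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        cfg[key] = val
    return cfg


def validate_siem_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the profile looks sane."""
    findings: List[str] = []
    if cfg.get("SIEM_EXPORT_ENABLED", "false").lower() != "true":
        return ["SIEM export is disabled (SIEM_EXPORT_ENABLED != true)"]
    fmt = cfg.get("SIEM_EXPORT_FORMAT", "")
    # The syslog profile on the page sets no SIEM_OUTPUT, so infer it from the format.
    output = cfg.get("SIEM_OUTPUT", "syslog" if fmt == "syslog" else "")
    if output not in REQUIRED:
        return [f"unknown or missing SIEM_OUTPUT: {output!r}"]
    for key in sorted(REQUIRED[output] - cfg.keys()):
        findings.append(f"missing {key} for SIEM_OUTPUT={output}")
    if output == "syslog":
        proto = cfg.get("SIEM_SYSLOG_PROTOCOL", "").lower()
        if not cfg.get("SIEM_SYSLOG_PORT", "").isdigit():
            findings.append("SIEM_SYSLOG_PORT must be numeric")
        if proto not in ("tcp", "udp"):
            findings.append("SIEM_SYSLOG_PROTOCOL should be tcp or udp")
        elif proto == "udp":
            findings.append("udp syslog is lossy and unauthenticated; prefer tcp for audit logs")
    else:
        if fmt not in HTTP_FORMATS:
            findings.append(f"SIEM_EXPORT_FORMAT={fmt!r} is not an http format (splunk, sumo)")
        url = cfg.get("SIEM_HTTP_URL", "")
        token = cfg.get("SIEM_HTTP_TOKEN", "")
        if url and not url.startswith("https://"):
            findings.append("SIEM_HTTP_URL is not https; events and token would travel in clear text")
        if _PLACEHOLDER.search(url) or _PLACEHOLDER.search(token):
            findings.append("placeholder <...> left in SIEM_HTTP_URL or SIEM_HTTP_TOKEN")
        if fmt == "splunk" and not token:
            findings.append("splunk HEC output needs SIEM_HTTP_TOKEN")
        if cfg.get("SIEM_HTTP_TLS_SKIP_VERIFY", "false").lower() == "true":
            findings.append("SIEM_HTTP_TLS_SKIP_VERIFY=true disables certificate checking; "
                            "remove it once the collector's certificate is trusted")
    return findings


# Constructed sample profiles: copies of the page's blocks, plus a hardened Splunk one.
SYSLOG_PROFILE = """SIEM_EXPORT_ENABLED=true
SIEM_SYSLOG_HOST=syslog.example.com
SIEM_SYSLOG_PORT=514
SIEM_SYSLOG_PROTOCOL=tcp
SIEM_EXPORT_FORMAT=syslog
"""
SPLUNK_PROFILE_WEAK = """SIEM_EXPORT_ENABLED=true
SIEM_OUTPUT=http
SIEM_EXPORT_FORMAT=splunk
SIEM_HTTP_URL=https://inputs.<splunk instance>.splunkcloud.com:8088/services/collector/event
SIEM_HTTP_TOKEN=<your token>
SIEM_HTTP_TLS_SKIP_VERIFY=true
"""
SPLUNK_PROFILE_HARDENED = """SIEM_EXPORT_ENABLED=true
SIEM_OUTPUT=http
SIEM_EXPORT_FORMAT=splunk
SIEM_HTTP_URL=https://inputs.example.splunkcloud.com:8088/services/collector/event
SIEM_HTTP_TOKEN=00000000-0000-0000-0000-000000000000
"""
SUMO_PROFILE = """SIEM_EXPORT_ENABLED=true
SIEM_OUTPUT=http
SIEM_EXPORT_FORMAT=sumo
SIEM_HTTP_URL=https://collectors.de.sumologic.com/receiver/v1/http/<your key>
SIEM_HTTP_SOURCE_CATEGORY=siem/piler/audit
"""

if __name__ == "__main__":
    for name, text in [("syslog", SYSLOG_PROFILE), ("splunk-weak", SPLUNK_PROFILE_WEAK),
                       ("splunk-hardened", SPLUNK_PROFILE_HARDENED), ("sumo", SUMO_PROFILE)]:
        print(name, validate_siem_config(parse_env(text)) or "ok")
```

Run it against the real file with `python3 check_siem_env.py` after pointing `parse_env` at `open("/var/piler/.env").read()`; the page's Splunk block as written yields two findings (the unreplaced placeholders and the disabled certificate check), the hardened variant yields none.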