Forward nSelf audit events, security alerts, and plugin logs to your existing SIEM platform. Supports Splunk HEC, Datadog Log API, Elastic Common Schema (ECS), and generic syslog (RFC 5424). Events are enriched with source plugin, tenant ID, and severity before forwarding.
Install the plugin, then rebuild and start the stack:

```bash
nself plugin install siem
nself build
nself start
```

Splunk HEC configuration:

```bash
SIEM_PROVIDER=splunk
SIEM_SPLUNK_HEC_URL=https://splunk.yourco.com:8088/services/collector
SIEM_SPLUNK_HEC_TOKEN=your-hec-token
SIEM_SPLUNK_INDEX=nself-events
```

Datadog Log API configuration:

```bash
SIEM_PROVIDER=datadog
SIEM_DATADOG_API_KEY=your-datadog-api-key
SIEM_DATADOG_SITE=datadoghq.com
SIEM_DATADOG_SERVICE=nself
```

Elastic (ECS) configuration:

```bash
SIEM_PROVIDER=elastic
SIEM_ELASTIC_URL=https://elastic.yourco.com:9200
SIEM_ELASTIC_API_KEY=your-elastic-api-key
SIEM_ELASTIC_INDEX=nself-events
```

| Variable | Required | Description |
|---|---|---|
| SIEM_PROVIDER | Yes | Target SIEM: splunk, datadog, elastic, syslog |
| SIEM_SEVERITY_MIN | No | Minimum severity to forward: info, warn, error, critical |
| SIEM_BATCH_SIZE | No | Events to batch before sending (default: 100) |
| SIEM_FLUSH_INTERVAL_SECONDS | No | Maximum seconds between flushes even if batch is not full (default: 10) |
| SIEM_SOURCES | No | Comma-separated list of event sources to forward (default: all) |
By default the plugin forwards events from: nself-audit (all mutations and admin actions), auth-enterprise (MFA and SSO events), pentest (high-severity findings), and nSelf core (CLI commands run against production). Set SIEM_SOURCES to restrict forwarding to specific sources.
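To make the filter, enrich, batch and flush behaviour concrete, here is an added example (not the plugin's own code) that models the pipeline described above: events below SIEM_SEVERITY_MIN or outside SIEM_SOURCES are dropped, kept events are enriched with source, tenant ID and severity, and batches are flushed when SIEM_BATCH_SIZE is reached or SIEM_FLUSH_INTERVAL_SECONDS has elapsed. The envelope field names for Splunk HEC and ECS are assumptions, not the plugin's documented schema; the class name and clock injection are likewise hypothetical.

```python
import time

SEVERITY_RANK = {"info": 0, "warn": 1, "error": 2, "critical": 3}


class SiemForwarder:
    """Hypothetical model of the plugin's buffer; not the real implementation."""

    def __init__(self, provider, tenant_id, severity_min="info", sources=(),
                 batch_size=100, flush_interval=10, clock=time.time):
        self.provider, self.tenant_id = provider, tenant_id
        self.severity_min, self.sources = severity_min, set(sources)
        self.batch_size, self.flush_interval = batch_size, flush_interval
        self.clock = clock                 # injectable for deterministic testing
        self.pending, self.sent = [], []   # sent: list of flushed batches
        self.last_flush = clock()

    def accept(self, source, severity, message):
        """Filter, enrich and buffer one event; returns True if it was kept."""
        if SEVERITY_RANK[severity] < SEVERITY_RANK[self.severity_min]:
            return False                   # below SIEM_SEVERITY_MIN
        if self.sources and source not in self.sources:
            return False                   # not listed in SIEM_SOURCES
        event = {"source": source, "severity": severity, "message": message,
                 "tenant_id": self.tenant_id, "ts": self.clock()}
        self.pending.append(self.format(event))
        if len(self.pending) >= self.batch_size:
            self.flush()                   # SIEM_BATCH_SIZE reached
        return True

    def tick(self):
        """Interval timer: flush a partial batch once SIEM_FLUSH_INTERVAL_SECONDS elapsed."""
        if self.pending and self.clock() - self.last_flush >= self.flush_interval:
            self.flush()

    def flush(self):
        if self.pending:
            self.sent.append(self.pending)
            self.pending = []
        self.last_flush = self.clock()

    def format(self, ev):
        """Wrap the enriched event in the target SIEM's envelope (assumed layouts)."""
        if self.provider == "splunk":      # HEC envelope: time/sourcetype/event
            return {"time": ev["ts"], "sourcetype": f"nself:{ev['source']}", "event": ev}
        if self.provider == "elastic":     # ECS-style layout
            return {"@timestamp": ev["ts"], "message": ev["message"],
                    "event": {"provider": ev["source"]}, "log": {"level": ev["severity"]},
                    "labels": {"tenant_id": ev["tenant_id"]}}
        return ev                          # datadog/syslog: plain enriched JSON object
```

Use `/siem/test` and `/siem/flush` against the real plugin to confirm the same filter and flush behaviour end to end.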
| Endpoint | Method | Description |
|---|---|---|
| /siem/status | GET | Connection status, last flush time, and event counts |
| /siem/test | POST | Send a test event to verify connectivity |
| /siem/flush | POST | Force an immediate flush of the pending event buffer |
Pro Plugin — ɳSelf+ | v1.0.0