Skip to content

SIEM Sync (Real-time Log Forwarding)

Volidator allows you to forward real-time, end-to-end encrypted audit logs directly to your security information and event management (SIEM) telemetry pipelines.

Because Volidator enforces Zero-Knowledge storage, logs are forwarded to SIEM endpoints in their encrypted ciphertext format. Decryption and validation happen at your perimeter ingestion layer.


Currently, Volidator supports native outbound edge integrations for:

  • Datadog Logs API: Send log arrays to Datadog’s HTTP intake endpoints.
  • Splunk HTTP Event Collector (HEC): Stream event streams directly to Splunk HEC.

For maximum security, your SIEM credentials (like your Datadog API Key or Splunk HEC token) are never stored in plaintext by Volidator.

When you input keys in the Volidator settings dashboard, your browser retrieves the project public key and encrypts the credentials using RSA-4096 locally. They are decrypted only in volatile memory during active log forwarding at the edge.


To set up SIEM forwarding:

  1. Navigate to the project settings page on the Volidator dashboard.
  2. Select your Integration Platform.
  3. Enter your SIEM Ingress Endpoint URL (e.g., https://http-intake.logs.datadoghq.com/api/v2/logs for Datadog).
  4. Enter your token or API key.
  5. Click Enable Forwarding.

To prevent injection and spoofing attacks, Volidator attaches a cryptographic signature header X-Volidator-Signature to all outbound SIEM posts.

The header uses a per-project HMAC-SHA-256 signing secret generated in your browser when configuring the channel.

The signature header is formatted as:

X-Volidator-Signature: t=1782714615,v1=912b3a0feec6ab370132c82...
  • t is the Unix timestamp (for clock-skew replay protection).
  • v1 is the computed HMAC signature of t concatenated with the raw post body (t.body).

To decrypt payloads and verify signatures before they reach your internal indices, you can configure a perimeter Vector layer. Below is a sample VRL (Vector Remap Language) configuration to perform this check:

# 1. Verify X-Volidator-Signature header to validate authenticity
signature_header = .headers["x-volidator-signature"] ?? ""
parts, err = parse_key_value(signature_header, delimiter: ",", pair_delimiter: "=")
if err == null && exists(parts.t) && exists(parts.v1) {
# Clock-Skew Replay Protection (Enforce max 5-minute skew)
current_time = to_unix_timestamp(now())
skew = abs(current_time - to_integer!(parts.t))
if skew > 300 {
abort("Replay attack detected: clock skew exceeds 300 seconds")
}
# Hex-decode your secret key and verify HMAC-SHA-256
signing_key = decode_hex!(env("VOLIDATOR_SIGNING_SECRET"))
expected_sig = hmac_sha256(parts.t + "." + .raw_body, signing_key)
if expected_sig != parts.v1 {
abort("Invalid payload signature: verification failed")
}
} else {
abort("Missing or malformed X-Volidator-Signature header")
}
# 2. Decrypt AES-256-GCM log payload using your vault key
decrypted, err = decrypt_aes_gcm(.encryptedPayload, key: env("VOLIDATOR_ENCRYPTION_KEY"))
if err != null {
log("Decryption error: " + err, level: "error")
} else {
. = merge(., parse_json!(decrypted))
del(.encryptedPayload)
}