Skip to content
Last updated July 2, 2026

SIEM Forwarding

SIEM Forwarding lets you push HostAtlas events — alerts, incidents, audit-log entries, agent events — into your existing security-log pipeline in real time. You configure one or more Forwarders, each with a destination endpoint, an output format, an authentication method and an optional event-type filter.

You’ll find it in the sidebar under Security & Compliance → SIEM Forwarding.

The main page lists every forwarder configured for your tenant, with:

  • Name, endpoint, format, transport.
  • Active / paused toggle.
  • Last success at and last error at timestamps.
  • The last error message, if the most recent send failed.

Clicking a forwarder opens its config for editing.

  • Add a forwarder — see the fields below.
  • Send a test event — a synthetic event of type test.event is formatted and shipped exactly the way real events would be. The result (success or the raw error string) is shown inline so you can iterate on TLS certs / auth headers without waiting for a real event to fire.
  • Edit or delete an existing forwarder.
  • Pause a forwarder without deleting it (leaves the config in place).
  • Restrict which events go out by listing event types (e.g. alert.fired,incident.opened), or leave the field as * for all events.
  • Add custom headers (one Key: Value per line) — useful for tenant tags, routing hints or vendor-specific keys.

Each forwarder ships events in one of five formats:

FormatBest for
Generic JSONCustom pipelines, Logstash, Fluent Bit, homegrown collectors.
Syslog RFC 5424Traditional syslog collectors, rsyslog, syslog-ng.
CEF (Common Event Format)ArcSight, QRadar, any ArcSight-compatible SIEM.
ECS (Elastic Common Schema)Elastic Stack, OpenSearch.
Azure Sentinel HTTP Data CollectorMicrosoft Sentinel / Log Analytics workspaces.
  • HTTPS / HTTP — POST the message to an endpoint URL.
  • TLS — raw TLS socket, typical for syslog-ng / rsyslog listeners.
  • TCP / UDP — raw sockets for classic syslog listeners.

No auth header. Fine for private-network endpoints on the same VPC.

Every time HostAtlas raises an event — an alert fires, an incident opens, a policy is created, someone logs in — the event runs through each active forwarder that matches the event-type filter. The event is formatted according to the forwarder’s format, wrapped in the chosen transport, authenticated with the chosen method, and shipped.

  • Sends are asynchronous. A slow SIEM does not slow the UI.
  • last_success_at and last_error_at are updated per send so you can spot a broken pipe on this page.
  • If your endpoint is temporarily unavailable, HostAtlas retries with backoff; events are not queued indefinitely — persistent failure is surfaced as an alert on the forwarder itself.

The Event types field is a comma-separated list of event-type keys, or * for everything. Typical picks:

  • alert.fired,alert.resolved — just alert lifecycle.
  • auth.login,auth.failed,ssh_gatekeeper.* — just security-relevant activity.
  • * — send everything HostAtlas emits.
  • Audit Log — the on-platform search surface for the same event stream.
  • Alerts — one of the biggest sources of forwarded events.
  • Compliance Hub — SIEM forwarding is one of the standard evidence pipelines for SOC 2 / ISO 27001 log-management controls.
Was this page helpful?