SIEM Sync (Real-time Log Forwarding)
Volidator allows you to forward real-time, end-to-end encrypted audit logs directly to your security information and event management (SIEM) telemetry pipelines.
Because Volidator enforces Zero-Knowledge storage, logs are forwarded to SIEM endpoints in their encrypted ciphertext format. Decryption and validation happen at your perimeter ingestion layer.
1. Supported Telemetry Platforms
Section titled “1. Supported Telemetry Platforms”Currently, Volidator supports native outbound edge integrations for:
- Datadog Logs API: Send log arrays to Datadog’s HTTP intake endpoints.
- Splunk HTTP Event Collector (HEC): Stream event streams directly to Splunk HEC.
2. In-Browser Credentials Encryption
Section titled “2. In-Browser Credentials Encryption”For maximum security, your SIEM credentials (like your Datadog API Key or Splunk HEC token) are never stored in plaintext by Volidator.
When you input keys in the Volidator settings dashboard, your browser retrieves the project public key and encrypts the credentials using RSA-4096 locally. They are decrypted only in volatile memory during active log forwarding at the edge.
3. Configuring Ingestion Channels
Section titled “3. Configuring Ingestion Channels”To set up SIEM forwarding:
- Navigate to the project settings page on the Volidator dashboard.
- Select your Integration Platform.
- Enter your SIEM Ingress Endpoint URL (e.g.,
https://http-intake.logs.datadoghq.com/api/v2/logsfor Datadog). - Enter your token or API key.
- Click Enable Forwarding.
4. Integrity and Signature Verification
Section titled “4. Integrity and Signature Verification”To prevent injection and spoofing attacks, Volidator attaches a cryptographic signature header X-Volidator-Signature to all outbound SIEM posts.
The header uses a per-project HMAC-SHA-256 signing secret generated in your browser when configuring the channel.
Signature Format
Section titled “Signature Format”The signature header is formatted as:
X-Volidator-Signature: t=1782714615,v1=912b3a0feec6ab370132c82...tis the Unix timestamp (for clock-skew replay protection).v1is the computed HMAC signature oftconcatenated with the raw post body (t.body).
5. Perimeter Decryption with Vector
Section titled “5. Perimeter Decryption with Vector”To decrypt payloads and verify signatures before they reach your internal indices, you can configure a perimeter Vector layer. Below is a sample VRL (Vector Remap Language) configuration to perform this check:
# 1. Verify X-Volidator-Signature header to validate authenticitysignature_header = .headers["x-volidator-signature"] ?? ""parts, err = parse_key_value(signature_header, delimiter: ",", pair_delimiter: "=")
if err == null && exists(parts.t) && exists(parts.v1) { # Clock-Skew Replay Protection (Enforce max 5-minute skew) current_time = to_unix_timestamp(now()) skew = abs(current_time - to_integer!(parts.t)) if skew > 300 { abort("Replay attack detected: clock skew exceeds 300 seconds") }
# Hex-decode your secret key and verify HMAC-SHA-256 signing_key = decode_hex!(env("VOLIDATOR_SIGNING_SECRET")) expected_sig = hmac_sha256(parts.t + "." + .raw_body, signing_key) if expected_sig != parts.v1 { abort("Invalid payload signature: verification failed") }} else { abort("Missing or malformed X-Volidator-Signature header")}
# 2. Decrypt AES-256-GCM log payload using your vault keydecrypted, err = decrypt_aes_gcm(.encryptedPayload, key: env("VOLIDATOR_ENCRYPTION_KEY"))if err != null { log("Decryption error: " + err, level: "error")} else { . = merge(., parse_json!(decrypted)) del(.encryptedPayload)}