SIEM Integration

SentriKat can forward vulnerability events to your SIEM via syslog, enabling centralized security monitoring and correlation with other security data sources.

New in v1.0.2

SIEM/syslog integration was added in SentriKat v1.0.2.

PRO Feature

SIEM integration requires a PRO license.

Supported SIEMs

SentriKat has been tested with:

| SIEM | Protocol | Format |
|------|----------|--------|
| Splunk | Syslog (TCP/UDP) | CEF, JSON |
| Elastic / ELK | Syslog (TCP) | JSON, RFC 5424 |
| ArcSight | Syslog (TCP) | CEF |
| QRadar | Syslog (TCP/UDP) | CEF, RFC 5424 |

Any SIEM that accepts syslog input will work with SentriKat.

Configuration

Environment Variables

Configure SIEM forwarding in your .env file:

# Enable SIEM forwarding
SIEM_ENABLED=true

# Syslog destination
SIEM_HOST=siem.company.local
SIEM_PORT=514
SIEM_PROTOCOL=tcp  # tcp or udp

# Log format: cef, json, or rfc5424
SIEM_FORMAT=cef

# TLS encryption (recommended for TCP)
SIEM_TLS=false
SIEM_TLS_CERT=/certs/siem-client.pem
SIEM_TLS_VERIFY=true

After setting these variables, restart SentriKat:

docker compose restart sentrikat

Web UI Configuration

You can also configure SIEM settings via the admin panel:

  1. Go to Admin > Settings > SIEM Integration
  2. Enter your SIEM host and port
  3. Select the log format
  4. Click Test Connection
  5. Save

Log Formats

CEF (Common Event Format)

The CEF format is widely supported by enterprise SIEMs (ArcSight, QRadar, Splunk). A CEF event is a single line: seven pipe-delimited header fields followed by space-separated key=value extensions:

CEF:0|SentriKat|VulnMgmt|1.0.2|KEV_MATCH|Vulnerability Matched|9|src=agent-hostname cve=CVE-2024-3400 severity=Critical product=PAN-OS vendor=Palo Alto Networks status=AFFECTED dueDate=2024-04-19 ransomware=Yes epss=0.972 org=Acme Corp

JSON

Structured JSON for Elastic/ELK and modern SIEMs:

{
  "timestamp": "2026-02-11T10:30:00Z",
  "event_type": "kev_match",
  "severity": "Critical",
  "cve_id": "CVE-2024-3400",
  "product": "PAN-OS",
  "vendor": "Palo Alto Networks",
  "status": "AFFECTED",
  "confidence": "high",
  "due_date": "2024-04-19",
  "ransomware": true,
  "epss_score": 0.972,
  "organization": "Acme Corp",
  "agent_hostname": "fw-01.corp.local"
}

RFC 5424

Standard syslog format with structured data:

<134>1 2026-02-11T10:30:00Z sentrikat vulnmgmt - KEV_MATCH [vuln@sentrikat cve="CVE-2024-3400" severity="Critical" product="PAN-OS" status="AFFECTED" dueDate="2024-04-19"] Vulnerability CVE-2024-3400 matched on PAN-OS
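The three payloads above carry the same vulnerability record in three encodings. The following parser is an added example (not SentriKat's own code) that reads each format and maps it onto one normalized record, so a receiving pipeline can treat them uniformly. It handles CEF's backslash escaping of `|` in the header and `=` in extensions, extension values that contain spaces (such as `vendor=Palo Alto Networks`), and RFC 5424 structured-data parameters; the sample events are constructed from the examples on this page, and the structured-data ID `vuln@sentrikat` is taken from the RFC 5424 example.

```python
"""Parse the three SentriKat SIEM payload formats (CEF, JSON, RFC 5424) into one
normalized record. Example code added to this page; not SentriKat's own parser."""
import json
import re

# Constructed samples, taken from the format descriptions above (the CEF event is
# the single line it is on the wire).
SAMPLE_CEF = (
    "CEF:0|SentriKat|VulnMgmt|1.0.2|KEV_MATCH|Vulnerability Matched|9|"
    "src=agent-hostname cve=CVE-2024-3400 severity=Critical product=PAN-OS "
    "vendor=Palo Alto Networks status=AFFECTED dueDate=2024-04-19 "
    "ransomware=Yes epss=0.972 org=Acme Corp"
)
SAMPLE_JSON = (
    '{"timestamp": "2026-02-11T10:30:00Z", "event_type": "kev_match", '
    '"severity": "Critical", "cve_id": "CVE-2024-3400", "product": "PAN-OS", '
    '"status": "AFFECTED", "due_date": "2024-04-19", "epss_score": 0.972}'
)
SAMPLE_RFC5424 = (
    "<134>1 2026-02-11T10:30:00Z sentrikat vulnmgmt - KEV_MATCH "
    '[vuln@sentrikat cve="CVE-2024-3400" severity="Critical" product="PAN-OS" '
    'status="AFFECTED" dueDate="2024-04-19"] Vulnerability CVE-2024-3400 matched on PAN-OS'
)

_CEF_HEADER_KEYS = ["cef_version", "device_vendor", "device_product",
                    "device_version", "signature_id", "name", "severity"]
# A space starts a new extension only when a key= follows it, so values such as
# "Palo Alto Networks" keep their embedded spaces.
_CEF_EXT_BOUNDARY = re.compile(r" (?=[A-Za-z][\w.]*=)")
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[.*?(?<!\\)\])+)(?: (?P<msg>.*))?$"
)
_SD_ELEMENT = re.compile(r'\[(?P<id>[^ \]]+)(?P<params>(?: [^= ]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^= ]+)="((?:[^"\\]|\\.)*)"')


def _cef_unescape(value):
    r"""CEF escapes \\ \| and \= with a backslash; \n and \r encode line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    r"""Return (header, extensions) for one CEF line (header pipes may be escaped as \|)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF event")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields before the extension")
    header = dict(zip(_CEF_HEADER_KEYS, (_cef_unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    extensions = {}
    for token in _CEF_EXT_BOUNDARY.split(parts[7].strip()):
        key, sep, value = token.partition("=")
        if sep:
            extensions[key] = _cef_unescape(value)
    return header, extensions


def _sd_unescape(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_rfc5424(line):
    """Return (header, structured_data) for one RFC 5424 message."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    header = {
        "facility": pri >> 3,        # <134> -> 16 (local0)
        "syslog_severity": pri & 7,  # <134> -> 6 (informational)
        **{k: m.group(k) for k in ("version", "timestamp", "hostname", "app_name", "procid", "msgid")},
        "msg": m.group("msg") or "",
    }
    structured = {}
    if m.group("sd") != "-":
        for element in _SD_ELEMENT.finditer(m.group("sd")):
            structured[element.group("id")] = {
                k: _sd_unescape(v) for k, v in _SD_PARAM.findall(element.group("params"))
            }
    return header, structured


def normalize(line):
    """Detect the format of one payload and map it onto a common vulnerability record."""
    text = line.strip()
    cef_like = {"cve": "cve", "severity": "severity", "product": "product",
                "status": "status", "due_date": "dueDate"}
    if text.startswith("{"):
        fields, fmt = json.loads(text), "json"
        keymap = {"cve": "cve_id", "severity": "severity", "product": "product",
                  "status": "status", "due_date": "due_date"}
    elif text.startswith("CEF:"):
        fields, fmt, keymap = parse_cef(text)[1], "cef", cef_like
    else:
        fields, fmt, keymap = parse_rfc5424(text)[1].get("vuln@sentrikat", {}), "rfc5424", cef_like
    record = {out: fields.get(src) for out, src in keymap.items()}
    record["format"] = fmt
    return record


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_JSON, SAMPLE_RFC5424):
        print(normalize(sample))
```

Running the module prints the same normalized record three times, differing only in the `format` field; the RFC 5424 header additionally exposes the facility and syslog severity decoded from `<134>`, which is what a SIEM uses for routing before it looks at the structured data.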

Event Types

SentriKat forwards the following event types:

| Event | Trigger | Severity Mapping |
|-------|---------|------------------|
| kev_match | New KEV vulnerability matches a product | Based on CVSS |
| status_change | Vulnerability status changes (e.g., AFFECTED → RESOLVED) | Informational |
| due_date_approaching | KEV due date within configured threshold | Warning |
| due_date_overdue | KEV due date has passed | High |
| new_agent | New agent registered | Informational |
| agent_offline | Agent missed check-in threshold | Warning |

Filtering

Control which events are forwarded:

# Only forward events at or above this severity (critical, high, medium, low, info)
SIEM_MIN_SEVERITY=high

# Event types to forward (comma-separated, or "all")
SIEM_EVENT_TYPES=kev_match,status_change,due_date_overdue

# Only forward events from specific organizations (comma-separated org IDs, or "all")
SIEM_ORGANIZATIONS=all
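To see how the three variables combine, here is an added example (not SentriKat's own implementation) that applies the same rules to a batch of events: the severity floor uses the order critical, high, medium, low, info from the comment above; `all` disables a list filter; and every event must pass all three checks. The event field names (`event_type`, `severity`, `org_id`) are assumptions, as is the mapping of the table's "Informational" and "Warning" labels onto the `info` and `medium` levels.

```python
"""Reproduce the SIEM_MIN_SEVERITY / SIEM_EVENT_TYPES / SIEM_ORGANIZATIONS filtering
rules. Example code added to this page, not SentriKat's own implementation; the event
field names (event_type, severity, org_id) and the label aliases are assumptions."""
import os

# Severity levels SIEM_MIN_SEVERITY accepts, highest first (list index = rank).
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]
# Assumed mapping of the labels used in the event-type table onto those levels.
SEVERITY_ALIASES = {"informational": "info", "warning": "medium"}

# Constructed sample events, one per event type in the table above.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "kev_match", "severity": "Critical", "org_id": "org-1"},
    {"id": 2, "event_type": "status_change", "severity": "Informational", "org_id": "org-1"},
    {"id": 3, "event_type": "due_date_overdue", "severity": "High", "org_id": "org-2"},
    {"id": 4, "event_type": "due_date_approaching", "severity": "Warning", "org_id": "org-2"},
    {"id": 5, "event_type": "new_agent", "severity": "Informational", "org_id": "org-1"},
    {"id": 6, "event_type": "agent_offline", "severity": "Warning", "org_id": "org-3"},
    {"id": 7, "event_type": "kev_match", "severity": "Medium", "org_id": "org-3"},
]


def severity_rank(label):
    """Rank of a severity label (0 = critical); None if the label is unknown."""
    level = label.strip().lower()
    level = SEVERITY_ALIASES.get(level, level)
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else None


def _parse_set(value):
    """Comma-separated list as a set, or None for 'all' / empty (no restriction)."""
    items = {v.strip().lower() for v in value.split(",") if v.strip()}
    return None if not items or "all" in items else items


def load_filter(env=None):
    """Read the three filter variables from the environment (or a dict standing in for it)."""
    env = os.environ if env is None else env
    min_sev = env.get("SIEM_MIN_SEVERITY", "info").strip().lower()
    if min_sev not in SEVERITY_ORDER:
        raise ValueError(f"SIEM_MIN_SEVERITY must be one of {SEVERITY_ORDER}, got {min_sev!r}")
    return {
        "min_rank": SEVERITY_ORDER.index(min_sev),
        "event_types": _parse_set(env.get("SIEM_EVENT_TYPES", "all")),
        "organizations": _parse_set(env.get("SIEM_ORGANIZATIONS", "all")),
    }


def should_forward(event, flt):
    """True when the event passes all three filters.

    An event whose severity label is unknown is forwarded rather than dropped:
    for a monitoring feed, silently losing events is the worse failure."""
    rank = severity_rank(event.get("severity", ""))
    if rank is not None and rank > flt["min_rank"]:
        return False
    if flt["event_types"] is not None and event.get("event_type", "").lower() not in flt["event_types"]:
        return False
    if flt["organizations"] is not None and str(event.get("org_id", "")).lower() not in flt["organizations"]:
        return False
    return True


def forwarded_ids(events, env):
    """IDs of the events that would be sent to the SIEM under the given environment."""
    flt = load_filter(env)
    return [e["id"] for e in events if should_forward(e, flt)]


if __name__ == "__main__":
    # The configuration shown above: only high+ kev_match/status_change/due_date_overdue.
    print(forwarded_ids(SAMPLE_EVENTS, {
        "SIEM_MIN_SEVERITY": "high",
        "SIEM_EVENT_TYPES": "kev_match,status_change,due_date_overdue",
        "SIEM_ORGANIZATIONS": "all",
    }))
```

With the configuration shown above, only events 1 and 3 are forwarded: the `status_change` event is allowed by type but falls below the `high` floor, and the Medium `kev_match` shows that "Based on CVSS" severity can put a KEV match under the floor as well. Keep that interaction in mind when raising `SIEM_MIN_SEVERITY`; a type listed in `SIEM_EVENT_TYPES` is not a guarantee that every event of that type reaches the SIEM.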

SIEM-Specific Setup

Splunk

  1. In Splunk, go to Settings > Data Inputs > TCP or UDP
  2. Add a new input on the port SentriKat will send to
  3. Set Source Type to sentrikat or cef depending on your format
  4. Configure SentriKat with the Splunk receiver's host and port

Elastic / ELK

  1. Configure a Logstash syslog input:

     input {
       syslog {
         port => 5514
         codec => json_lines
       }
     }

  2. Create an index template for SentriKat events
  3. Point SentriKat to your Logstash host

QRadar

  1. In QRadar, go to Admin > Data Sources > Log Sources
  2. Add a new log source with protocol Syslog
  3. Set the log source type to Universal CEF
  4. Configure SentriKat to use CEF format

Testing

Verify SIEM forwarding is working:

# Send a test event via the admin panel
# Admin > Settings > SIEM Integration > Send Test Event

# Or via API
curl -X POST http://localhost:5000/api/admin/siem/test \
  -H "Authorization: Bearer YOUR_TOKEN"

Troubleshooting

Events Not Arriving

  1. Verify SIEM_ENABLED=true in your .env
  2. Check network connectivity: docker compose exec sentrikat nc -zv siem.company.local 514
  3. Verify your SIEM is listening on the configured port
  4. Check SentriKat logs: docker compose logs sentrikat | grep SIEM
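When the connectivity checks above pass but the SIEM still shows nothing, the remaining question is usually what actually arrived on the wire and how it was framed. The following loopback receiver is an added example (not a SentriKat tool): run it on a host you control, point `SIEM_HOST`/`SIEM_PORT` at the port it prints, and trigger a test event from the admin panel. It accepts both TCP syslog framings from RFC 6587, octet-counting (`123 <134>1 ...`) and newline-terminated, and reports any bytes left over that did not form a complete frame, which is the usual sign of a framing mismatch between sender and SIEM. The CEF test event inside it is constructed from the example on this page.

```python
"""Loopback syslog-over-TCP receiver for checking what SentriKat puts on the wire.
Example code added to this page, not a SentriKat tool."""
import re
import socket
import threading

_OCTET_COUNT = re.compile(rb"^(\d+) ")


def split_frames(buf):
    """Split a TCP byte stream into complete syslog messages (RFC 6587).

    Octet-counting frames look like b"123 <134>1 ..."; non-transparent frames are
    newline-terminated. A real message never starts with a digit (it starts with '<',
    'CEF:' or '{'), so a leading count is unambiguous. Returns (messages, leftover)."""
    messages = []
    while buf:
        m = _OCTET_COUNT.match(buf)
        if m:
            length, start = int(m.group(1)), m.end()
            if len(buf) < start + length:
                break                      # wait for the rest of this frame
            messages.append(buf[start:start + length])
            buf = buf[start + length:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break                          # incomplete non-transparent frame
        messages.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return messages, buf


def frame(message, octet_counting=False):
    """Encode one message the way a sender puts it on a TCP syslog connection."""
    payload = message.encode("utf-8")
    if octet_counting:
        return b"%d %s" % (len(payload), payload)
    return payload + b"\n"


def start_receiver(host="127.0.0.1", port=0, timeout=30):
    """Accept one connection in a background thread; returns (port, thread, messages)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    bound_port = srv.getsockname()[1]
    received = []

    def run():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            srv.close()
            return
        srv.close()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                msgs, buf = split_frames(buf)
                received.extend(m.decode("utf-8", "replace") for m in msgs)
        if buf:  # sender closed mid-frame: framing mismatch or truncated send
            received.append("UNFRAMED TAIL: " + buf.decode("utf-8", "replace"))

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return bound_port, thread, received


def send_frames(host, port, frames):
    """Deliver pre-framed messages over one TCP connection, as a syslog sender would."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(b"".join(frames))


if __name__ == "__main__":
    # Constructed test event: the CEF example from this page, on one line.
    cef = ("CEF:0|SentriKat|VulnMgmt|1.0.2|KEV_MATCH|Vulnerability Matched|9|"
           "cve=CVE-2024-3400 severity=Critical product=PAN-OS status=AFFECTED")
    port, thread, got = start_receiver()
    print(f"listening on 127.0.0.1:{port}")
    send_frames("127.0.0.1", port, [frame(cef), frame(cef, octet_counting=True)])
    thread.join(5)
    for msg in got:
        print("received:", msg)
```

Run as a script it sends itself the same event in both framings and prints both back, which confirms the parser; to use it against SentriKat, drop the `send_frames` call, keep the port fixed with `start_receiver(port=5514)`, and send a test event from the admin panel. A message printed as `UNFRAMED TAIL` means the sender did not terminate the frame the way the receiver expects, so check whether your SIEM input is configured for octet-counting or newline framing.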

TLS Connection Issues

  1. Verify the certificate is mounted into the container
  2. Check certificate expiry and chain
  3. Try with SIEM_TLS_VERIFY=false temporarily to isolate certificate issues

Next Steps