
SIEM Integration

Section: Operations | Article 43
Audience: System Administrators, Security Engineers
Last Updated: 2026-04-07


Overview

RP-PAM can forward audit events and log data to your Security Information and Event Management (SIEM) platform in near real time: events are batched and flushed every few seconds (see batchSize and flushIntervalSeconds below). This lets your security team correlate PAM activity with other infrastructure logs, build alerts (for example on break-glass activations), and meet compliance requirements.


Using the Web Portal

SIEM targets can be configured directly from the RP-PAM web portal without editing rppam.config manually. Navigate to SIEM in the sidebar (requires admin role for configuration changes; security_admin can view targets and send test events).

Adding a SIEM Target

  1. Click Add Target
  2. Select the target type (Splunk HEC, Microsoft Sentinel, Syslog, or HTTP Webhook)
  3. Fill in the required fields (endpoint URL, authentication token, etc.)
  4. Configure optional settings (batch size, flush interval, SSL verification)
  5. Click Save
  6. Restart the RP-PAM service for the new target to take effect

Editing or Removing Targets

Each configured target appears in the targets table with Edit and Remove buttons. Changes are written to rppam.config automatically. A restart is required after any change.

Testing Connectivity

Click Send Test Event to send a test audit event to all configured SIEM targets. The result shows whether each target received the event successfully. You can then verify receipt in your SIEM platform.

Multiple Targets

You can add as many targets as needed. For example, send events to both Splunk and a syslog server simultaneously. Each target operates independently — a failure in one target does not block delivery to others.

Tip: The portal provides a visual interface for the same configuration described in the CLI sections below. Both methods produce identical results in rppam.config.


Supported Targets

Target              Protocol                                    Use Case
Splunk HEC          HTTPS (HTTP Event Collector)                Splunk Cloud or Splunk Enterprise
Microsoft Sentinel  HTTPS (Log Analytics Data Collector API)    Azure-based SIEM
Syslog              TCP or UDP, optional TLS (RFC 5424/3164)    Any syslog-compatible SIEM (QRadar, LogRhythm, ArcSight, etc.)
HTTP Webhook        HTTPS (POST)                                Custom SIEM or log aggregation (Elastic, Datadog, etc.)

You can configure multiple targets simultaneously. For example, you can send events to both Splunk and syslog.


Configuration

SIEM integration is configured in the siem section of rppam.config. Each target's credential (HEC token, Sentinel shared key, webhook API key) is stored in this file exactly as shown in the examples below, so restrict read access on rppam.config to the RP-PAM service account and administrators, and never commit a copy with real values to version control.

Splunk HEC

{
  "siem": {
    "targets": [
      {
        "type": "splunk-hec",
        "enabled": true,
        "url": "https://splunk.corp.local:8088/services/collector/event",
        "token": "your-hec-token-here",
        "index": "pam_events",
        "sourcetype": "rppam:audit",
        "verifySsl": true,
        "batchSize": 50,
        "flushIntervalSeconds": 10
      }
    ]
  }
}
Field                 Required  Description
url                   Yes       Splunk HEC endpoint URL
token                 Yes       HEC authentication token
index                 No        Target Splunk index (default: Splunk's default index)
sourcetype            No        Splunk sourcetype (default: rppam:audit)
verifySsl             No        Verify Splunk's TLS certificate (default: true)
batchSize             No        Number of events per batch (default: 50)
flushIntervalSeconds  No        Maximum seconds between flushes (default: 10)

A batch is sent when it reaches batchSize events or when flushIntervalSeconds has passed since the last flush, whichever comes first, so with the defaults an event can wait up to 10 seconds before it appears in Splunk.

Microsoft Sentinel

{
  "siem": {
    "targets": [
      {
        "type": "sentinel",
        "enabled": true,
        "workspaceId": "your-workspace-id",
        "sharedKey": "your-shared-key",
        "logType": "RpPamAudit",
        "batchSize": 50,
        "flushIntervalSeconds": 10
      }
    ]
  }
}
Field                 Required  Description
workspaceId           Yes       Log Analytics workspace ID
sharedKey             Yes       Primary or secondary workspace key
logType               No        Custom log table name (default: RpPamAudit; appears as RpPamAudit_CL in Sentinel)
batchSize             No        Number of events per batch (default: 50)
flushIntervalSeconds  No        Maximum seconds between flushes (default: 10)

The shared key authorizes writes to the whole workspace. If you regenerate it in Azure, update sharedKey in rppam.config and restart the service, otherwise forwarding stops with 401 errors.

Syslog

{
  "siem": {
    "targets": [
      {
        "type": "syslog",
        "enabled": true,
        "host": "syslog.corp.local",
        "port": 514,
        "protocol": "tcp",
        "facility": "local0",
        "useTls": false,
        "format": "rfc5424"
      }
    ]
  }
}
Field     Required  Description
host      Yes       Syslog server hostname or IP
port      No        Syslog port (default: 514)
protocol  No        tcp or udp (default: tcp)
facility  No        Syslog facility (default: local0)
useTls    No        Enable TLS for TCP connections (default: false)
format    No        rfc5424 or rfc3164 (default: rfc5424)

With the defaults (tcp, useTls: false) audit events cross the network unencrypted. For any receiver that is not on the same host, set useTls: true and point port at the receiver's TLS listener (commonly 6514). UDP cannot carry TLS and gives no delivery confirmation, so dropped events go unnoticed; use it only where the receiver supports nothing else. Use rfc3164 only for receivers that cannot parse RFC 5424.

HTTP Webhook

{
  "siem": {
    "targets": [
      {
        "type": "http-webhook",
        "enabled": true,
        "url": "https://logs.corp.local/api/v1/ingest",
        "method": "POST",
        "headers": {
          "Authorization": "Bearer your-api-key",
          "X-Source": "rppam"
        },
        "verifySsl": true,
        "batchSize": 50,
        "flushIntervalSeconds": 10,
        "timeoutSeconds": 30
      }
    ]
  }
}
Field                 Required  Description
url                   Yes       Webhook endpoint URL
method                No        HTTP method (default: POST)
headers               No        Custom HTTP headers (key-value pairs), typically the Authorization header the receiver expects
verifySsl             No        Verify TLS certificate (default: true)
batchSize             No        Number of events per batch (default: 50)
flushIntervalSeconds  No        Maximum seconds between flushes (default: 10)
timeoutSeconds        No        Request timeout (default: 30)

The headers you configure, including any Authorization value, are stored verbatim in rppam.config and sent with every request, so use an https URL and leave verifySsl at true.

Multiple Targets

You can send events to multiple targets simultaneously:

{
  "siem": {
    "targets": [
      {
        "type": "splunk-hec",
        "enabled": true,
        "url": "https://splunk.corp.local:8088/services/collector/event",
        "token": "hec-token"
      },
      {
        "type": "syslog",
        "enabled": true,
        "host": "syslog.corp.local",
        "port": 514,
        "protocol": "tcp"
      }
    ]
  }
}
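
Before restarting the service it is worth checking the siem section for the mistakes the Troubleshooting section lists: invalid JSON, a missing required field, a placeholder credential left in place, or a target that weakens transport security. The following linter is an added example written for this page, not part of RP-PAM; it knows only the target types and fields documented above, and the two embedded configurations are constructed test inputs (the "clean" token is a made-up value).

```python
"""Lint the "siem" section of rppam.config before restarting the service.

Added example, not part of RP-PAM. It checks only what this page documents:
that the file parses as JSON, that each target carries the fields the page
marks Required, that the placeholder credentials used in the page's examples
were replaced, and that transport security was not weakened (plain-http URLs,
verifySsl false, syslog over UDP or without TLS).
"""
import json
import pathlib
import sys

REQUIRED_FIELDS = {
    "splunk-hec": ("url", "token"),
    "sentinel": ("workspaceId", "sharedKey"),
    "syslog": ("host",),
    "http-webhook": ("url",),
}
# Placeholder strings from this page's examples; a real deployment must replace them.
PLACEHOLDERS = {"your-hec-token-here", "your-workspace-id", "your-shared-key",
                "your-api-key", "hec-token"}


def lint_siem_config(text: str) -> list:
    """Return findings as "ERROR: ..." / "WARN: ..." strings; an empty list means clean."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Invalid JSON is the "events stop after restart" failure mode.
        return [f"ERROR: rppam.config is not valid JSON: {exc}"]

    targets = cfg.get("siem", {}).get("targets")
    if not isinstance(targets, list) or not targets:
        return ["ERROR: siem.targets is missing or empty; nothing will be forwarded"]

    findings = []
    for i, t in enumerate(targets):
        ttype = t.get("type")
        tag = f"target[{i}] ({ttype})"
        if ttype not in REQUIRED_FIELDS:
            findings.append(f"ERROR: {tag}: unknown target type")
            continue
        if t.get("enabled") is not True:
            findings.append(f"WARN: {tag}: enabled is not set to true")
        for field in REQUIRED_FIELDS[ttype]:
            if not t.get(field):
                findings.append(f"ERROR: {tag}: required field {field!r} is missing")
        # Credentials: reject the example placeholders from this page.
        for field in ("token", "workspaceId", "sharedKey"):
            if t.get(field) in PLACEHOLDERS:
                findings.append(f"ERROR: {tag}: {field} still holds the example placeholder")
        auth = (t.get("headers") or {}).get("Authorization", "")
        if any(p in auth for p in PLACEHOLDERS):
            findings.append(f"ERROR: {tag}: Authorization header still holds the example placeholder")
        # Transport security for the HTTPS-based targets.
        if ttype in ("splunk-hec", "http-webhook"):
            url = t.get("url") or ""
            if url and not url.lower().startswith("https://"):
                findings.append(f"ERROR: {tag}: url is not https; token and events would travel in clear text")
            if t.get("verifySsl") is False:
                findings.append(f"WARN: {tag}: verifySsl is false; the endpoint certificate is not checked")
        # Transport security for syslog.
        if ttype == "syslog":
            if t.get("protocol", "tcp") == "udp":
                findings.append(f"WARN: {tag}: UDP syslog is unreliable and cannot be wrapped in TLS")
            elif not t.get("useTls", False):
                findings.append(f"WARN: {tag}: TCP syslog without useTls sends audit events in clear text")
            elif t.get("port", 514) == 514:
                findings.append(f"WARN: {tag}: useTls with port 514; TLS syslog receivers usually listen on 6514")
    return findings


# Constructed inputs: one configuration that should pass, one with typical mistakes.
CLEAN_CONFIG = """{
  "siem": {"targets": [
    {"type": "splunk-hec", "enabled": true,
     "url": "https://splunk.corp.local:8088/services/collector/event",
     "token": "1f2e3d4c-0000-4000-8000-aabbccddeeff", "verifySsl": true},
    {"type": "syslog", "enabled": true, "host": "syslog.corp.local",
     "port": 6514, "protocol": "tcp", "useTls": true}
  ]}
}"""
WEAK_CONFIG = """{
  "siem": {"targets": [
    {"type": "splunk-hec", "enabled": true,
     "url": "https://splunk.corp.local:8088/services/collector/event",
     "token": "your-hec-token-here", "verifySsl": false},
    {"type": "syslog", "enabled": true, "host": "syslog.corp.local", "protocol": "udp"},
    {"type": "http-webhook", "enabled": false, "url": "http://logs.corp.local/api/v1/ingest",
     "headers": {"Authorization": "Bearer your-api-key"}}
  ]}
}"""

if __name__ == "__main__":
    # Usage: python lint_siem.py /path/to/rppam.config  (lints WEAK_CONFIG when no path is given)
    text = pathlib.Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in lint_siem_config(text):
        print(finding)
```

Run it against rppam.config right before the restart; an ERROR means the service will either fail to forward or forward with a wrong credential, a WARN means delivery works but the transport is weaker than it should be.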

Applying the Configuration

After editing rppam.config (manually or via the web portal), restart the service for changes to take effect.

Windows:

Restart-Service -Name "RpPam"

Linux:

sudo systemctl restart rppam

Note: If you configured SIEM targets through the web portal, the portal displays a reminder banner: "Configuration changed. Restart the RP-PAM service for changes to take effect."


Event Types

RP-PAM forwards the following event categories to your SIEM:

Category        Events                                                                      Severity
Authentication  Login success, login failure, MFA challenge, token refresh                  Info / Warning
Authorization   Access denied, role change, permission update                               Warning
Grants          Grant created, grant activated, grant expired, grant revoked                Info
Vault           Secret accessed, secret created, secret rotated                             Info
Admin           Config change, module enabled/disabled, user created/deleted                Info
Break-Glass     Emergency access activated, emergency access deactivated                    Critical
Module          AD group added/removed, SSH key installed/removed, DB user created/dropped  Info
System          Service start/stop, health check failure, certificate expiry warning        Info / Warning
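
On the receiving side the two things that matter most are parsing the RFC 5424 output correctly and, in an HA deployment, collapsing the copies that every node forwards (the Troubleshooting section's TraceId advice). The following consumer is an added example written for this page, not RP-PAM code. The structured-data layout it assumes (SD-ID rppam@32473 carrying category, event, user and TraceId parameters), the six sample lines and the login-failure threshold are constructed for the example; 32473 is the enterprise number IANA reserves for documentation, not a Ravenphyre registration.

```python
"""Consumer-side handling of RP-PAM syslog output (RFC 5424).

Added example, not part of RP-PAM. It parses the RFC 5424 header and
STRUCTURED-DATA of each line, drops duplicates that two HA nodes forwarded
with the same TraceId, and raises alerts for Break-Glass events and repeated
login failures. The SD-ID, parameter names, sample lines and threshold are
assumptions made for this example.
"""
import re
from collections import Counter

SD_ID = "rppam@32473"  # assumed SD-ID; 32473 is IANA's documentation enterprise number
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# followed by STRUCTURED-DATA (or "-") and an optional MSG.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
# One SD-ELEMENT: [SD-ID SP NAME="VALUE" ...]; a value may escape ", \ and ] with a backslash.
SD_ELEMENT = re.compile(
    r'\[(?P<id>[^\]\s="]+)(?P<params>(?: [^\]\s="]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'(?P<name>[^\s="]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _unescape(value):
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; raise ValueError on malformed input."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    rest, pos, sd = m["rest"], 0, {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        pos = 1
    else:
        while pos < len(rest) and rest[pos] == "[":
            em = SD_ELEMENT.match(rest, pos)
            if not em:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[em["id"]] = {p["name"]: _unescape(p["value"])
                            for p in SD_PARAM.finditer(em["params"])}
            pos = em.end()
    return {"facility": pri // 8, "severity": SEVERITY_NAMES[pri % 8],
            "timestamp": m["ts"], "host": m["host"], "app": m["app"],
            "msgid": m["msgid"], "sd": sd, "msg": rest[pos:].lstrip(" ")}


def dedupe_by_trace_id(events):
    """Keep the first event per TraceId; events without one are passed through."""
    seen, kept = set(), []
    for ev in events:
        tid = ev["sd"].get(SD_ID, {}).get("TraceId")
        if tid is not None:
            if tid in seen:
                continue
            seen.add(tid)
        kept.append(ev)
    return kept


def triage(events, failure_threshold=3):
    """Return alert strings: every Break-Glass event, plus users at or over the login-failure threshold."""
    alerts, failures = [], Counter()
    for ev in events:
        d = ev["sd"].get(SD_ID, {})
        if d.get("category") == "Break-Glass":
            alerts.append(f"BREAK-GLASS: {d.get('event')} by {d.get('user')} on {ev['host']} "
                          f"at {ev['timestamp']} (TraceId {d.get('TraceId')})")
        elif d.get("category") == "Authentication" and d.get("event") == "login failure":
            failures[d.get("user")] += 1
    for user, n in sorted(failures.items()):
        if n >= failure_threshold:
            alerts.append(f"AUTH: {n} login failures for {user}")
    return alerts


# Constructed sample: facility local0 (16), so PRI 130 = crit, 132 = warning, 134 = info.
# Lines 1 and 2 are the same break-glass event as forwarded by two HA nodes.
SAMPLE_LINES = [
    '<130>1 2026-04-07T14:30:00Z pam-node1 rppam 2211 audit [rppam@32473 category="Break-Glass" event="Emergency access activated" user="alice" TraceId="c0ffee01"] Emergency access activated',
    '<130>1 2026-04-07T14:30:00Z pam-node2 rppam 2209 audit [rppam@32473 category="Break-Glass" event="Emergency access activated" user="alice" TraceId="c0ffee01"] Emergency access activated',
    '<132>1 2026-04-07T14:31:05Z pam-node1 rppam 2211 audit [rppam@32473 category="Authentication" event="login failure" user="bob" TraceId="c0ffee02"] Login failure',
    '<132>1 2026-04-07T14:31:09Z pam-node1 rppam 2211 audit [rppam@32473 category="Authentication" event="login failure" user="bob" TraceId="c0ffee03"] Login failure',
    '<132>1 2026-04-07T14:31:14Z pam-node2 rppam 2209 audit [rppam@32473 category="Authentication" event="login failure" user="bob" TraceId="c0ffee04"] Login failure',
    '<134>1 2026-04-07T14:33:00Z pam-node1 rppam 2211 audit [rppam@32473 category="Grants" event="grant created" user="carol" target="db \\"prod\\"" TraceId="c0ffee05"] Grant created',
]

if __name__ == "__main__":
    for alert in triage(dedupe_by_trace_id(parse_rfc5424(l) for l in SAMPLE_LINES)):
        print(alert)
```

Without the dedupe step the sample produces two break-glass alerts for one activation; with it, one. The same TraceId key works for the HEC, Sentinel and webhook targets, where it arrives as a JSON field rather than a structured-data parameter.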

Verifying Events Are Flowing

Check SIEM Target Status

PowerShell:

Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/admin/siem/status" `
    -Headers @{ Authorization = "Bearer $adminJwt" }

curl:

curl -s "https://rppam.corp.local:7101/api/v1/admin/siem/status" \
  -H "Authorization: Bearer $ADMIN_JWT" | jq .

Expected response:

{
  "targets": [
    {
      "type": "splunk-hec",
      "status": "connected",
      "lastEventSentUtc": "2026-04-07T14:30:00Z",
      "eventsSentLast24h": 1247,
      "errorCount": 0
    }
  ]
}
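
A status of "connected" with errorCount 0 is not by itself proof that events are flowing; lastEventSentUtc going stale or a configured target missing from the list are the quieter failures. The following check is an added example written for this page, not RP-PAM code. It reads only the fields shown in the response above; the 15-minute silence limit, the expected_types comparison, the embedded sample document and the RPPAM_URL / ADMIN_JWT environment variables are this example's own choices.

```python
"""Check the /api/v1/admin/siem/status response for unhealthy SIEM targets.

Added example, not part of RP-PAM. It uses only the fields shown in the
documented response (type, status, lastEventSentUtc, errorCount). The silence
threshold, the expected_types check, the sample document and the environment
variable names are assumptions made for this example.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample matching the documented response shape.
SAMPLE_STATUS = {
    "targets": [
        {"type": "splunk-hec", "status": "connected",
         "lastEventSentUtc": "2026-04-07T14:30:00Z",
         "eventsSentLast24h": 1247, "errorCount": 0}
    ]
}


def _parse_utc(value):
    """Accept an ISO-8601 UTC string (with trailing Z) or an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_siem_status(doc, now, expected_types=None, max_silence=timedelta(minutes=15)):
    """Return a list of problem strings; an empty list means every target is healthy.

    expected_types: the target types configured in rppam.config. A type that is
    configured but absent from the status (e.g. dropped by a parse error) is reported.
    """
    now = _parse_utc(now)
    problems = []
    targets = doc.get("targets") or []
    if not targets:
        problems.append("no SIEM targets reported; check siem.targets in rppam.config")
    seen = set()
    for t in targets:
        ttype = t.get("type", "?")
        seen.add(ttype)
        if t.get("status") != "connected":
            problems.append(f"{ttype}: status is {t.get('status')!r}")
        if t.get("errorCount", 0) > 0:
            problems.append(f"{ttype}: {t['errorCount']} delivery errors")
        last = t.get("lastEventSentUtc")
        if not last:
            problems.append(f"{ttype}: no event has been sent yet")
            continue
        age = now - _parse_utc(last)
        if age > max_silence:
            minutes = int(age.total_seconds() // 60)
            problems.append(f"{ttype}: last event sent {minutes} min ago (limit {max_silence})")
    if expected_types:
        for missing in sorted(set(expected_types) - seen):
            problems.append(f"{missing}: configured target is absent from the status response")
    return problems


def fetch_status(base_url, admin_jwt, timeout=10):
    """GET the status endpoint with the admin JWT; urllib validates the TLS certificate by default."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/admin/siem/status",
        headers={"Authorization": f"Bearer {admin_jwt}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: RPPAM_URL=https://rppam.corp.local:7101 ADMIN_JWT=... python siem_status_check.py splunk-hec syslog
    # Without the environment variables the embedded sample document is evaluated instead.
    base, jwt = os.environ.get("RPPAM_URL"), os.environ.get("ADMIN_JWT")
    doc = fetch_status(base, jwt) if base and jwt else SAMPLE_STATUS
    problems = evaluate_siem_status(doc, datetime.now(timezone.utc),
                                    expected_types=set(sys.argv[1:]) or None)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Pass the target types you configured as arguments so a target silently dropped by a bad config edit is caught. Tune max_silence to your environment: a quiet PAM may legitimately send nothing for a while, and the Send Test Event call below is the simplest way to generate traffic before the check runs.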

Send a Test Event

PowerShell:

Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/admin/siem/test" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $adminJwt" }

curl:

curl -s -X POST "https://rppam.corp.local:7101/api/v1/admin/siem/test" \
  -H "Authorization: Bearer $ADMIN_JWT" | jq .

This sends a test event to all configured targets. Check your SIEM to confirm receipt.

Verify in Splunk

index="pam_events" sourcetype="rppam:audit" | head 10

Verify in Sentinel

RpPamAudit_CL
| take 10
| order by TimeGenerated desc

Troubleshooting

Problem:  Status shows "disconnected"
Cause:    Target unreachable
Solution: Check network connectivity and firewall rules from the RP-PAM host to the SIEM endpoint

Problem:  "401 Unauthorized" in logs
Cause:    Invalid token or key
Solution: Verify the HEC token, shared key, or API key is correct and has not been rotated on the SIEM side since it was saved

Problem:  "Certificate validation failed"
Cause:    Self-signed or private-CA certificate on the SIEM endpoint
Solution: Add the issuing CA certificate to the RP-PAM host's trust store. Setting verifySsl: false disables certificate checking entirely, so anyone on the network path could read the forwarded events and the token sent with them; do not use it in production

Problem:  Events delayed
Cause:    Batch not yet flushed
Solution: Reduce flushIntervalSeconds or batchSize for near-real-time delivery (a batch is sent when either limit is reached)

Problem:  Duplicate events in SIEM
Cause:    Multiple RP-PAM nodes sending
Solution: Expected in HA deployments; deduplicate on the TraceId field in the SIEM

Problem:  Syslog events not appearing
Cause:    Wrong port or protocol
Solution: Verify that the port (514 for plain syslog, 6514 for TLS) and the protocol (TCP vs. UDP) match the receiver

Problem:  Events stop after restart
Cause:    Config file syntax error
Solution: Check that rppam.config is valid JSON; look for parse errors in the main log

RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.