SIEM Integration
Claustrum can push append-only audit events to external SIEM endpoints through Audit Sinks.
Audit Sink Model
- audit_sinks: destination + filter + retry policy.
- audit_delivery_queue: durable delivery queue, one row per (sink_id, audit_log_id).
Delivery Flow
- An audit_logs row is inserted.
- Matching sinks are selected by event_filter.
- Rows are enqueued into audit_delivery_queue.
- A background worker sends an HTTP POST with an HMAC signature.
- Success: delivered; failure: backoff retry, then failed.
Signing
Each webhook request includes:
X-Claustrum-Event
X-Claustrum-Workspace
X-Claustrum-Delivery
X-Claustrum-Signature: sha256=<hex>
Signature input:
HMAC_SHA256(secret, raw_json_body)
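The following is an added example, not code from the Claustrum project, showing both sides of the signing scheme described above: the sender computes HMAC-SHA256 over the raw JSON body and emits it as sha256=<hex>, and the receiving SIEM endpoint recomputes it over the exact bytes it received and compares in constant time. The secret, event payload and header values are constructed for the demo; only the header names and the sha256= format come from the page.

```python
import hashlib
import hmac
import json

# Header names as documented for Claustrum webhook deliveries.
HDR_EVENT = "X-Claustrum-Event"
HDR_WORKSPACE = "X-Claustrum-Workspace"
HDR_DELIVERY = "X-Claustrum-Delivery"
HDR_SIGNATURE = "X-Claustrum-Signature"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC_SHA256(secret, raw_json_body), formatted as 'sha256=<hex>'."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def build_headers(secret: bytes, raw_body: bytes, event: str, workspace: str, delivery: str) -> dict:
    """Assemble the four request headers the page lists for one delivery."""
    return {
        HDR_EVENT: event,
        HDR_WORKSPACE: workspace,
        HDR_DELIVERY: delivery,
        HDR_SIGNATURE: sign_body(secret, raw_body),
    }


def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Receiver side: reject unknown schemes, recompute over the raw bytes,
    and compare with hmac.compare_digest so timing does not leak a prefix match."""
    scheme, sep, received_hex = header_value.partition("=")
    if sep != "=" or scheme != "sha256":
        return False
    expected_hex = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Compare as bytes: compare_digest on str raises TypeError for non-ASCII input.
    return hmac.compare_digest(expected_hex.encode("ascii"), received_hex.lower().encode("utf-8"))


def verify_after_reserialize(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Shows the common receiver bug: parsing the JSON and re-serializing it before
    verifying. Key order, whitespace and separators change, so the HMAC no longer matches."""
    reserialized = json.dumps(json.loads(raw_body), sort_keys=True).encode("utf-8")
    return verify_signature(secret, reserialized, header_value)


# Constructed sample values (not real Claustrum data).
SAMPLE_SECRET = b"constructed-demo-sink-secret"
SAMPLE_BODY = b'{"event":"audit.example","workspace_id":"ws_demo","delivery_id":"dlv_0001","actor":"user_demo"}'
SAMPLE_HEADERS = build_headers(SAMPLE_SECRET, SAMPLE_BODY, "audit.example", "ws_demo", "dlv_0001")


if __name__ == "__main__":
    print(SAMPLE_HEADERS)
    print("valid:", verify_signature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS[HDR_SIGNATURE]))
    print("valid after re-serializing:", verify_after_reserialize(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS[HDR_SIGNATURE]))
```

On the receiving side, read the request body as bytes before any JSON parsing and hand those same bytes to the verifier; the X-Claustrum-Delivery value is the natural key for de-duplicating retried deliveries once the signature has been accepted.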
Retry / Backoff
Per-sink retry_policy:
{
"max_attempts": 5,
"backoff_sec": [1, 5, 30, 120, 600]
}
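As an added example (not Claustrum's own worker code), here is a simulated delivery worker that applies the retry_policy above to one audit_delivery_queue row and walks it through the queued, sending, delivered and failed states named on the page. The page does not say how backoff_sec is indexed, so this assumes that after the N-th failed attempt the worker waits backoff_sec[N-1] (clamped to the last entry), and that reaching max_attempts marks the row failed without a further wait; the row fields and the simulated clock are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Policy values as documented on the page.
DEFAULT_RETRY_POLICY = {"max_attempts": 5, "backoff_sec": [1, 5, 30, 120, 600]}


@dataclass
class QueueRow:
    """One audit_delivery_queue row, keyed by (sink_id, audit_log_id). Field names are assumed."""
    sink_id: str
    audit_log_id: int
    status: str = "queued"        # queued -> sending -> delivered | failed
    attempts: int = 0
    next_attempt_at: float = 0.0  # simulated clock seconds; 0.0 means due now


def backoff_after_failure(policy: dict, failed_attempts: int) -> Optional[int]:
    """Seconds to wait after the N-th failure, or None when the row should be marked failed.
    Assumption: attempt N uses backoff_sec[N-1], clamped to the schedule's last entry."""
    if failed_attempts >= policy["max_attempts"]:
        return None
    schedule = policy["backoff_sec"]
    return schedule[min(failed_attempts, len(schedule)) - 1]


def attempt_delivery(row: QueueRow, send: Callable[[QueueRow], bool], now: float,
                     policy: dict = DEFAULT_RETRY_POLICY) -> QueueRow:
    """One worker pass over a row: skip if not due, else POST (via `send`) and transition state.
    Any exception from the transport counts as a failed attempt."""
    if row.status != "queued" or row.next_attempt_at > now:
        return row
    row.status = "sending"
    row.attempts += 1
    try:
        ok = send(row)
    except Exception:
        ok = False
    if ok:
        row.status = "delivered"
        return row
    delay = backoff_after_failure(policy, row.attempts)
    if delay is None:
        row.status = "failed"
    else:
        row.status = "queued"
        row.next_attempt_at = now + delay
    return row


def drain(row: QueueRow, send: Callable[[QueueRow], bool],
          policy: dict = DEFAULT_RETRY_POLICY) -> List[float]:
    """Drive the row to a terminal state on a simulated clock; return the delays waited."""
    clock = 0.0
    waited: List[float] = []
    while row.status in ("queued", "sending"):
        if row.next_attempt_at > clock:
            waited.append(row.next_attempt_at - clock)
            clock = row.next_attempt_at
        attempt_delivery(row, send, clock, policy)
    return waited


def always_down(_row: QueueRow) -> bool:
    """Constructed transport: the SIEM endpoint never accepts the POST."""
    return False


def make_flaky(failures_before_success: int) -> Callable[[QueueRow], bool]:
    """Constructed transport that fails a fixed number of times, then succeeds."""
    state = {"left": failures_before_success}

    def send(_row: QueueRow) -> bool:
        if state["left"] > 0:
            state["left"] -= 1
            return False
        return True

    return send


if __name__ == "__main__":
    dead = QueueRow("sink_demo", 1)
    print(drain(dead, always_down), dead.status, dead.attempts)
    recovered = QueueRow("sink_demo", 2)
    print(drain(recovered, make_flaky(2)), recovered.status, recovered.attempts)
```

Under this reading a sink that stays down is given up on after five attempts spread over 156 seconds, and the last backoff_sec entry is only reached if max_attempts is raised above the schedule length; when configuring a sink, make sure the two fields agree so that failed rows show up in the delivery status view rather than retrying indefinitely.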
Admin UI
Workspace → Integrations → SIEM
- Create sink
- Test delivery
- Filtered delivery status view (queued / sending / delivered / failed)