SIEM
S4E supports forwarding security events to SIEM platforms through syslog, HTTP Event Collector (HEC), and direct API connectors. This page documents the configuration API and provides setup examples for common SIEM products.
Integration Options
| Method | Supported SIEMs |
|---|---|
| Syslog (RFC 5424) | Any syslog-compatible SIEM. |
| CEF (Common Event Format) | ArcSight, QRadar, LogRhythm. |
| Splunk HEC | Splunk Enterprise, Splunk Cloud. |
| Elasticsearch | ELK Stack, OpenSearch. |
| Webhook | Any HTTP-capable SIEM or SOAR. |
Configure SIEM Output
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | Integration type: syslog, splunk_hec, elasticsearch, webhook. |
| name | string | Yes | Integration name. |
| config | object | Yes | Type-specific configuration. |
| events | array | No | Event types to forward (default: all). |
| filters | object | No | Event filters (severity, asset tags). |
| active | boolean | No | Enable/disable (default: true). |
Syslog Configuration
Setup
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "syslog",
    "name": "QRadar Syslog",
    "config": {
      "host": "qradar.example.com",
      "port": 514,
      "protocol": "tcp_tls",
      "format": "cef",
      "facility": "local0",
      "tls": {
        "ca_cert": "base64-encoded-ca-cert",
        "verify": true
      }
    },
    "events": ["finding.new", "scan.completed"],
    "filters": {
      "min_severity": "medium"
    }
  }'
```
Syslog Protocols
| Protocol | Port (default) | Encryption |
|---|---|---|
| udp | 514 | None |
| tcp | 514 | None |
| tcp_tls | 6514 | TLS 1.2+ |
CEF Output Format
The header fields are pipe-separated and the extension (key=value pairs) follows on the same line:
```
CEF:0|S4E|Platform|2.4.0|finding.new|SQL Injection Detected|9|src=api.example.com msg=SQL Injection in /api/login cs1Label=finding_id cs1=f-91827 cs2Label=severity cs2=critical cs3Label=cvss cs3=9.8 cs4Label=asset_id cs4=a-1001 rt=Apr 28 2026 12:05:00
```
RFC 5424 Output Format
The PRI value 134 encodes facility local0 (16) and severity informational (6); structured data and the message follow on the same line:
```
<134>1 2026-04-28T12:05:00Z api.s4e.io s4e - finding.new [s4e finding_id="f-91827" severity="critical" cvss="9.8" asset="api.example.com"] SQL Injection in /api/login
```
Splunk HEC Configuration
Setup
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "splunk_hec",
    "name": "Splunk Production",
    "config": {
      "endpoint": "https://splunk.example.com:8088/services/collector/event",
      "token": "your-hec-token",
      "index": "security",
      "sourcetype": "s4e:events",
      "verify_ssl": true
    },
    "events": ["finding.new", "scan.completed", "action.completed"]
  }'
```
Splunk Event Format
Events are wrapped in the HEC envelope:
```json
{
  "time": 1714305900,
  "sourcetype": "s4e:events",
  "source": "s4e",
  "index": "security",
  "event": {
    "event_type": "finding.new",
    "finding_id": "f-91827",
    "title": "SQL Injection in /api/login",
    "severity": "critical",
    "cvss": 9.8,
    "asset": "api.example.com",
    "scan_id": "sc-44021"
  }
}
```
Tip
Create a dedicated Splunk index for S4E events. Use sourcetype=s4e:events with a custom Splunk app for field extraction and dashboards.
Elasticsearch / ELK Configuration
Setup
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "elasticsearch",
    "name": "ELK Stack",
    "config": {
      "hosts": ["https://elasticsearch.example.com:9200"],
      "index_pattern": "s4e-events-{yyyy.MM}",
      "auth": {
        "username": "elastic",
        "password": "your-password"
      },
      "verify_ssl": true
    },
    "events": ["finding.new", "scan.completed"]
  }'
```
Alternative: Logstash Input
If you prefer routing through Logstash, configure S4E as a webhook and use the Logstash HTTP input:
```
input {
  http {
    port => 5044
    codec => json
    # Terminate TLS on Logstash so the webhook payload is not sent in clear text.
    ssl_enabled => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}
filter {
  mutate {
    # Index base name, referenced by the output below so it is defined in one place.
    add_field => { "[@metadata][index]" => "s4e-events" }
  }
  date {
    # Use the S4E event timestamp rather than the ingestion time.
    match => [ "timestamp", "ISO8601" ]
    target => "@timestamp"
  }
  if [event] == "finding.new" {
    mutate { add_tag => ["finding"] }
  }
}
output {
  elasticsearch {
    hosts => ["https://elasticsearch.example.com:9200"]
    # Monthly indices: s4e-events-2026.04, matching the s4e-events-* index template.
    index => "%{[@metadata][index]}-%{+YYYY.MM}"
    user => "elastic"
    password => "changeme"
  }
}
```
Elasticsearch Index Template
```json
{
  "index_patterns": ["s4e-events-*"],
  "template": {
    "settings": {
      "number_of_shards": 1,
      "number_of_replicas": 1
    },
    "mappings": {
      "properties": {
        "event": {"type": "keyword"},
        "timestamp": {"type": "date"},
        "severity": {"type": "keyword"},
        "cvss": {"type": "float"},
        "finding_id": {"type": "keyword"},
        "asset_id": {"type": "keyword"},
        "asset_name": {"type": "text"},
        "title": {"type": "text"},
        "scan_id": {"type": "keyword"}
      }
    }
  }
}
```
QRadar Integration
For IBM QRadar, use the syslog integration with CEF format:
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "syslog",
    "name": "QRadar",
    "config": {
      "host": "qradar.example.com",
      "port": 514,
      "protocol": "tcp",
      "format": "cef"
    }
  }'
```
Configure a QRadar log source with:
- Log Source Type: Universal CEF
- Protocol: Syslog
- Identifier: S4E
Event Field Mapping
| S4E Field | CEF Field | Splunk Field | ELK Field |
|---|---|---|---|
| event | Name | event_type | event |
| finding.title | msg | title | title |
| finding.severity | cs1 | severity | severity |
| finding.cvss | cs3 | cvss | cvss |
| asset.name | src | asset | asset_name |
| timestamp | rt | time | @timestamp |
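A parser for the CEF output format shown above that normalizes a line to the field names of the Elasticsearch index template on this page, resolving custom strings through their csNLabel so the result does not depend on which cs slot a field lands in (the page's CEF sample carries severity in cs2 while the mapping table lists cs1). This is an added example, not S4E code; the sample line is constructed from the page's CEF output and rt is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the CEF line from this page, with its extension on one line as CEF requires.
CEF_SAMPLE = (
    "CEF:0|S4E|Platform|2.4.0|finding.new|SQL Injection Detected|9|"
    "src=api.example.com msg=SQL Injection in /api/login "
    "cs1Label=finding_id cs1=f-91827 cs2Label=severity cs2=critical "
    "cs3Label=cvss cs3=9.8 cs4Label=asset_id cs4=a-1001 rt=Apr 28 2026 12:05:00"
)
HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of key=value extensions."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are '|'-separated; a '\|' inside a field is an escaped pipe, not a separator.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain exactly seven '|' separators")
    record = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    ext = {}
    # Extension values may contain spaces (msg=..., rt=...), so split only before the next key=.
    for pair in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        if key:
            ext[key] = value
    # Resolve custom strings via their csNLabel (cs1Label=finding_id, cs1=... -> finding_id=...).
    for label_key in [k for k in ext if k.endswith("Label")]:
        ext[ext[label_key]] = ext.get(label_key[:-5], "")
    record["ext"] = ext
    return record


def cef_to_document(line):
    """Normalize a CEF line to the field names of the Elasticsearch index template on this page."""
    rec = parse_cef(line)
    ext = rec["ext"]
    # Assumption: rt is UTC, as the RFC 5424 sample for the same event uses a 'Z' timestamp.
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "event": rec["signature_id"],  # finding.new, scan.completed, ...
        "title": ext.get("msg", rec["name"]),
        "severity": ext.get("severity"),
        "cvss": float(ext["cvss"]) if "cvss" in ext else None,
        "finding_id": ext.get("finding_id"),
        "asset_id": ext.get("asset_id"),
        "asset_name": ext.get("src"),
        "timestamp": ts.isoformat(),
    }
```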
Managing Integrations
List Integrations
Test Integration
```bash
curl -X POST "https://api.s4e.io/api/integrations/siem/siem-001/test" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Delete Integration
```bash
curl -X DELETE "https://api.s4e.io/api/integrations/siem/siem-001" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
Warning
Ensure your SIEM endpoint is reachable from S4E's network. Add S4E egress IP ranges to your SIEM firewall allowlist.
Next Steps
- Webhooks for HTTP-based event delivery.
- Event Streaming for real-time SSE events.
- SIEM Integration Guide for step-by-step setup.