Observability
Stream every event to your SIEM, signed and verifiable.
Audit and security events push in real time to Splunk, Datadog, Elastic, Microsoft Sentinel, S3 WORM, or plain syslog. Each event is wrapped in a signed JWT envelope over mTLS. Reconnects replay any gap; drains stop gracefully.
Synaptyx
Splunk
Datadog
Elastic
Sentinel
S3 WORM
Syslog
How it works
1
Event emitted
An audit row is signed and broadcast to the SIEM pusher.
2
Wrapped in JWT
Event + audit signature wrapped in a JWS envelope keyed per destination.
3
Pushed over mTLS
Mutual TLS to your sink. No plaintext, no API key in transit.
4
Replay on reconnect
Gaps are auto-replayed from the durable buffer.
Deep dives
Signed envelopes
Your sink verifies the JWS signature with our pubkey - events can't be forged in transit, and your SIEM can prove provenance during an audit.
Delivery guarantees
At-least-once with idempotent IDs. Backpressure when your sink slows. Drain mode flushes pending then stops cleanly.
WORM / compliance sinks
S3 Object Lock in governance or compliance mode for immutable storage - auditors get retention proof out of the box.
Configure a sink
config · yaml
sinks:
- name: splunk-prod
kind: splunk_hec
endpoint: https://splunk.acme.internal:8088
mtls:
cert_ref: vault://platform/splunk/client-cert
filters:
- action_prefix: audit.session → include
- action_prefix: audit.vault → include
- jsonpath: $.actor.role == "viewer" → exclude
delivery:
format: ecs
batch: 100
backoff: 2s → 30s
Your SIEM is the source of truth - we just feed it, signed.
When the breach inquiry comes in, the auditor uses your signed records - not ours. We're the courier.
Compare
| Synaptyx | Webhooks (unsigned) | Manual log export | |
|---|---|---|---|
| Real-time delivery | mTLS push | unsigned POST | batch only |
| Signed envelopes | JWS · per sink key | no | no |
| Replay on reconnect | durable buffer | drop on failure | N/A |
| Multiple sinks | all simultaneously | one URL | manual |
| WORM compliance | S3 Object Lock (Enterprise) | no | no |
FAQ
Events buffer locally (default 30 days) and replay on reconnect with idempotent IDs. The control plane keeps running.
Yes. A common setup is Splunk for SOC + S3 WORM for compliance + Datadog for engineering - all from the same event stream with independent filter rules.
ECS (Elastic Common Schema) by default; raw_json, CEF, LEEF, syslog, and OCSF variants are available per sink, plus custom field mappings via a YAML transform.
Per-sink filter rules support jsonpath → redact. PII fields can be stripped before they reach lower-trust sinks.
Ready to govern your AI infrastructure?
Request access in minutes - or talk to us about your air-gap deployment.