Stream Activity Events to Third-Party SIEMs

openZro emits a structured stream of activity events — peer logins,
posture decisions, admission gate verdicts, policy changes,
configuration updates, IdP-Sync runs — that you can fan out to your
SIEM in real time. The feature ships in the management binary and
is configured via environment variables; see management/server/activity/exporter for the implementation.
Supported destinations

| Destination | Wire protocol | Use when |
|---|---|---|
| Datadog | Logs Intake API (HTTPS) | You're already on Datadog and want events alongside the rest of your observability |
| Elastic | Bulk API + ECS-shaped JSON | You run Elastic / Kibana / OpenSearch as your primary SIEM |
| Generic HTTP | POST / PUT to any URL | Anything else — Splunk via HEC, Grafana Loki, Vector, Fluent Bit, a custom endpoint; optionally with a custom payload template |

The destinations are independent — you can run any combination of the three concurrently. Slow downstreams don't block each other, and a transient outage at one doesn't drop events for the others.
Activity streaming is implemented end-to-end in the BSD-3 open-source build — there is no licensing gate. The streamer runs alongside the rest of the management binary; events are emitted within ~1 second of the originating action.
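To make the isolation property above concrete, here is an added illustration (not openZro's own exporter code; the `Event`, `Sink` and `FanOut` names are assumed) of the pattern that gives it: one bounded queue and one delivery worker per destination, with a non-blocking publish, so a stalled generic HTTP endpoint can neither hold up Datadog or Elastic delivery nor back-pressure the management process.

```go
package main

import "sync/atomic"
// Event is one activity record (peer login, posture decision, policy change, ...).
type Event struct{ Kind, Actor, Detail string }
// Sink delivers one event to a destination (Datadog, Elastic, generic HTTP).
type Sink func(Event) error

// dest owns one bounded queue, one delivery worker and a lost-event counter.
type dest struct {
	dropped int64 // accessed atomically; first field keeps it 64-bit aligned
	queue   chan Event
}

// run is the per-destination worker; a failed delivery is counted and stays local.
func (d *dest) run(send Sink) {
	for ev := range d.queue {
		if err := send(ev); err != nil {
			atomic.AddInt64(&d.dropped, 1)
		}
	}
}

// FanOut copies every event to each destination independently: a stalled or failing sink loses only its own events.
type FanOut struct{ dests map[string]*dest }

func NewFanOut(queueSize int, sinks map[string]Sink) *FanOut {
	f := &FanOut{dests: map[string]*dest{}}
	for name, send := range sinks {
		f.dests[name] = &dest{queue: make(chan Event, queueSize)}
		go f.dests[name].run(send)
	}
	return f
}

// Publish never blocks: a full queue means that downstream is stalled, so the
// event is dropped and counted for that destination only.
func (f *FanOut) Publish(ev Event) {
	for _, d := range f.dests {
		select {
		case d.queue <- ev:
		default:
			atomic.AddInt64(&d.dropped, 1)
		}
	}
}

// Dropped reports one destination's losses; alert on it so a SIEM gap is not silent.
func (f *FanOut) Dropped(name string) int64 { return atomic.LoadInt64(&f.dests[name].dropped) }
```

The drop counter is the part worth wiring to an alert: a destination that is silently losing events is a blind spot in the SIEM, not just a performance issue. A production exporter would retry with backoff before counting a failed delivery as a drop.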
Per-destination guides
Elastic doesn't have its own walkthrough yet; configure it via the
environment variables documented at
activity/exporter/factory.go
(OPENZRO_ACTIVITY_EXPORT_ELASTIC_*). A walkthrough is on the
roadmap.