Skip to content

feat: syslog/SIEM export (CEF + JSON over udp/tcp/tcp-tls)#2217

Merged
vivekchand merged 1 commit into
mainfrom
feat/siem-cef-exporter
May 28, 2026
Merged

feat: syslog/SIEM export (CEF + JSON over udp/tcp/tcp-tls)#2217
vivekchand merged 1 commit into
mainfrom
feat/siem-cef-exporter

Conversation

@vivekchand
Copy link
Copy Markdown
Owner

@vivekchand vivekchand commented May 28, 2026

Closes #2199.

Summary

Daemon-side SIEM/syslog exporter that forwards every event to a syslog
collector (Splunk / QRadar / ArcSight / Elastic SIEM / any RFC 5424
receiver) as CEF or JSON. Off by default; activates when
CLAWMETRY_SIEM_HOST is set. Composes with the redaction (#2204) and
hash-chain (#2210) cluster — by the time an event reaches the SIEM hook
it has been scrubbed of secrets and stamped with chain_prev_hash /
chain_hash.

Files

File Lines Purpose
clawmetry/siem.py (new) ~470 Formatters + bounded-queue exporter
clawmetry/local_store.py +9 forward_event hook after redaction
tests/test_siem.py (new) ~297 21 unit tests (no real sockets in CI)

Configuration (env vars)

var default purpose
CLAWMETRY_SIEM_HOST (unset) enables the exporter when set
CLAWMETRY_SIEM_PORT 514 syslog port
CLAWMETRY_SIEM_PROTOCOL udp udp / tcp / tcp-tls
CLAWMETRY_SIEM_FORMAT cef cef / json
CLAWMETRY_SIEM_FACILITY 16 syslog facility (local0)
CLAWMETRY_SIEM_APPNAME clawmetry RFC 5424 APP-NAME

Event taxonomy (CEF signature IDs)

Stable map: tool.call → 1001, tool.result → 1002, mcp_call → 1003,
channel.in → 2001, channel.out → 2002, model.completed → 3001,
session.started → 4001, budget_exceeded → 5001, security_threat →
6001, approval_required → 7001, cron_run → 8001, daemon.error →
9002, unknown → 9999. New event types fall through to 9999 rather than
crashing, so adding a new event type does not require a SIEM-side
change.

Local verify (FLYWHEEL §3)

=== UDP (cef) — nc -ul 15514 ===
sent=3 dropped=0 errors=0
<134>1 2026-05-28T07:30:00Z - clawmetry - tool.call - CEF:0|ClawMetry|clawmetry|1.0|1001|Tool Call|3|...
<134>1 ...
<134>1 ...

=== TCP (json) — nc -l 15515 ===
sent=2 errors=0
<134>1 2026-05-28T07:30:01Z - clawmetry - model.completed - {"chain_hash":"...","chain_prev_hash":"0000...", ...}
<134>1 ...

=== pytest ===
21 tests, all pass (security cluster sweep: 42 pass).

Done bar

Daemon-side only; no cloud route or pin change.

🤖 Generated with Claude Code

@vivekchand @claude
feat: syslog/SIEM export (CEF + JSON over udp/tcp/tcp-tls)
6445ad1 
Daemon-side SIEM/syslog exporter — Issue #2199. Forwards ClawMetry
events to Splunk / QRadar / ArcSight / Elastic SIEM or any RFC 5424
collector. Off by default; activates when `CLAWMETRY_SIEM_HOST` is set.

## What

- `clawmetry/siem.py` (~330 LOC): pure formatter functions
  (`format_cef`, `format_json`, `format_syslog_line`) + a bounded-queue
  `SIEMExporter` with a single background sender thread + env-var driven
  singleton getter (`get_default_exporter` / `forward_event`).
- `clawmetry/local_store.py` (+9 LOC): SIEM forward hook in
  `ingest()`, called *after* the redaction pass (#2204) so secrets
  never reach syslog either, and *after* the hash chain stamp (#2210)
  so the SIEM line carries the same audit-grade payload as DuckDB.
  Composes cleanly with both.
- `tests/test_siem.py` (~250 LOC, 21 tests): CEF formatting for tool
  call/result/LLM-usage/security-threat/unknown-fallthrough; CEF
  escaping (\, =, |, \n); JSON formatting + non-serialisable fallback;
  RFC 5424 priority + ISO-8601 timestamp coercion; `SIEMExporter`
  drains queue / drops without blocking / counts writer errors;
  singleton wiring + env-var dispatch / unknown protocol disables.

## Configuration (env vars)

| var                           | default     | purpose                         |
|-------------------------------|-------------|---------------------------------|
| `CLAWMETRY_SIEM_HOST`         | (unset)     | enables the exporter when set   |
| `CLAWMETRY_SIEM_PORT`         | `514`       | syslog port                     |
| `CLAWMETRY_SIEM_PROTOCOL`     | `udp`       | `udp` / `tcp` / `tcp-tls`       |
| `CLAWMETRY_SIEM_FORMAT`       | `cef`       | `cef` / `json`                  |
| `CLAWMETRY_SIEM_FACILITY`     | `16`        | syslog facility (local0)        |
| `CLAWMETRY_SIEM_APPNAME`      | `clawmetry` | RFC 5424 APP-NAME               |

## Event taxonomy (CEF signature IDs)

Stable map: tool.call/tool_call → 1001, tool.result → 1002, mcp_call →
1003, channel.in → 2001, channel.out → 2002, model.completed → 3001,
session.started → 4001, budget_exceeded → 5001, security_threat → 6001,
approval_required → 7001, cron_run → 8001, daemon.error → 9002,
unknown → 9999. New event types fall through to 9999 rather than
crashing, so adding a new event type does not require a SIEM-side change
to be observed.

## Local verify (FLYWHEEL §3 acceptance)

UDP — `nc -ul 15514` listener received 3 CEF lines from
`forward_event(...)` with `sent=3 dropped=0 errors=0`.

TCP — `nc -l 15515` listener received 2 JSON-format events carrying the
hash-chain `chain_prev_hash`/`chain_hash` fields, one line each.

Pytest — 21 new tests pass (`tests/test_siem.py`); 42 tests pass across
the security cluster (redaction + integrity + siem).

## Done bar

- [x] Off by default (no env var → no behaviour change, zero overhead).
- [x] `ingest()` never blocks on socket IO (bounded queue, async worker).
- [x] Collector unreachable does not crash ingest (counted, dropped).
- [x] Composes with #2204 redaction and #2210 hash chain.
- [x] CEF lines parse cleanly in a real syslog collector (verified with
      netcat).

Daemon-side only; no cloud route or pin change.

Closes #2199.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vivekchand vivekchand added the persona-skip Persona-pass cron skips this PR (backend-only, infra, or manually approved) label May 28, 2026
@vivekchand vivekchand merged commit 74291c9 into main May 28, 2026
19 checks passed
@vivekchand vivekchand deleted the feat/siem-cef-exporter branch May 28, 2026 07:09
@vivekchand vivekchand mentioned this pull request May 28, 2026
Merged
5 tasks
vivekchand added a commit that referenced this pull request May 28, 2026
@vivekchand @claude
[RELEASE] SIEM export + verify-integrity daemon-proxy fix (carries #2217
b0035aa 
 + #2222)

CHANGELOG entries for two changes already on main:

1. #2217 — syslog/SIEM export (CEF + JSON over udp/tcp/tcp-tls). New
   Enterprise-grade exporter; off by default. Closes #2199.

2. #2222 — verify-integrity CLI daemon-proxy crash fix. Caught by
   FLYWHEEL §7 live verification immediately after 0.12.342 shipped:
   the new CLI subscript-crashed against any standard install because
   verify_integrity wasn't in the daemon-proxy method allowlist. Two-
   layer fix (allowlist + CLI graceful-None) plus 3 regression tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
vivekchand added a commit that referenced this pull request May 28, 2026
@vivekchand
[RELEASE] SIEM export + verify-integrity daemon-proxy fix (carries #2217
499eafa 
 + #2222) (#2232)

See PR body + CHANGELOG entries.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

persona-skip Persona-pass cron skips this PR (backend-only, infra, or manually approved)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: syslog/SIEM export (CEF + JSON over udp/tcp/tcp-tls)

1 participant

@vivekchand