Skip to content

SIEM Integration and Audit Log Analysis

Excalibur supports integration with Security Information and Event Management (SIEM) systems to enable continuous auditing, centralized log analysis, and security monitoring. Integration is based on the standard syslog protocol, ensuring broad compatibility with industry-standard SIEM platforms.

SIEM Compatibility

Excalibur supports all SIEM solutions that accept standard syslog input. This vendor-neutral approach allows customers to use their preferred SIEM without requiring custom connectors or proprietary agents.

Key points:

  • Protocol: Standard syslog
  • Format: SIEM-compatible audit logs
  • Compatibility: Any SIEM supporting syslog ingestion

This makes Excalibur suitable for both on-premises and cloud-based security monitoring architectures.

Encryption and Transport

Excalibur has been tested with unencrypted syslog.

From a technical perspective, encrypted syslog (for example, syslog over TLS) should also function correctly if supported and configured on the SIEM side.

Any previously mentioned "limitations" refer specifically to log transport encryption, not to SIEM functionality or log content.

Supported SIEM Platforms

Because Excalibur uses the syslog standard, it integrates with common enterprise SIEM solutions such as:

  • Splunk Enterprise Security
  • IBM QRadar
  • Microsoft Sentinel
  • Elastic Security (Elastic SIEM)
  • LogRhythm

Once Excalibur audit logs are ingested into a SIEM, monitor for:

  1. Creation, suspension, or modification of privileged users

    • Monitor when privileged access inside Excalibur is granted, changed, or removed.
    • Example: someone is added to an admin role or given access to production systems.

  2. Access to critical or sensitive data

    • Monitor when users access high-risk targets via Excalibur.
    • Example: connecting to a production database, domain controller, or other sensitive server.

  3. Unusual activity (e.g., large or unexpected deletions)

    • Monitor for abnormal behaviour during or around privileged sessions.
    • Examples:
      • Access at unusual times
      • Sudden spike in sessions
      • Bulk downloads of session recordings
      • Behaviour that deviates from a user's normal pattern

  4. Changes to user roles or permissions

    • Monitor changes to RBAC or access policies in Excalibur.
    • Example: someone changes who can access which targets or elevates permissions.

  5. Administrative updates to systems, databases, or servers

    • Monitor significant system-level changes made through privileged access.
    • Examples:
      • Modifying server configurations
      • Changing database settings
      • Updating Excalibur configuration (targets, connectors, policies)

Benefits

Using a SIEM with Excalibur audit logs provides:

  • Centralized security visibility
  • Faster detection of abnormal or suspicious behavior
  • Improved incident investigation
  • Support for security audits and compliance requirements

For detailed SIEM guidance, see the Auditor Manual.