Audit log export connector
The audit log export connector feature allows administrators to configure one or more connectors that forward OpenIAM audit events to external systems such as Splunk, a syslog server, or any generic webhook endpoint. Connectors can operate in real time (streaming events as they occur) or on a scheduled interval (batch export).
Accessing audit log export connectors
Navigate to Webconsole > Audit Log Export Connectors (/webconsole/audit-export-connectors).
The search screen displays all configured connectors with the following columns:
| Column | Description |
|---|---|
| Name | The display name of the connector. |
| Connector Type | SYSLOG, SPLUNK_HEC, or GENERIC_WEBHOOK. |
| Mode | REALTIME or SCHEDULED. |
| Enabled | Whether the connector is active. |
Click a connector name to edit it, or click Add to create a new one.
Creating / Editing a connector
The edit screen is divided into three sections.
General settings
| Field | Type | Required | Description |
|---|---|---|---|
| Name | Text | Yes | A unique display name for this connector. |
| Connector Type | Select | Yes | The target system type: SYSLOG, SPLUNK_HEC, or GENERIC_WEBHOOK. |
| Export Mode | Select | Yes | REALTIME — events are forwarded as they occur; SCHEDULED — events are batched and sent on an interval. |
| Enabled | Checkbox | — | Enables or disables the connector without deleting it. |
| Send Child Rows | Checkbox | — | When enabled, child or related audit log rows are included in each exported event. |
| Actions | Multi-select | — | The specific audit action types to export. If left empty, behavior depends on backend configuration. Selecting actions filters which events are forwarded. |
| Schedule Interval (ms) | Number | Conditional | Visible only when Export Mode is SCHEDULED. Defines how frequently (in milliseconds) the batch export runs. |
Syslog settings
Visible only when Connector Type is SYSLOG.
| Field | Type | Required | Description |
|---|---|---|---|
| Hostname | Text | Yes | The hostname or IP address of the target syslog server. |
| Port | Number | Yes | The UDP/TCP port of the syslog server. |
| Facility | Text | No | Syslog facility value (e.g., LOCAL0). |
| Severity | Text | No | Syslog severity level (e.g., INFO, WARNING). |
| Ident | Text | No | Application identifier included in the syslog message header. |
| Message Order | Text | No | Controls the ordering of fields within the syslog message. |
| Verify TLS Certificate | Checkbox | — | When enabled, the server's TLS certificate is validated. |
HTTP settings
Visible only when Connector Type is SPLUNK_HEC or GENERIC_WEBHOOK.
| Field | Type | Required | Description |
|---|---|---|---|
| HTTP Endpoint URL | Text | Yes | The full URL of the target endpoint (e.g., Splunk HEC URL). |
| Authentication Token | Password | No | Bearer or API token sent with each request. Displayed as *** after saving; leave as *** when editing to keep the existing value. |
| Auth Header Name | Text | No | The HTTP header name used to pass the token (defaults to the standard Authorization header if left blank). |
| Verify TLS Certificate | Checkbox | — | When enabled, the server's TLS certificate is validated. |
Connector types
SYSLOG
Forwards audit events in syslog format over the network to a syslog aggregator or SIEM. Configure the target host, port, and optional syslog fields (facility, severity, ident).
SPLUNK_HEC
Sends audit events to a Splunk HTTP Event Collector endpoint. Requires the HEC URL and a valid HEC token.
GENERIC_WEBHOOK
Sends audit events as HTTP POST payloads to any HTTP endpoint. Useful for integrations with custom log pipelines, alerting systems, or other SIEMs.
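The following is an added example, not OpenIAM code: a minimal receiver for checking a GENERIC_WEBHOOK connector, which validates the token in the configured header before it reads any request body. The token value, the port, and the tolerance for an optional "Bearer " prefix are assumptions; this page does not specify the payload format, so the body is treated as opaque bytes.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values, not from the OpenIAM documentation.
EXPECTED_TOKEN = "constructed-test-token"  # constructed; same value as the connector's token
AUTH_HEADER = "Authorization"              # must match the connector's Auth Header Name
MAX_BODY = 1 << 20                         # reject bodies larger than 1 MiB


def token_ok(value, expected=EXPECTED_TOKEN):
    """Compare the presented token in constant time; tolerate a 'Bearer ' prefix."""
    if not value:
        return False
    presented = value.strip()
    if presented.lower().startswith("bearer "):
        presented = presented[7:].strip()
    return hmac.compare_digest(presented.encode(), expected.encode())


def decide(headers):
    """Return (status, body_length) from headers alone, before the body is read."""
    if not token_ok(headers.get(AUTH_HEADER)):
        return 401, 0
    try:
        length = int(headers.get("Content-Length", ""))
    except ValueError:
        return 400, 0
    if length < 0:
        return 400, 0
    if length > MAX_BODY:
        return 413, 0
    return 200, length


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        status, length = decide(self.headers)
        # Only authenticated, size-bounded requests get their body read.
        body = self.rfile.read(length) if status == 200 else b""
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()
        # Log size only; audit events may contain sensitive identity data.
        self.log_message("status=%d bytes=%d", status, len(body))


if __name__ == "__main__":
    # Loopback, plain HTTP: for a lab check only. Terminate TLS in front of it otherwise.
    HTTPServer(("127.0.0.1", 8088), Handler).serve_forever()
```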
Export modes
REALTIME
Events are forwarded to the target system as they are generated. This mode is suitable for use cases requiring low-latency visibility into audit activity (e.g., security alerting in Splunk).
SCHEDULED
Events are collected and forwarded in batches at a configurable interval defined by Schedule Interval (ms). This mode is suitable for non-latency-sensitive exports or when the target system has rate limits.
Saving and deleting
| Action | Description |
|---|---|
| Save | Creates or updates the connector. On success, the page redirects to the edit view for the saved connector. |
| Delete | Permanently removes the connector. Only available when editing an existing connector. |
| Cancel | Discards unsaved changes and returns to the search screen. Only available when editing an existing connector. |
- The Authentication Token field intentionally masks the stored value as *** for security. Leave it as *** if you do not intend to change the token.
- Multiple connectors can be configured simultaneously, each targeting different systems or filtering different event types.
- The Actions multi-select is populated dynamically from the full list of available AuditAction values in the system.