Export audit log to a SIEM

Ship Olympus's security_audit events to Splunk, Datadog, or Elastic

For SOC 2 / ISO 27001 compliance, audit events should land in a central, immutable SIEM with retention.

Source: security_audit table

The SDK writes every security-relevant event to olympus.security_audit:

SELECT event_type, identity_id, source_ip, metadata, created_at
FROM security_audit
ORDER BY created_at DESC
LIMIT 10;

Approach 1: Pull from Postgres

A scheduled job pulls new events since the last cursor:

#!/usr/bin/env bash
# Daily cron: export events newer than the stored cursor, advance the cursor only on success
set -euo pipefail
CURSOR=/var/lib/olympus/last-audit-ts
LAST_TS=$(cat "$CURSOR")
NOW=$(date -u +%FT%TZ)   # taken before the query so rows written during the export are picked up next run
# psql -At prints one JSON document per line (COPY's text format would backslash-escape the JSON);
# each row is wrapped in HEC's {"event": ..., "time": ...} envelope so Splunk keeps the original timestamp
psql olympus -v ON_ERROR_STOP=1 -At -c "
  SELECT json_build_object('event', row_to_json(security_audit),
                           'time',  extract(epoch FROM created_at))
  FROM security_audit
  WHERE created_at > '$LAST_TS' AND created_at <= '$NOW'
  ORDER BY created_at
" | gzip | curl --fail -sS -X POST --data-binary @- \
  -H "Authorization: Splunk $SPLUNK_HEC_TOKEN" \
  -H "Content-Encoding: gzip" \
  https://splunk.your-domain/services/collector
echo "$NOW" > "$CURSOR"   # not reached if psql, gzip or curl failed (pipefail), so no events are skipped

Simple but introduces lag (up to one cron interval).

Approach 2: Real-time via Postgres logical replication

For real-time:

  1. Enable wal_level=logical on Postgres.
  2. Create a publication for security_audit.
  3. Use Debezium or pg2something to stream changes.

Higher complexity, near-zero lag.

Approach 3: Direct stdout shipping

Configure the SDK to emit each audit event to stdout (process.stdout.write(JSON.stringify(...))). The container log shipper (Promtail, Datadog Agent, fluent-bit) picks them up.

// In sdk/src/security-audit.ts
process.stdout.write(JSON.stringify({
  type: "audit",
  ...event,
}) + "\n");

Then in your log shipper's parsing rules: route type=audit to your SIEM topic.

This is the cleanest pattern but requires log-shipping infrastructure to be reliable.

Per-SIEM tips

Splunk

Use HEC (HTTP Event Collector). Tag with index=olympus_audit, sourcetype=json. Set retention to 13 months or per your compliance policy.

Datadog

Use the Datadog Agent's logging integration. Configure service:olympus-audit. Set facets on event_type, domain, identity_id.

Elastic / Elasticsearch

Use Filebeat or Logstash. Index pattern olympus-audit-*, with ILM for retention.

Required dashboards / alerts

Set up at minimum:

  1. Failed login rate per minute: a spike indicates an attack.
  2. Lockouts applied per hour: a spike indicates a distributed attack.
  3. Admin actions: every operation by role=admin is auditable; alert on unusual activity.
  4. Settings changes: event_type=settings.changed should be rare and reviewed.
  5. Encryption-key-related errors: cipher_decrypt_fail is critical.
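As an added example (not code from the Olympus SDK or these docs), a small evaluator that applies the alert conditions above to the NDJSON audit stream emitted in Approach 3. The event_type values login.failed and lockout.applied, the use of created_at as the event time, and both thresholds are assumptions to be tuned to your baseline; settings.changed and cipher_decrypt_fail come from the list above.

```javascript
// Added example, not the Olympus SDK's code: evaluate the minimum alert set over NDJSON audit lines
// as emitted by Approach 3. settings.changed and cipher_decrypt_fail are event_type values from the
// docs; login.failed, lockout.applied and both thresholds are assumptions to be tuned locally.
const FAILED_LOGINS_PER_MINUTE = 20;
const LOCKOUTS_PER_HOUR = 10;

// Count an event into a fixed time window (per minute or per hour) keyed by the window start.
function countInWindow(counts, ts, windowMs) {
  const t = Date.parse(ts);
  if (Number.isNaN(t)) return; // malformed or missing created_at: skip rather than crash the evaluator
  const key = new Date(Math.floor(t / windowMs) * windowMs).toISOString();
  counts[key] = (counts[key] || 0) + 1;
}

function evaluateAlerts(ndjson) {
  const alerts = [], failedPerMinute = {}, lockoutsPerHour = {};
  for (const line of ndjson.split("\n")) {
    if (line.trim() === "") continue;
    let ev;
    try { ev = JSON.parse(line); } catch (e) {
      alerts.push(`unparseable audit line: ${line.slice(0, 60)}`); // a gap in the trail is worth a look
      continue;
    }
    if (ev.type !== "audit") continue; // only the audit stream is routed to the SIEM topic
    if (ev.event_type === "login.failed") countInWindow(failedPerMinute, ev.created_at, 60000);
    else if (ev.event_type === "lockout.applied") countInWindow(lockoutsPerHour, ev.created_at, 3600000);
    else if (ev.event_type === "settings.changed")
      alerts.push(`settings.changed by ${ev.identity_id || "unknown"} at ${ev.created_at}: review`);
    else if (ev.event_type === "cipher_decrypt_fail")
      alerts.push(`CRITICAL cipher_decrypt_fail at ${ev.created_at}`);
  }
  for (const k of Object.keys(failedPerMinute))
    if (failedPerMinute[k] > FAILED_LOGINS_PER_MINUTE) alerts.push(`failed-login spike: ${failedPerMinute[k]} in minute ${k}`);
  for (const k of Object.keys(lockoutsPerHour))
    if (lockoutsPerHour[k] > LOCKOUTS_PER_HOUR) alerts.push(`lockout spike: ${lockoutsPerHour[k]} in hour ${k}`);
  return alerts;
}

// Constructed sample: 25 failed logins inside one minute, one settings change, one decrypt failure,
// and a non-audit stdout line that must be ignored.
const sampleLines = [];
for (let i = 0; i < 25; i++)
  sampleLines.push(JSON.stringify({ type: "audit", event_type: "login.failed", identity_id: "u1",
    created_at: `2024-05-01T10:00:${("0" + i).slice(-2)}Z` }));
sampleLines.push(JSON.stringify({ type: "audit", event_type: "settings.changed", identity_id: "admin-1", created_at: "2024-05-01T10:05:00Z" }));
sampleLines.push(JSON.stringify({ type: "audit", event_type: "cipher_decrypt_fail", created_at: "2024-05-01T10:06:00Z" }));
sampleLines.push('{"type":"request","path":"/health"}');
const SAMPLE_NDJSON = sampleLines.join("\n");
```

Running `evaluateAlerts(SAMPLE_NDJSON)` yields the settings-change review, the critical decrypt failure and the 25-per-minute failed-login spike, and nothing for the non-audit line.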

Retention

  • Hot (queryable): 90 days.
  • Cold (archived): 13 months for SOC 2, 7 years for some regulations.

Use the SIEM's archiving features to move old events out of hot storage.