
Audit export (SIEM)

Orimora can stream its audit log to an external SIEM (Splunk, Elastic, a syslog collector, …). A background drain reads new audit events in order and pushes them to every configured sink, tracking a persisted cursor so it can resume after a restart or outage.

The exporter is enabled automatically when at least one sink is configured — there is no separate on/off switch. Sinks are configured via environment variables (SIEM wiring belongs in your infrastructure config, not a UI form). A read-only status page lives at Settings → Admin → Audit Export.

Three sinks are available (HTTP, syslog and file). Configure one or more; each event is delivered to every configured sink.

The HTTP sink POSTs batches as JSON { "events": [ … ] } to your collector. The request goes through Orimora’s SSRF-guarded outbound fetch, so a collector on a private or cloud-metadata IP address is rejected. If AUDIT_EXPORT_HTTP_SECRET is set, each body is signed; the collector should reject requests whose signature is missing or does not match.

AUDIT_EXPORT_HTTP_URL=https://siem.example.com/ingest
# Optional: sign the raw request body with this secret. Header X-Orimora-Signature: sha256=<hex of HMAC-SHA256(secret, body)>
AUDIT_EXPORT_HTTP_SECRET=a-shared-secret
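The collector side of that signature, as an added example that is not part of the original page or of Orimora itself: it recomputes HMAC-SHA256 over the raw request bytes with the shared secret, compares in constant time, and only then parses the batch. The secret value, the sample batch and the handler's status codes are assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: the secret Orimora would read from
# AUDIT_EXPORT_HTTP_SECRET, and a one-event batch in the {"events": [...]}
# shape the HTTP sink POSTs.
SECRET = b"a-shared-secret"
SAMPLE_BODY = json.dumps(
    {"events": [{"seq": 12345, "action": "document.create",
                 "outcome": "success", "severity": "info"}]}
).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Value of X-Orimora-Signature for a body: sha256=<hex of HMAC-SHA256(body)>."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Check the header against the raw request bytes, before any JSON parsing.
    hmac.compare_digest keeps the comparison constant-time so a collector does
    not leak how many leading hex digits of the expected value matched."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):].lower())


def handle_ingest(secret: bytes, body: bytes, header: Optional[str]):
    """Collector endpoint logic (status codes are this example's choice):
    401 for an unsigned or mismatched body, 400 for a body that is not an
    {"events": [...]} batch, otherwise 200 with the list of events."""
    if not verify_signature(secret, body, header):
        return 401, []
    try:
        batch = json.loads(body)
        events = batch["events"]
        if not isinstance(events, list):
            raise TypeError("events is not a list")
    except (ValueError, KeyError, TypeError):
        return 400, []
    return 200, events
```

Verify over the exact bytes you received; re-serialising the JSON first changes the bytes and the signature will never match. The signature covers only the body, not the URL, headers or a timestamp, so a captured request can be replayed verbatim: keep the endpoint behind TLS and deduplicate events by id or seq on the collector.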

The syslog sink sends one RFC 5424 line per event over UDP (default) or TCP. Facility is local0; severity maps from the event severity (info→6, warning→4, critical→2), so the PRI field is 134, 132 or 130 respectively (PRI = facility × 8 + severity, local0 = 16). The message body is the event JSON. UDP delivery is fire-and-forget, so use TCP if the collector must see every event; neither option encrypts the stream.

AUDIT_EXPORT_SYSLOG_HOST=10.0.0.20
AUDIT_EXPORT_SYSLOG_PORT=514
AUDIT_EXPORT_SYSLOG_PROTOCOL=udp # or tcp
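An added example, not code from the original page or from Orimora, that builds such a line and decodes it the way a collector would: the PRI is split back into facility and severity, anything not from local0 is rejected, and the JSON body is parsed. The page fixes only the facility, the severity mapping and the JSON body; the HOSTNAME, APP-NAME, PROCID and MSGID fields in the header and the sample event are assumptions of this example.

```python
import json
import re

# RFC 5424: PRI = facility * 8 + severity. Orimora uses facility local0 (16)
# and maps event severity info/warning/critical to syslog severity 6/4/2.
FACILITY_LOCAL0 = 16
SEVERITY_TO_SYSLOG = {"info": 6, "warning": 4, "critical": 2}
SYSLOG_TO_SEVERITY = {v: k for k, v in SEVERITY_TO_SYSLOG.items()}

# Constructed sample event with only the fields this example needs.
SAMPLE_EVENT = {
    "seq": 12345,
    "timestamp": "2026-05-31T12:00:00.000Z",
    "action": "document.create",
    "outcome": "success",
    "severity": "warning",
}


def pri(severity: str) -> int:
    """PRI value for an event severity, e.g. 'info' -> 134."""
    return FACILITY_LOCAL0 * 8 + SEVERITY_TO_SYSLOG[severity]


def format_line(event: dict, hostname: str = "orimora-app", app_name: str = "orimora") -> str:
    """Build an RFC 5424 line whose MSG is the compact event JSON.
    PROCID, MSGID and STRUCTURED-DATA are sent as '-' (nil); hostname and
    app_name defaults are assumptions of this example."""
    header = f"<{pri(event['severity'])}>1 {event['timestamp']} {hostname} {app_name} - -"
    return f"{header} - {json.dumps(event, separators=(',', ':'))}"


# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[[^\]]*\]) (.*)$", re.S
)


def parse_line(line: str) -> dict:
    """Decode PRI back to facility/severity, refuse lines that did not come
    from local0, and parse the JSON body. Raises ValueError on anything else."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    facility, syslog_sev = divmod(int(m.group(1)), 8)
    if facility != FACILITY_LOCAL0:
        raise ValueError(f"unexpected facility {facility}")
    if syslog_sev not in SYSLOG_TO_SEVERITY:
        raise ValueError(f"unexpected syslog severity {syslog_sev}")
    return {
        "facility": facility,
        "severity": SYSLOG_TO_SEVERITY[syslog_sev],
        "hostname": m.group(3),
        "event": json.loads(m.group(8)),
    }


def accepts(line: str) -> bool:
    """True if parse_line would accept the line; handy for filtering a mixed feed."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False
```

Filtering on facility and severity at the collector catches misrouted lines from other local0 producers only if they use a different severity set, so pair this with a source-host allowlist on the syslog listener.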

The file sink appends newline-delimited JSON (one object per line) to a path, which is handy for a sidecar log shipper (Vector, Fluent Bit, Promtail).

AUDIT_EXPORT_FILE_PATH=/var/log/orimora/audit-export.ndjson

The drain itself is tuned with:
AUDIT_EXPORT_FLUSH_INTERVAL_SECONDS=60 # how often the drain runs
AUDIT_EXPORT_BATCH_SIZE=500 # max events per batch
AUDIT_EXPORT_VISIBILITY_LAG_SECONDS=10 # skip events newer than this (commit-ordering safety)

The visibility lag (default 10s) means an event is not exported until its timestamp is at least that old. The cursor advances by seq, so without the lag an event whose transaction committed after a higher-numbered event had already been exported would be left behind for good; waiting until events are a few seconds old gives slow commits time to land. The lag should therefore be longer than the slowest transaction that writes audit events. Only one instance runs the drain at a time (it holds a Postgres advisory lock), so horizontal scaling is safe.
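To make the failure mode concrete, here is an added simulation of a seq-cursor drain; it is not Orimora's code, and the timeline, run times and the choice of plain floats for timestamps are constructed for the example. Event seq 2 is assigned its number first but its transaction commits late, after seq 3 is already readable: a drain with no lag advances the cursor past 2 and never exports it, while a 10-second lag picks it up.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    seq: int
    created_at: float   # event timestamp, fixed when the writing transaction started
    visible_at: float   # when that transaction committed and the row became readable


# Constructed timeline (seconds). seq 2's transaction runs for 11 s, so seq 3
# (committed at t=4) is readable long before seq 2 (committed at t=12).
TIMELINE = [
    Event(seq=1, created_at=0.0, visible_at=0.5),
    Event(seq=2, created_at=1.0, visible_at=12.0),
    Event(seq=3, created_at=2.0, visible_at=4.0),
    Event(seq=4, created_at=20.0, visible_at=20.5),
]


def drain_once(events: List[Event], cursor: int, now: float, lag: float) -> Tuple[List[int], int]:
    """One drain run at time `now`: export, in seq order, every readable event above
    the cursor whose timestamp is at least `lag` seconds old, then move the cursor
    to the last exported seq. Returns (exported seqs, new cursor)."""
    batch = sorted(
        (e for e in events
         if e.visible_at <= now and e.seq > cursor and e.created_at <= now - lag),
        key=lambda e: e.seq,
    )
    if not batch:
        return [], cursor
    return [e.seq for e in batch], batch[-1].seq


def simulate(events: List[Event], lag: float, run_times: List[float]) -> List[int]:
    """Run the drain at each time in run_times with a persisted cursor; return every seq exported."""
    cursor, exported = 0, []
    for now in run_times:
        seqs, cursor = drain_once(events, cursor, now, lag)
        exported.extend(seqs)
    return exported


if __name__ == "__main__":
    runs = [5.0, 15.0, 25.0, 35.0]
    print("lag=0 :", simulate(TIMELINE, 0.0, runs))    # seq 2 is lost
    print("lag=10:", simulate(TIMELINE, 10.0, runs))   # all four exported
```

The same simulation also shows the limit of the mechanism: a transaction that stays open longer than the lag can still be skipped if a drain run falls between its timestamp ageing past the lag and its commit, which is why the lag should exceed the slowest audit-writing transaction rather than just "a few seconds".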

On Settings → Admin → Audit Export you can see the enabled sinks, the cursor position, the current backlog (events not yet exported), and the last drain time — and click Send test event to push a synthetic event to your sinks without writing to the audit log.

The event payload looks like:

{
"id": "…uuid…",
"seq": 12345,
"timestamp": "2026-05-31T12:00:00.000Z",
"teamId": "",
"actorId": "",
"action": "document.create",
"resourceType": "document",
"resourceId": "",
"outcome": "success",
"severity": "info",
"ip": "203.0.113.5",
"userAgent": "",
"correlationId": "",
"metadata": {}
}
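Whichever sink you use, the collector can cross-check the stream with this payload shape. The following is an added example (not code from the page or from Orimora) of a consumer-side check over file-sink NDJSON lines: it validates the fields shown above, flags gaps in seq, and drops duplicates by id. It assumes seq is a gapless increasing counter across exported events, and that a batch may be delivered twice if Orimora restarts between pushing it and persisting the cursor; the sample lines are constructed.

```python
import json
from typing import List, Tuple

# Fields every exported event carries (from the payload shown on the page).
REQUIRED_FIELDS = ("id", "seq", "timestamp", "action", "resourceType",
                   "outcome", "severity")


def _event(seq: int) -> dict:
    """Constructed sample event in the page's payload shape; id is derived from seq
    purely so the sample is reproducible."""
    return {
        "id": f"00000000-0000-4000-8000-{seq:012d}", "seq": seq,
        "timestamp": "2026-05-31T12:00:00.000Z", "teamId": "team-1",
        "actorId": "user-1", "action": "document.create",
        "resourceType": "document", "resourceId": f"doc-{seq}",
        "outcome": "success", "severity": "info", "ip": "203.0.113.5",
        "userAgent": "", "correlationId": "", "metadata": {},
    }


# Constructed NDJSON: seq 3 never arrives, seq 4 is delivered twice (a redelivered
# batch), and the last line is truncated mid-write.
SAMPLE_LINES = [
    json.dumps(_event(1), separators=(",", ":")),
    json.dumps(_event(2), separators=(",", ":")),
    json.dumps(_event(4), separators=(",", ":")),
    json.dumps(_event(4), separators=(",", ":")),
    json.dumps(_event(5), separators=(",", ":")),
    '{"id":"00000000-0000-4000-8000-000000000006","seq":6,"timest',
]


def check_stream(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Return (accepted events in arrival order, problems). Problems are strings a
    SIEM rule can alert on: malformed lines, missing fields, seq gaps and duplicates."""
    seen_ids = set()
    events, problems = [], []
    last_seq = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append(f"line {n}: invalid JSON ({exc.msg})")
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in ev]
        if missing:
            problems.append(f"line {n}: missing fields {missing}")
            continue
        if ev["id"] in seen_ids:
            problems.append(f"line {n}: duplicate event id {ev['id']} (seq {ev['seq']})")
            continue
        if last_seq is not None and ev["seq"] != last_seq + 1:
            problems.append(f"line {n}: seq gap, expected {last_seq + 1} got {ev['seq']}")
        seen_ids.add(ev["id"])
        events.append(ev)
        last_seq = ev["seq"]
    return events, problems
```

A seq gap on the collector means events were lost somewhere between the drain and the SIEM (or the file was rotated mid-batch); a gap that never closes is worth an alert, because an audit trail with silent holes is worse than one you know is incomplete. In production, carry seen ids and the last seq across restarts instead of keeping them in memory.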

See Audit log actions for the full list of action values.