SIEM forwarder

AKKO v2026.04 ships an optional sub-chart akko-siem-forwarder (Fluent Bit, Apache 2.0) that fans out every audit event to one or several corporate SIEMs — Splunk HEC, Microsoft Sentinel, Elastic Stack, or any generic HTTP JSON endpoint (logs layer, Sumo Logic, custom broker).

Addresses the NIS2 Art. 21(2)(b) requirement to forward incident-handling evidence.

Enable

# 1. Create the credentials Secret (use SealedSecrets / ExternalSecrets in prod)
kubectl create secret generic akko-siem-creds -n akko \
  --from-literal=splunk_token=$SPLUNK_HEC_TOKEN \
  --from-literal=sentinel_shared_key=$SENTINEL_KEY \
  --from-literal=elastic_api_key=$ELASTIC_KEY

# 2. Upgrade the chart with the targets you want
helm upgrade akko oci://harbor.akko-ai.com/akko-charts/akko \
  --version 2026.04 \
  -f values-harbor.yaml \
  -f values-dev-secrets.yaml \
  --set akko-siem-forwarder.enabled=true \
  --set akko-siem-forwarder.targets.splunk.enabled=true \
  --set akko-siem-forwarder.targets.splunk.hecUrl=https://hec.customer.example:8088 \
  --set akko-siem-forwarder.targets.sentinel.enabled=true \
  --set akko-siem-forwarder.targets.sentinel.workspaceId=<guid>

What gets forwarded

Every record in logs layer tagged audit_type:* is included:

Audit source           Tag               Produced by
---------------------  ----------------  --------------------------------
AI function RBAC       AI_RBAC           akko-ai-service middleware
Catalog lifecycle      CATALOG_MANAGER   akko-catalog-manager
Tenant lifecycle       TENANT_LIFECYCLE  akko-tenant Helm hook Jobs
Keycloak events        KEYCLOAK          kc-events webhook → logs layer
OPA decisions          OPA_DECISION      OPA decision log plugin
Trino query log        TRINO_QUERY       trino event listener
Object storage audit   MINIO_AUDIT       object storage audit webhook
GDPR endpoint          GDPR              akko-catalog-manager routes_gdpr
ADEN receipt           ADEN_RECEIPT      akko-aden audit_receipt

Target details

Splunk HEC

akko-siem-forwarder:
  enabled: true
  targets:
    splunk:
      enabled: true
      hecUrl: "https://hec.splunk.customer.example:8088"
      tokenSecretName: akko-siem-creds
      tokenSecretKey: splunk_token
      index: "akko"

The Fluent Bit splunk output connects over HTTPS with TLS verification on and sends the HEC token in the Authorization header.

Microsoft Sentinel

akko-siem-forwarder:
  targets:
    sentinel:
      enabled: true
      workspaceId: "<GUID>"
      sharedKeySecretKey: sentinel_shared_key
      logType: "AKKOAudit"

Fluent Bit azure output POSTs to the Log Analytics data collector API with SHA256 HMAC auth. Logs land in the AKKOAudit_CL custom table.

Elastic Stack

akko-siem-forwarder:
  targets:
    elastic:
      enabled: true
      host: "elastic.customer.example:9200"
      apiKeySecretKey: elastic_api_key
      index: "akko-audit-%{+YYYY.MM.dd}"

Logstash-style daily index rotation. If you already run Elastic Security, use the .security-* index template.

Generic HTTP JSON

For any other SIEM (Sumo Logic HTTP source, logs layer /loki/api/v1/push, custom broker):

akko-siem-forwarder:
  targets:
    generic_http:
      enabled: true
      url: "https://ingest.customer.example/v1/events"
      authHeaderSecretKey: generic_http_auth

Verify

# Sidecar pod runs?
kubectl -n akko get pod -l app.kubernetes.io/name=akko-siem-forwarder

# Metrics port answers?
kubectl -n akko port-forward svc/akko-akko-siem-forwarder 2020 &
curl -s http://localhost:2020/api/v1/metrics | jq '.output'

# Send a synthetic event through Fluent Bit's HTTP input
kubectl -n akko exec deploy/akko-akko-siem-forwarder -- \
  curl -s -X POST http://localhost:8888 \
    -H "Content-Type: application/json" \
    -d '{"audit_type":"TEST","event":"ping","timestamp":1713542400}'

Then look for the event in each SIEM — it should appear within 10 s.

Observability

Fluent Bit exposes Prometheus metrics at /api/v1/metrics/prometheus on port 2020. Key gauges/counters:

  • fluentbit_input_bytes_total{name="http"}
  • fluentbit_output_proc_records_total{name="splunk"}
  • fluentbit_output_errors_total{name="azure"}
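A small health check built on these counters, added here as an example (not part of the chart or of Fluent Bit): it parses the Prometheus text exposition scraped from port 2020 and gives one verdict per output target. It assumes the outputs are aliased so the name label is the bare target (splunk, azure, es), as the metric names above show, and the sample scrape below is constructed; fluentbit_output_retries_failed_total is Fluent Bit's standard counter for flushes that exhausted their retries.

```python
"""Judge each SIEM target's health from Fluent Bit's Prometheus metrics."""
import re

# One exposition line, e.g.  fluentbit_output_errors_total{name="splunk"} 3
LINE_RE = re.compile(r'^(?P<metric>[A-Za-z_:][\w:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)')
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed scrape: splunk healthy, azure rejecting every flush, es retrying.
SAMPLE = """\
# HELP fluentbit_input_bytes_total Number of input bytes.
# TYPE fluentbit_input_bytes_total counter
fluentbit_input_bytes_total{name="http"} 48213
fluentbit_output_proc_records_total{name="splunk"} 1180
fluentbit_output_errors_total{name="splunk"} 0
fluentbit_output_proc_records_total{name="azure"} 0
fluentbit_output_errors_total{name="azure"} 27
fluentbit_output_proc_records_total{name="es"} 1180
fluentbit_output_errors_total{name="es"} 2
fluentbit_output_retries_failed_total{name="es"} 4
"""


def parse_metrics(text):
    """Return {(metric, name_label): value} for every fluentbit_* sample."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or not m.group("metric").startswith("fluentbit_"):
            continue
        labels = dict(LABEL_RE.findall(m.group("labels") or ""))
        samples[(m.group("metric"), labels.get("name", ""))] = float(m.group("value"))
    return samples


def target_health(samples):
    """Map each output target to idle / failing / degraded / ok."""
    targets = {name for (metric, name) in samples if metric.startswith("fluentbit_output_")}
    verdicts = {}
    for name in sorted(targets):
        def counter(kind):
            return samples.get((f"fluentbit_output_{kind}_total", name), 0.0)
        proc, errors, failed = counter("proc_records"), counter("errors"), counter("retries_failed")
        if proc == 0 and errors == 0:
            verdicts[name] = "idle"       # nothing flushed yet: check the input side
        elif proc == 0:
            verdicts[name] = "failing"    # every flush rejected: typical of a 401/403
        elif failed > 0 or errors / proc > 0.05:
            verdicts[name] = "degraded"   # retries exhausted: ingest quota / backpressure
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for target, verdict in target_health(parse_metrics(SAMPLE)).items():
        print(f"{target:8s} {verdict}")
```

Feed it the output of `curl -s http://localhost:2020/api/v1/metrics/prometheus` from the port-forward in the Verify section; a "failing" target points at the credential rows in Troubleshooting, a "degraded" one at the backpressure row.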

Troubleshooting

Symptom              Cause                         Fix
-------------------  ----------------------------  ----------------------------------------------------------------
Splunk 401           HEC token wrong or disabled   curl -k -H "Authorization: Splunk <token>" $HEC_URL/services/collector/event -d '{"event":"ping"}'
Sentinel 403         Shared key expired            Rotate in Azure Portal → Log Analytics workspace → Agents → Primary Key
Elastic 401          API key revoked               POST /_security/api_key with AKKO index permissions
No records flowing   VLOGS_URL unreachable         kubectl exec ... -- curl -s $VLOGS_URL | head
Backpressure alerts  SIEM ingest quota exceeded    Temporarily throttle by raising pollIntervalSeconds