SIEM (Any Provider)

If your SIEM platform is not among our natively supported options, use our Generic SIEM Connector, listed as the SIEM (Any Provider) Connector in our SIEM integration catalog. It integrates with any SIEM system or logging server that can receive data in JSON format over HTTP, whether cloud-based or on premises.

The connector sends event and log data as JSON over HTTP, so the SIEM or log collector receives it in a format ready for detection, correlation, and incident response.

Getting Started with SIEM (Any Provider) Integration

To forward logs through the SIEM (Any Provider) generic connector, first configure your chosen SIEM platform or log collector to accept HTTP data ingestion in JSON format.

Enable HTTP data ingestion and generate an API token or other authentication credentials. Note the data ingestion URL or endpoint URL and the generated token. You will need both to configure the integration in Files.com.

Configuring Files.com to Integrate with your SIEM Provider

When setting up the SIEM (Any Provider) connector in Files.com, enter a name for the integration to help keep it organized. Then provide the Destination URL, which is the data ingestion URL or endpoint URL from your SIEM or log collector's configuration. For authentication, include the token either directly in the Destination URL (if your SIEM provider accepts that format) or as an additional HTTP header.

Generic Payload Type

The SIEM (Any Provider) integration sends log records in batches of up to 100 entries. Each entry is a JSON object. All JSON objects of the same log type share a consistent set of key-value pairs, which keeps parsing on the SIEM or log collector predictable.

When configuring the integration and selecting the Generic Payload Type in the form, you have two options for payload formats: Newline and Array. These formats determine how multiple JSON objects are combined into a single payload. Pick the format your SIEM system requires.

The Newline format places each JSON object on a separate line, separated by a newline character. The Array format uses standard JSON array syntax: it starts with [, lists each JSON object separated by a comma (,), and ends with ].

Example of Newline:

{ "key" : "value" }
{ "key" : "another value" }

Example of Array:

[{ "key" : "value" }, { "key" : "another value" }]

Additional Headers

Passing additional HTTP headers is optional. They are useful for authentication tokens, content types, custom behaviors, security headers, or request tracing.

If extra headers are needed for your SIEM setup, configure them by specifying the Header Name and Header Value in the respective Key and Value fields.
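The following is an added example, not code from Files.com or from this page: a minimal receiver-side handler of the kind a SIEM or log collector runs for this connector. It covers both passages above: it accepts a batch in either the Newline or the Array payload format (detected from the body itself), enforces the 100-entry batch limit and the one-object-per-entry rule, and validates a token carried in an additional HTTP header. The header name (Authorization with a Bearer value), the token value, and the function names are assumptions made for this example.

```python
import hmac
import json

# Constructed values for this example; a real collector reads the expected
# token from its own configuration rather than a literal in source.
EXPECTED_TOKEN = "example-token-not-real"
MAX_BATCH = 100  # the connector sends at most 100 entries per batch


def parse_generic_payload(body: str) -> list[dict]:
    """Parse a batch in either Newline or Array format.

    The format is detected from the payload: a body whose first non-blank
    character is '[' is treated as a JSON array, anything else as
    newline-delimited JSON objects (one object per line).
    """
    text = body.strip()
    if not text:
        return []
    if text.startswith("["):
        entries = json.loads(text)
        if not isinstance(entries, list):
            raise ValueError("Array payload did not decode to a list")
    else:
        entries = []
        for lineno, line in enumerate(text.splitlines(), start=1):
            line = line.strip()
            if not line:
                continue  # tolerate blank lines between records
            try:
                entries.append(json.loads(line))
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc
    if len(entries) > MAX_BATCH:
        raise ValueError(f"batch of {len(entries)} exceeds {MAX_BATCH} entries")
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {index} is not a JSON object")
    return entries


def check_auth_header(headers: dict[str, str]) -> bool:
    """Validate the token carried in an additional HTTP header.

    The 'Authorization: Bearer <token>' convention is an assumption for this
    example; use whatever header name and value your collector expects.
    The comparison is constant-time so response timing does not leak the
    token one byte at a time.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode())


def handle_request(headers: dict[str, str], body: str) -> tuple[int, list[dict]]:
    """Simulate the collector's HTTP endpoint: returns (status_code, records).

    Authentication is checked before the body is parsed, so an unauthenticated
    sender cannot make the collector do JSON parsing work on its behalf.
    """
    if not check_auth_header(headers):
        return 401, []
    try:
        records = parse_generic_payload(body)
    except ValueError:
        return 400, []
    return 200, records


# Constructed sample payloads, mirroring the two documented formats.
NEWLINE_BODY = '{ "key" : "value" }\n{ "key" : "another value" }\n'
ARRAY_BODY = '[{ "key" : "value" }, { "key" : "another value" }]'

if __name__ == "__main__":
    ok_headers = {"Authorization": f"Bearer {EXPECTED_TOKEN}"}
    for body in (NEWLINE_BODY, ARRAY_BODY):
        print(handle_request(ok_headers, body))
    print(handle_request({"Authorization": "Bearer wrong"}, ARRAY_BODY))
```

Both sample bodies decode to the same two records, which is the point of the two formats: they differ only in how the objects are joined, not in the objects themselves. Header lookup here is case-sensitive for brevity; a real HTTP server normalizes header names before this check.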

Choosing Log Types to Forward to your SIEM Platform

When configuring the SIEM integration with Files.com, you can select which types of logs are forwarded to each SIEM integration instance. By default, all log types are enabled, but you can customize the log types collected for different instances as needed. See the Log Types section for the available options.

Troubleshooting

If you run into issues sending logs to your SIEM platform, first verify that your endpoint URL and token are correctly configured in Files.com. Confirm that the endpoint URL is accurate and that the token matches the one provided by your SIEM instance setup.

Check for network connectivity issues or firewall rules that may be blocking the data transfer. For additional insight, review any SIEM-related logs under External Logs by selecting SIEM as the Event Type. These logs often surface issues with the log forwarding process. If the problem persists, refer to your SIEM platform's documentation.