Skip to content

Export the audit log to a SIEM

Three paths, in order of how much engineering you want to do.

1 — One-shot CSV / JSON download

For a manual audit or compliance review.

bash
curl -H "Authorization: Bearer $KILASEC_TOKEN" \
  "https://kilasec.com/api/audit/export?format=csv&window=2592000" \
  -o audit-30d.csv

window is seconds back from now. format is csv or json. No row cap on this endpoint (unlike the live /audit?limit=N).

2 — Periodic pull into your SIEM

A small cron job that grabs the last 5 minutes of audit and forwards to Splunk / Datadog / etc.:

bash
*/5 * * * * curl -fsS -H "Authorization: Bearer $TOKEN" \
  "https://kilasec.com/api/audit/export?format=json&window=300" \
  | hec-forwarder

Watermark on event.id (unique) to dedupe across overlapping windows.

3 — Live stream via SSE

For real-time SIEM correlation. The same SSE feed the SPA uses:

bash
curl -N -H "Authorization: Bearer $TOKEN" \
  https://kilasec.com/api/events \
  | jq -c .  # each `data:` line is one decision JSON

Caddy doesn't buffer the SSE stream (flush_interval -1), so the lag from event-occurred → SIEM-receives is sub-second.

→ See API reference and Audit & stats endpoints for the full event shape.

Documentation for kilasec — the AI Agent Firewall.