SIEM / ELK Tutorial

SmartSezam integrates seamlessly with your existing logging infrastructure — especially SIEM platforms such as the ELK stack (Elasticsearch, Logstash, Kibana).

A lightweight SmartSezam agent processes relevant events in real time and outputs structured security signals to a log file or, optionally, to a SIEM endpoint.

You don't need to modify existing dashboards or pipelines — our approach prioritizes compatibility and simplicity.

Although this guide focuses on ELK, SmartSezam supports other SIEM platforms as well.
If you're using a different setup, feel free to contact us — we'll help tailor the integration.

While SmartSezam can also stream data directly to Elasticsearch or Logstash, this guide focuses on the most universal method: generating a structured .log file locally.
This format can be ingested by nearly all SIEM platforms that support file-based log inputs.

I – Technical Prerequisites

Before getting started, ensure the following:

  • You have a SIEM or log ingestion system capable of reading local log files
    (e.g., ELK stack, Splunk, Graylog, or any platform that supports .log file input)
  • You can configure your SIEM to monitor a file or directory for new entries
  • The following variables are available:
    • $instanceDomainName — The full domain of your SmartSezam instance
    • $apiKey — Your SmartSezam API key

(Optional): Events can also be routed to your SIEM using HTTPS or Syslog if needed.

II – Installation and Configuration

1. Install the SmartSezam SIEM Agent

The agent is provided by SmartSezam.
Choose the version that matches your system and deployment context.

2. Configure the Agent

In your configuration file, set the following parameters:

  • The path to the output log file
  • Your SmartSezam domain name ($instanceDomainName)
  • Your API key ($apiKey)

Configuration is usually done via a .conf file, whose details depend on the deployment mode.

3. Start the Agent

Once configured, start the agent. It will process security signals and continuously append structured events to the specified log file.
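The SIEM side of the setup is the part this guide leaves to you. As an added example (not SmartSezam's own configuration), here is a Filebeat filestream input that tails the agent's log file and ships each entry to Elasticsearch. The log path, the Elasticsearch host and the CA certificate path are placeholders, and the ndjson parser assumes the agent writes one JSON object per line; if your agent emits a different structured format, drop the parser and map the fields in Logstash instead.

```yaml
# Added example, not SmartSezam configuration.
# Assumptions: the agent appends one JSON object per line to the path below
# (placeholder), and Elasticsearch is reachable at the host below (placeholder).
filebeat.inputs:
  - type: filestream
    id: smartsezam-events            # filestream requires a unique id per input
    paths:
      - /var/log/smartsezam/events.log
    parsers:
      - ndjson:
          target: "smartsezam"       # nest the agent's fields under one key
          add_error_key: true        # malformed lines are kept, flagged in error.message
    fields:
      source_product: smartsezam     # lets existing dashboards filter on this source
    fields_under_root: true

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]
  username: "${ES_USER}"             # resolved from the Filebeat keystore or environment
  password: "${ES_PASS}"             # never hard-code credentials in the .yml
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]   # verify the cluster's CA
```

Run `filebeat test config` and `filebeat test output` before enabling the service; the first catches YAML mistakes, the second confirms TLS and credentials against the cluster.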

III – Testing and Validation

  • In managed setups, SmartSezam will perform integration testing.

  • In self-managed environments:

    1. Trigger a test security event (e.g., a policy violation, a simulated anomaly, a failed login, etc.).
    2. Check the log file generated by the agent and confirm that the event has been correctly written.
    3. Your SIEM system should then pick up the file and process it according to your ingestion rules.

If no event appears:

  • Ensure the agent is running and has write access to the log path
  • Check the configuration (domain name and API key)
  • Check the agent's diagnostic logs for errors
  • Confirm that your SIEM is watching the correct file or directory