Configuring Log Streaming


SGNL can stream events to leading SIEM and storage providers while still making logs available within the SGNL Console and APIs. SGNL logs are formatted as individual JSON entries with a well-defined schema. An example access decision log entry takes the form of:

   "accessDecision": "Allow",
   "action": "access",
   "assetId": "aws::arn:1111",
   "clientId": "a5c5f108-1111-4b9a-2222-ed9787e3ce6b",
   "eventType": "sgnl.accessSvc.decision",
   "integrationDisplayName": "AWS",
   "integrationId": "a5c5f108-3333-4b9a-4444-ed9787e3ce6b",
   "level": "info",
   "msg": "Access search service decision",
   "principalId": "",
   "requestId": "a5c5f108-5555-4b9a-6666-ed9787e3ce6b",
   "tenantId": "a5c5f108-7777-4b9a-8888-ed9787e3ce6b",
   "timeAtEvaluation": "2024-06-28T20:05:03Z",
   "time_now": "2024-06-28T20:05:03.289737017Z",
   "ts": "2024-06-28T20:05:03Z"

To get started with Log Streaming, simply head over to the Admin section of the SGNL Console and start adding integrations.

Available Log Streaming Integrations


SGNL uses Splunk HEC to stream logs. To get started, log into SGNL and into your Splunk console.

In Splunk:

  1. Choose to Add Data from the Splunk Launcher
  2. Choose Monitor to add log data from an HTTP endpoint
  3. Choose the HTTP Event Collector method for receiving data, and give the collector a descriptive name, such as your SGNL and your clientName
  4. On the next page, choose the Automatic source type and select which indices you’d like SGNL log data to flow into
  5. On the final page, review your settings and ensure you copy your token – you’ll need this to configure SGNL in a moment


  1. Login to the Console and choose Admin -> Add Log Stream
  2. Give the Log Stream a name and optionally a description
  3. Enter your Domain, e.g.
  4. Enter your port number, this is 8088 by default
  5. Paste the token that you copied from Splunk and save the configuration

The next set of events that are generated will start to stream logs to Splunk – you should start to see them showing up in Splunk Search. You can trigger logs by making access evaluation requests, configuring and synchronizing a System of Record, or creating triggers, rules, and actions inside of the CAEP Hub