Skip to content

v0.1.4 — SIEM syslog telemetry

Choose a tag to compare

@leodavidsec leodavidsec released this 03 Jul 21:20

Reeflex v0.1.4 — SIEM syslog telemetry

The SOC cannot see AI agents today: agent actions happen inside apps, invisible to security telemetry. Reeflex now turns every agent action into a standard security event — before it executes.

reeflex-core streams every decision to a configured syslog endpoint:

  • RFC 5424 over UDP (default), TCP (RFC 6587 octet-counted), or TLS (RFC 5425)
  • payload as structured JSON (default) or CEF
  • one socket, zero vendor connectors — Splunk, QRadar, Wazuh, FortiSIEM, Graylog, Grafana Loki, Datadog and friends all consume syslog

The invariant: telemetry is fire-and-forget — a bounded in-memory queue, drop-on-overflow with a dropped-events counter, all I/O on a background daemon thread. It can never block or fail /v1/decide ("fail-closed for decisions, fail-open for telemetry"); the append-only audit JSONL stays authoritative. Verified: a dead / slow / unreachable endpoint adds zero decision latency.

Disabled by default (REEFLEX_SYSLOG_ENABLED=false); configured entirely by env. Python stdlib only — no new dependencies.

Pull

docker pull ghcr.io/reeflex-io/reeflex-core:v0.1.4

Digest: sha256:acfd9f8d91db4c756da6229b215875d3f7622aef787aedba56e0f4f5bcfc453a (also tagged latest).

Verified

  • CI green: 127 core tests (1 intentional platform skip) + 9/9 OPA policy.
  • Anonymous GHCR pull confirmed for both tags (digest match).
  • Live syslog smoke: allow / require_approval / deny received over syslog in JSON and CEF (RFC 5424 PRI 134 / 132 / 131).

Docs

docs/siem.md — quickstart, event schema, CEF mapping, and consuming guides for 11 platforms (guides only, no vendor code).

Full changelog: CHANGELOG.md. Adapters unchanged (remain at v0.1.3).