The audit event schema
MCP Orchestrator emits events conforming to the Open Cybersecurity Schema Framework — the cross-vendor standard adopted by AWS, Splunk, Sumo Logic, IBM QRadar, and others. Your SIEM almost certainly already understands it.
Events split into two planes — admin (orchestrator REST actions) and caller (per-tool authorization decisions on MCP traffic) — sharing the same OCSF base for unified ingestion. Full schema and integration pack are part of design-partner onboarding.
Why MCP Orchestrator doesn't push directly to your SIEM
Enterprises run a uniform forwarder layer across all applications — Splunk Universal Forwarder, Fluent Bit, OpenTelemetry Collector. Embedding a SIEM client in the orchestrator would bypass that. MCP Orchestrator emits structured audit events; your existing forwarder picks them up like any other application's.
Integration patterns
Pick the SIEM you're already running.
Pattern A — Splunk DB Connect (recommended for Splunk shops)
DB Connect queries MCP Orchestrator's audit table directly and ingests rows on a schedule. Highest fidelity — full OCSF column semantics preserved end-to-end. Recommended approach when SIEM teams already operate Splunk DB Connect for other applications.
- Install Splunk DB Connect on a search head (Splunk Cloud or Enterprise)
- Add a Postgres identity using a read-only database user we provision
- Create a Database Input using the rising-column query template we ship with the integration pack
- Set sourcetype to mcp:audit:ocsf and target an index of your choice (we recommend a dedicated index like mcp_audit)
The exact query template, column reference, and indexed-extraction config are part of the design-partner onboarding.
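The rising-column pull that a DB Connect Database Input performs, shown as an added example rather than the query template in the integration pack. The audit_events column names used here (id, time, class_uid, activity_id, actor_user, status_id) are assumed for illustration, and an in-memory SQLite table stands in for the read-only Postgres user's view. It also shows why the rising column should be the monotonic primary key rather than the event timestamp: a row that commits late with an older timestamp is never picked up if the checkpoint is on time.

```python
"""Rising-column pull against an audit table, the way Splunk DB Connect's
Database Input works.  Added example, not the query template MCP Orchestrator
ships; the audit_events columns used here (id, time, class_uid, activity_id,
actor_user, status_id) are assumed, and an in-memory SQLite table stands in
for the read-only Postgres user's view.
"""
import sqlite3

# Constructed rows: (time epoch-ms, OCSF class_uid, activity_id, actor, status_id)
SAMPLE_ROWS = [
    (1700000000000, 6003, 1, "alice", 1),
    (1700000001000, 6003, 2, "bob", 2),
    (1700000002000, 6003, 1, "carol", 1),
]

# A late-committing row: it lands AFTER the first pull but carries a timestamp
# earlier than the newest row already ingested.
LATE_ROW = (1700000000500, 6003, 2, "dave", 2)

COLUMNS = "id, time, class_uid, activity_id, actor_user, status_id"


def rising_column_query(column: str) -> str:
    """Strictly greater than the checkpoint, ascending, so every pull is idempotent."""
    assert column in ("id", "time")  # never interpolate arbitrary input into SQL
    return f"SELECT {COLUMNS} FROM audit_events WHERE {column} > ? ORDER BY {column} ASC"


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_events (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "time INTEGER, class_uid INTEGER, activity_id INTEGER, "
        "actor_user TEXT, status_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO audit_events (time, class_uid, activity_id, actor_user, status_id) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def pull(conn, column: str, checkpoint):
    """One scheduled pull; returns (rows, new checkpoint = last value of column)."""
    rows = conn.execute(rising_column_query(column), (checkpoint,)).fetchall()
    idx = 0 if column == "id" else 1
    return rows, (rows[-1][idx] if rows else checkpoint)


def simulate(column: str) -> dict:
    """Two pulls with the late row inserted between them."""
    conn = build_db()
    first, cp = pull(conn, column, 0)
    conn.execute(
        "INSERT INTO audit_events (time, class_uid, activity_id, actor_user, status_id) "
        "VALUES (?, ?, ?, ?, ?)", LATE_ROW)
    conn.commit()
    second, cp = pull(conn, column, cp)
    actors = [r[4] for r in first + second]
    return {"ingested": actors, "duplicates": len(actors) - len(set(actors))}


if __name__ == "__main__":
    print("rising on id:  ", simulate("id"))    # dave is picked up
    print("rising on time:", simulate("time"))  # dave is silently missed
```

Whatever column the shipped template uses, the property to verify on your own deployment is the one the simulation checks: a second pull after new inserts returns exactly the new rows, none twice and none missed.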
Pattern B — Universal Forwarder + Fluent Bit DaemonSet
Fluent Bit runs as a DaemonSet, tails the orchestrator's structured-JSON stdout (which mirrors the audit_events table), and forwards to a Splunk Universal Forwarder Service. The forwarder ships to your Splunk Cloud HEC endpoint.
fluent-bit.conf
[INPUT]
    Name              tail
    Path              /var/log/containers/mcp-orchestratord-*.log
    Parser            json
    Tag               mcp.audit

[FILTER]
    Name              grep
    Match             mcp.audit
    Regex             event_kind audit

[OUTPUT]
    Name              splunk
    Match             mcp.audit
    Host              splunk-uf.splunk.svc.cluster.local
    Port              8088
    Splunk_Token      ${HEC_TOKEN}
    Splunk_Send_Raw   On
Pattern C — Direct HEC push from MCP Orchestrator (planned for v1.7)
Native HEC client baked into the orchestrator. Configure with siem.provider: splunk and siem.splunk.hecUrl + a token Secret. Roadmapped for v1.7 — design partners can have it earlier.
Datadog Agent with OCSF source
The Datadog Agent runs as a DaemonSet, autodiscovers the orchestrator pod, parses JSON logs, and ships to Datadog Logs. Tag with service:mcp-orchestrator and source:ocsf for proper Datadog Cloud SIEM rule application. Validated end-to-end — every OCSF field auto-extracts as a structured attribute in Datadog Logs Explorer.
Filebeat with an OCSF ingest pipeline
Filebeat tails orchestrator container logs, applies an Elastic Common Schema (ECS) ingest pipeline that maps OCSF fields onto their ECS equivalents (most map 1-to-1 since both standards converged on similar primitives), and ships to your Elasticsearch cluster. Full ingest pipeline configuration available on request.
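The OCSF-to-ECS correspondence the ingest pipeline relies on, as an added example that is not the project's pipeline configuration. A real Elasticsearch ingest pipeline expresses this with rename, date and script processors; the Python function below performs the same mapping on one constructed event so the field correspondences can be checked offline before the pipeline is written. The OCSF field names follow the published OCSF schema; which of them MCP Orchestrator populates is an assumption.

```python
"""OCSF -> ECS field mapping on a single event.  Added example, not the
project's Filebeat/Elasticsearch ingest pipeline.  OCSF field names follow the
published OCSF schema; the set of fields the orchestrator emits is assumed.
"""
import json
from datetime import datetime, timezone

# Constructed OCSF API Activity event (class_uid 6003), shaped like one line of the
# orchestrator's structured-JSON stdout.  All values are invented.
SAMPLE_OCSF_LINE = json.dumps({
    "event_kind": "audit",
    "class_uid": 6003,
    "category_uid": 6,
    "activity_id": 1,
    "time": 1700000000000,
    "severity_id": 1,
    "status_id": 2,
    "message": "tool invocation denied by policy",
    "actor": {"user": {"name": "alice"}},
    "api": {"operation": "tools/call"},
    "src_endpoint": {"ip": "10.0.0.7"},
    "metadata": {"product": {"name": "MCP Orchestrator"}},
})

# OCSF status_id -> ECS event.outcome (OCSF: 1 = Success, 2 = Failure)
OUTCOME = {1: "success", 2: "failure"}


def ocsf_to_ecs(line: str) -> dict:
    """Map one OCSF JSON line onto ECS.  The OCSF identifiers that have no
    one-to-one ECS equivalent are kept under an 'ocsf' object so detection
    rules keyed on class_uid/activity_id still work after the mapping."""
    ev = json.loads(line)
    ts = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)  # OCSF time is epoch ms
    return {
        "@timestamp": ts.isoformat().replace("+00:00", "Z"),
        "event": {
            "kind": "event",
            "category": ["api"] if ev.get("class_uid") == 6003 else [],
            "action": ev.get("api", {}).get("operation"),
            "outcome": OUTCOME.get(ev.get("status_id"), "unknown"),
            "severity": ev.get("severity_id"),
            "provider": ev.get("metadata", {}).get("product", {}).get("name"),
        },
        "user": {"name": ev.get("actor", {}).get("user", {}).get("name")},
        "source": {"ip": ev.get("src_endpoint", {}).get("ip")},
        "message": ev.get("message"),
        "ocsf": {k: v for k, v in ev.items()
                 if k in ("class_uid", "category_uid", "activity_id", "status_id")},
    }


if __name__ == "__main__":
    print(json.dumps(ocsf_to_ecs(SAMPLE_OCSF_LINE), indent=2))
```

The point worth carrying into the real pipeline is the last key: an authorization denial is an OCSF status_id of 2 mapped to event.outcome "failure", and keeping the raw OCSF identifiers alongside the ECS fields means a rule written against either schema matches the same document.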
Chronicle Forwarder with OCSF parser
Chronicle's recent OCSF-native parsers consume MCP Orchestrator events directly without custom mapping. Configure the Chronicle Forwarder with the OCSF_API_ACTIVITY log type and point it at the orchestrator's audit log stream or Postgres replica.
Common questions
Does MCP Orchestrator support syslog for older SIEMs?
Not natively. QRadar, ArcSight, or LogRhythm shops use a Fluent Bit or Vector intermediary to emit RFC 5424 syslog from the OCSF JSON.
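What the intermediary has to produce for a syslog-only SIEM, as an added example that is not part of MCP Orchestrator or of any Fluent Bit or Vector configuration: one OCSF JSON event rendered as an RFC 5424 line with the OCSF identifiers carried in a structured-data element. The facility (local0), the severity_id-to-syslog-severity table, and the SD-ID (ocsf@32473, using the enterprise number RFC 5612 reserves for documentation) are assumptions to be matched against the receiving parser.

```python
"""Render an OCSF JSON audit event as an RFC 5424 syslog line, the job a
Fluent Bit or Vector intermediary does in front of a syslog-only SIEM.
Added example, not part of MCP Orchestrator; facility, severity mapping and
SD-ID are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed event, same shape as the orchestrator's structured-JSON stdout.
SAMPLE_EVENT = json.dumps({
    "event_kind": "audit", "class_uid": 6003, "activity_id": 1,
    "time": 1700000000000, "severity_id": 3, "status_id": 2,
    "message": "tool invocation denied by policy",
    "actor": {"user": {"name": "alice"}},
    "api": {"operation": "tools/call"},
    "src_endpoint": {"ip": "10.0.0.7"},
})

FACILITY_LOCAL0 = 16
# OCSF severity_id -> syslog severity (assumed mapping):
# 0 Unknown -> 6 info, 1 Informational -> 6 info, 2 Low -> 5 notice,
# 3 Medium -> 4 warning, 4 High -> 3 error, 5 Critical -> 2 critical,
# 6 Fatal -> 0 emergency
SYSLOG_SEVERITY = {0: 6, 1: 6, 2: 5, 3: 4, 4: 3, 5: 2, 6: 0}


def sd_escape(value) -> str:
    """RFC 5424 section 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE,
    otherwise a hostile value can close the SD element and forge fields."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_rfc5424(line: str, hostname: str = "mcp-orchestrator", app: str = "mcp-audit") -> str:
    ev = json.loads(line)
    pri = FACILITY_LOCAL0 * 8 + SYSLOG_SEVERITY.get(ev.get("severity_id", 0), 6)
    ts = datetime.fromtimestamp(ev["time"] / 1000, tz=timezone.utc)  # OCSF time is epoch ms
    timestamp = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    params = {
        "class_uid": ev.get("class_uid"),
        "activity_id": ev.get("activity_id"),
        "status_id": ev.get("status_id"),
        "user": ev.get("actor", {}).get("user", {}).get("name", "-"),
        "operation": ev.get("api", {}).get("operation", "-"),
        "src_ip": ev.get("src_endpoint", {}).get("ip", "-"),
    }
    # A private SD-ID must carry an enterprise number; 32473 is the one
    # RFC 5612 reserves for documentation (assumed here, replace in production).
    sd = "[ocsf@32473 " + " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items()) + "]"
    msgid = str(ev.get("class_uid", "-"))
    # PROCID is "-" (nil) because the orchestrator's pid carries no meaning past the forwarder.
    return f"<{pri}>1 {timestamp} {hostname} {app} - {msgid} {sd} {ev.get('message', '')}"


if __name__ == "__main__":
    print(to_rfc5424(SAMPLE_EVENT))
```

Putting class_uid, activity_id and status_id into structured data rather than the free-text MSG is what lets a QRadar or ArcSight parser key on them without regex over the message body.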
What event volume should I expect?
Admin-plane: 10–50 events per operator per day. Caller-plane scales with MCP traffic — roughly one event per tool invocation. A 10-server cluster handling 1k tool calls/day produces ~1k caller events.
Need help wiring up your SIEM?
Send us your stack — we'll send back a tested integration config.