SailPoint SIEM Integration Real time logs

Hello everyone,

We have a requirement from one of our customers to integrate SailPoint IdentityIQ with a SIEM solution, but with a key constraint:
they need near real-time log streaming, not the OOTB SIEM plugin.

We reviewed the official SIEM plugin here:
https://developer.sailpoint.com/discuss/t/sailpoint-siem-plugin/14268
but it seems more focused on exposing events via APIs rather than pushing logs in real time.

Current Approach

We are considering using log4j2 configuration to send logs directly to the SIEM collector (e.g., via Syslog or external appender), instead of relying on file-based scraping.

However, we want to:

  • Avoid sending all logs (performance concern)

  • Send only specific events (e.g., authentication success/failure, provisioning, audit events)

  • Keep it near real-time

Questions

  1. Has anyone implemented real-time SIEM integration using log4j2 appenders in IdentityIQ?

  2. What is the best approach to:

    • Filter only required logs (by package/class or log level)?

    • Separate audit/security logs from application logs?

  3. Is it better to:

    • Customize loggers in log4j2.properties (e.g., dedicated appenders per event type), or

    • Use another mechanism (e.g., custom rule logging, syslog forwarders, or external agents)?
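One way to do the logger-level routing described above, as an added example that is not part of this thread or of SailPoint's shipped configuration. It assumes a log4j2.properties file in the IdentityIQ WEB-INF/classes directory, a syslog collector reachable at the placeholder host siem-collector.example.internal on TCP 6514, and that the logger names sailpoint.api.Provisioner, sailpoint.server.Authenticator and siem.audit are examples to be verified against the product's own log4j2.properties (siem.audit is a hypothetical logger name that a custom rule would write to for audit events). Only the named loggers reach the SIEM; everything else stays on the existing file appender, and the syslog appender is wrapped in an Async appender so a slow collector cannot stall request threads.

```properties
status = warn
name = IIQSiemRouting

# Existing application log stays on disk (unchanged target for the root logger).
appender.app.type = RollingFile
appender.app.name = AppFile
appender.app.fileName = /var/log/identityiq/sailpoint.log
appender.app.filePattern = /var/log/identityiq/sailpoint-%d{yyyy-MM-dd}.log.gz
appender.app.layout.type = PatternLayout
appender.app.layout.pattern = %d{ISO8601} %5p %t %c{4}:%L - %m%n
appender.app.policies.type = Policies
appender.app.policies.time.type = TimeBasedTriggeringPolicy

# Syslog appender: RFC 5424 over TCP to the SIEM collector (placeholder host/port).
appender.siem.type = Syslog
appender.siem.name = SiemSyslog
appender.siem.host = siem-collector.example.internal
appender.siem.port = 6514
appender.siem.protocol = TCP
appender.siem.format = RFC5424
appender.siem.appName = IdentityIQ
appender.siem.facility = LOCAL0
appender.siem.enterpriseNumber = 18060
appender.siem.newLine = true
appender.siem.reconnectionDelayMillis = 5000
# Drop anything below INFO before it ever leaves the JVM.
appender.siem.filter.threshold.type = ThresholdFilter
appender.siem.filter.threshold.level = INFO

# Async wrapper: bounded queue, non-blocking, so a stalled collector does not
# block the thread that raised the event; overflow is discarded, not queued forever.
appender.asyncsiem.type = Async
appender.asyncsiem.name = AsyncSiem
appender.asyncsiem.bufferSize = 4096
appender.asyncsiem.blocking = false
appender.asyncsiem.appenderRef.siem.ref = SiemSyslog

# Dedicated loggers: additivity=false keeps these events off the root/file
# path only if you do not also add AppFile; here both destinations get them.
# Logger names below are assumptions; check them against the shipped config.
logger.provisioning.name = sailpoint.api.Provisioner
logger.provisioning.level = info
logger.provisioning.additivity = false
logger.provisioning.appenderRef.siem.ref = AsyncSiem
logger.provisioning.appenderRef.file.ref = AppFile

logger.authn.name = sailpoint.server.Authenticator
logger.authn.level = info
logger.authn.additivity = false
logger.authn.appenderRef.siem.ref = AsyncSiem
logger.authn.appenderRef.file.ref = AppFile

# Hypothetical logger a custom rule writes audit events to (e.g. via
# LogManager.getLogger("siem.audit") inside the rule), so audit data is
# pushed rather than polled from the AuditEvent table.
logger.customaudit.name = siem.audit
logger.customaudit.level = info
logger.customaudit.additivity = false
logger.customaudit.appenderRef.siem.ref = AsyncSiem

# Root logger is never attached to the SIEM appender.
rootLogger.level = warn
rootLogger.appenderRef.app.ref = AppFile
```

The point of the layout is that the SIEM appender is only ever referenced from named loggers, never from the root logger, so adding a new event class to the feed is a matter of adding one logger stanza rather than loosening a global filter. With blocking=false the Async appender drops events when its buffer is full, which is the trade-off for never blocking request threads; if the SIEM requires a complete audit trail, set blocking=true and size the buffer accordingly, and keep the file appender as the authoritative copy.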

You can create a plugin and expose the syslogs and audit logs endpoints, and ask the team to hit those endpoints to get near real-time log data. You can use filtering as well.

This is already covered by the SailPoint OOTB plugin; however, the requirement here is for real-time forwarding—meaning the event should be sent to the SIEM collector immediately as it occurs.

No, it is not covered by the OOTB plugin. You can't expose audit logs and syslogs with your OOTB plugin; you will have to create the plugin to expose these, so that it can be invoked to get the audit and syslog data from SailPoint.