Log Export / SIEM
Every proxied request emits a structured access record. Beyond stdout JSON, three independent sinks can run in any combination — all disabled by default. Each record carries: timestamp, request_id, client_ip, method, path, status_code, duration_ms, cache_status, upstream_domain, response_size. Sink health is reported at GET /_logs/status.
Webhook — Splunk HEC, Elastic, Datadog
Batches records and POSTs them as JSON, with a circuit breaker that trips on repeated failures.
LOG_EXPORT_WEBHOOK_ENABLED=true
LOG_EXPORT_WEBHOOK_URL=https://siem.example.com/services/collector
LOG_EXPORT_WEBHOOK_TOKEN=<hec-token>
LOG_EXPORT_WEBHOOK_BATCH_SIZE=50
LOG_EXPORT_WEBHOOK_FLUSH_INTERVAL=5.0
Syslog — QRadar, ArcSight
Forwards CEF-formatted events over UDP or TCP.
LOG_EXPORT_SYSLOG_ENABLED=true
LOG_EXPORT_SYSLOG_HOST=siem.example.com
LOG_EXPORT_SYSLOG_PORT=514
LOG_EXPORT_SYSLOG_PROTOCOL=tcp
File — Fluentd, Filebeat, Promtail
Writes rotating JSON Lines files for collection by a log agent. Mount a writable volume at the configured path; the Helm MVP chart doesn't mount one.
LOG_EXPORT_FILE_ENABLED=true
LOG_EXPORT_FILE_PATH=/var/log/secure-gateway/access.jsonl
LOG_EXPORT_FILE_MAX_BYTES=104857600
LOG_EXPORT_FILE_BACKUP_COUNT=10
Stdout access logging is on by default and controlled by LOG_EXPORT_STDOUT_ACCESS_ENABLED.
Record schema
{
  "timestamp": "2026-06-15T12:00:00Z",
  "request_id": "a1f3c9e2-...",
  "client_ip": "10.0.1.42",
  "method": "GET",
  "path": "/models/my-model/3",
  "status_code": 200,
  "duration_ms": 38,
  "cache_status": "HIT",
  "upstream_domain": "repo.roboflow.com",
  "response_size": 104857600
}
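A triage pass over the File sink's JSON lines, as an added example that is not part of the gateway's own code: it validates each line against the record schema above, then flags upstreams outside an allowlist and clients with repeated 4xx/5xx responses. The allowlist, the error threshold and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Field names and types follow the record schema above.
SCHEMA = {"timestamp": str, "request_id": str, "client_ip": str, "method": str,
          "path": str, "status_code": int, "duration_ms": (int, float),
          "cache_status": str, "upstream_domain": str, "response_size": int}
ALLOWED_UPSTREAMS = {"repo.roboflow.com"}  # assumption: your approved upstream domains
ERROR_THRESHOLD = 3  # assumption: 4xx/5xx count per client_ip that warrants review

def parse_line(line):
    """Return (record, None) if the line matches the schema, else (None, reason)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None, "invalid JSON"
    if not isinstance(rec, dict):
        return None, "not a JSON object"
    for field, typ in SCHEMA.items():
        # bool is a subclass of int in Python, so reject it explicitly
        if field not in rec or isinstance(rec[field], bool) or not isinstance(rec[field], typ):
            return None, f"missing or mistyped field: {field}"
    return rec, None

def triage(lines):
    """Scan access records and return the findings worth alerting on."""
    findings = {"malformed": [], "unexpected_upstream": [], "noisy_clients": []}
    errors = Counter()
    for n, line in enumerate(lines, 1):
        rec, reason = parse_line(line)
        if rec is None:
            findings["malformed"].append((n, reason))  # keep the line number for follow-up
            continue
        if rec["upstream_domain"] not in ALLOWED_UPSTREAMS:
            findings["unexpected_upstream"].append(rec["request_id"])
        if rec["status_code"] >= 400:
            errors[rec["client_ip"]] += 1
    findings["noisy_clients"] = sorted(ip for ip, c in errors.items() if c >= ERROR_THRESHOLD)
    return findings

# Constructed sample records (not real gateway output).
BASE = {"timestamp": "2026-06-15T12:00:00Z", "request_id": "r1", "client_ip": "10.0.1.42",
        "method": "GET", "path": "/models/my-model/3", "status_code": 200, "duration_ms": 38,
        "cache_status": "HIT", "upstream_domain": "repo.roboflow.com", "response_size": 1024}
SAMPLE = [
    json.dumps(BASE),
    json.dumps({**BASE, "request_id": "r2", "upstream_domain": "files.example.net"}),
    *(json.dumps({**BASE, "request_id": f"e{i}", "client_ip": "10.0.9.9", "status_code": 403}) for i in range(3)),
    '{"timestamp": "2026-06-15T12:00:05Z", "status_code": "200"}',  # truncated record
]
```

Malformed lines are reported rather than skipped, since a sudden run of them in the access file can indicate a truncated write or a rotation problem on the collection side.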