
Customize integration with RuSIEM SIEM system

  1. If you do not have RuSIEM installed, install it.
  2. Optional: configure ports for receiving audit logs in RuSIEM.
  3. Create a service user.
  4. Obtain an IAM token for your account.
  5. Obtain a script for exporting audit logs.
  6. Configure and run the script.
  7. Configure receiving audit logs in RuSIEM.

1. Install RuSIEM

  1. Open the CLI.

  2. Download the installer and run it:

    wget https://files.rusiem.tech/nextcloud/s/j6wcHzzaqT8w5wc/download -O install.sh; bash ./install.sh

    This command executes the downloaded script immediately. If you want to review install.sh before it runs with your privileges, run the wget part on its own, inspect the file, and only then start it.
  3. In the interactive menu, specify the system parameters. For details, see the RuSIEM documentation.

2. Optional: change the port for receiving audit logs in RuSIEM

  1. Log in to the RuSIEM web interface.
  2. Go to Settings → Microservice Configuration.
  3. Select the Expert Mode checkbox.
  4. Open the syslog microservice configuration for editing.
  5. Change the port number in the syslog configuration.
  6. Click Save.

3. Create a service user

Add a service user with the role audit_logs.admin.

Users can be added by the Account Owner or users with the role iam.admin.

4. Obtain an IAM token for your account

Obtain an IAM token for the service user you created at step 3.

5. Obtain a script for exporting audit logs

We have prepared a script for exporting audit logs. It can write the logs to a file or send them to a specified IP address or endpoint over syslog or HTTP/HTTPS.

  1. Open the CLI.

  2. Clone the script repository:

    git clone https://github.com/t-rex-general/auditlog-integration.git

    The script files are saved to the auditlog-integration folder in the working directory.

6. Configure and run the script

  1. Open the CLI.

  2. Create a virtual environment:

    python3 -m venv .venv
  3. Activate the virtual environment:

    source .venv/bin/activate
  4. Go to the script folder:

    cd auditlog-integration
  5. Install the necessary dependencies:

    pip3 install -r requirements.txt
  6. Create the configuration file .env. It will hold the service user's password in clear text, so restrict its permissions so that only the account that runs the script can read it:

    touch .env
  7. Open the configuration file .env:

    nano .env
  8. Fill out the configuration file .env:

    8.1. Add a block with authentication parameters for the Audit Logs service API:

    AUDIT_LOGS_URL=<base_url>/v1/logs
    USERNAME=<username>
    PASSWORD=<password>
    ACCOUNT_ID=<account_id>

    Specify:

    • <base_url> — the URL of the Audit Logs API in the required pool. The URLs are listed in the URL list;
    • <username> — the name of the service user you created at step 3;
    • <password> — the service user's password. If the password contains any of the characters [ ] \ ^ $ . | ? * + ( ), escape each of them with a backslash \;
    • <account_id> — the account ID, shown in the Control panel in the top right corner.

    8.2. Add a block with event submission parameters:

    TRANSPORT_TYPE=syslog
    SYSLOG_ENABLED=true
    SYSLOG_HOST=<syslog_host>
    SYSLOG_PORT=<syslog_port>

    Specify:

    • <syslog_host> — the IP address of the SIEM system;
    • <syslog_port> — the port on which the SIEM system receives syslog (the port you set at step 2, if you changed it).

    Syslog carries the events unencrypted, so the SIEM host should be reachable over a trusted network only.

    8.3. Add a line with the API request interval:

    POLL_INTERVAL=<poll_interval>

    Specify <poll_interval> — API request interval in seconds (default is 30).

    8.4. Save the changes and exit the editor: press Ctrl+X, then Y, then Enter.

  9. Run the script:

    python3 main.py
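As an added example that is not part of the Selectel documentation or the auditlog-integration script: a small Python check to run against the .env from step 8 before starting main.py, plus an illustration of how one event could be wrapped in an RFC 5424 syslog line that carries the account ID which step 7 filters on. The sample .env values, the event field names, the hostname and the syslog layout are assumptions made for this example; the real script's wire format may differ.

```python
import json
import os
import socket
import stat

# Constructed sample .env following the layout of step 8 (not real credentials).
SAMPLE_ENV = """\
AUDIT_LOGS_URL=https://example.invalid/v1/logs
USERNAME=siem-exporter
PASSWORD=s3cret
ACCOUNT_ID=123456
TRANSPORT_TYPE=syslog
SYSLOG_ENABLED=true
SYSLOG_HOST=10.0.0.5
SYSLOG_PORT=514
POLL_INTERVAL=30
"""

# Constructed audit event; the field names are an assumption for illustration.
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T12:00:00Z",
    "action": "iam.user.create",
    "user": "siem-exporter",
    "source_ip": "203.0.113.7",
}


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip()
    return env


def check_env(env, mode=None):
    """Return a list of problems with the parsed .env; an empty list means it is usable.
    mode is the file's st_mode (optional) so that a group/world-readable .env is rejected."""
    problems = []
    for key in ("AUDIT_LOGS_URL", "USERNAME", "PASSWORD", "ACCOUNT_ID", "TRANSPORT_TYPE"):
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    if not env.get("AUDIT_LOGS_URL", "").startswith("https://"):
        problems.append("AUDIT_LOGS_URL should start with https:// (credentials are sent to it)")
    if env.get("TRANSPORT_TYPE") == "syslog":
        if env.get("SYSLOG_ENABLED") != "true":
            problems.append("TRANSPORT_TYPE=syslog requires SYSLOG_ENABLED=true")
        if not env.get("SYSLOG_HOST"):
            problems.append("SYSLOG_HOST is missing or empty")
        port = env.get("SYSLOG_PORT", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"SYSLOG_PORT {port!r} is not a valid port number")
    interval = env.get("POLL_INTERVAL", "30")  # the script defaults to 30 seconds
    if not (interval.isdigit() and int(interval) > 0):
        problems.append(f"POLL_INTERVAL {interval!r} must be a positive integer")
    # The file holds the service user's password in clear text: refuse group/other access.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(".env is readable by group/other; run: chmod 600 .env")
    return problems


def check_env_file(path):
    """Read and check a real .env file, including its permission bits."""
    with open(path, encoding="utf-8") as f:
        env = parse_env(f.read())
    return check_env(env, mode=os.stat(path).st_mode)


def to_syslog(event, account_id, hostname="auditlog-exporter"):
    """Wrap one audit event in an RFC 5424 syslog line (assumed layout, not the script's).
    PRI = facility * 8 + severity; facility 13 is 'log audit', severity 6 is informational.
    The account ID goes into structured data so the SIEM can filter on it (step 7);
    32473 is the enterprise number reserved for documentation examples."""
    pri = 13 * 8 + 6
    timestamp = event.get("timestamp", "-")
    msgid = event.get("action", "-")
    sd = f'[audit@32473 account="{account_id}"]'
    msg = json.dumps(event, separators=(",", ":"), sort_keys=True)
    return f"<{pri}>1 {timestamp} {hostname} auditlog - {msgid} {sd} {msg}"


def send_syslog(line, host, port):
    """Send one line to the SIEM over UDP. Syslog is plaintext: use a trusted network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, int(port)))


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for problem in check_env(env, mode=0o600):
        print("config problem:", problem)
    print(to_syslog(SAMPLE_EVENT, env["ACCOUNT_ID"]))
    # For a real run: send_syslog(line, env["SYSLOG_HOST"], env["SYSLOG_PORT"])
```

Run check_env_file(".env") from the script folder before python3 main.py; it refuses a .env that is readable by other users, a non-HTTPS API URL, a port outside 1 to 65535 and a zero poll interval, which are the mistakes that otherwise surface only as silent gaps in the SIEM.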

7. Configure receiving audit logs in RuSIEM

  1. In the RuSIEM web interface, go to Events → All Events.
  2. On the top panel, click Settings.
  3. Select the Search unparsed events checkbox.
  4. Click Save.
  5. In the Filter settings field, enter your Selectel account ID and apply the filter. The account ID can be found in the Control panel in the top right corner. Events from the Audit Logs service are then displayed in the RuSIEM web interface.