OpenZiti · Zero Trust · SIEM

Audit visibility for your zero trust network

Nexlog-Ziti bridges OpenZiti and your SIEM. Collect every audit event, normalise to JSON or CEF, and forward to Elastic, Splunk, Wazuh — or any syslog pipeline.

terminal
$ pip install nexlog
$ cp nexlog.example.json nexlog.json
$ nexlog start -c nexlog.json
# streaming audit events…
{"event_type":"AuthFail","severity":8,"source_ip":"…"}

How it works
Three steps, one pipeline
From your Ziti controller to your SIEM in minutes.
Ziti Controller (Management API) → Nexlog-Ziti (collect · parse · forward) → Your SIEM (Elastic / Splunk / Wazuh)

Features
Everything you need
Continuous polling
Polls the Ziti Management API every 5s. Auto re-authenticates on session expiry.
JSON + CEF output
Normalised structured events. CEF works with Splunk, ArcSight, QRadar out of the box.
18 event types
Auth failures, identity changes, posture checks, sessions, enrollments — all covered.
Flexible outputs
stdout, file and syslog in Community. Elastic, Splunk HEC and Sentinel in Enterprise.

Event types
Full audit coverage
Every event carries a severity score from 1–10.
sev 8: AuthFail
sev 8: PostureCheckFail
sev 7: IdentityDelete
sev 5: EdgeRouterDelete
sev 5: ServiceDelete
sev 3: IdentityCreate
sev 2: AuthSuccess
sev 2: SessionCreate

Outputs
Works with your stack
stdout (free)
file (free)
syslog (free)
Elastic (enterprise)
Splunk HEC (enterprise)
Sentinel (enterprise)

Nexlog-Ziti Enterprise

Native Elastic, Splunk HEC, Sentinel, multi-controller, alerting, Docker + Helm chart.
