Stream verdicts to your SIEM
Three streams. Three retention windows. One contract.
Trinitite emits three independent log streams — ops, security, and audit — each with its own schema and its own recommended retention. Most teams send all three to the same SIEM but partition by index. See Observability for the full schema.
| Stream | Use | Retention |
|---|---|---|
| ops | Latency, throughput, breaker state, RAG telemetry | 90 days |
| security | Block events, anomaly alerts, MFA failures | 13 months |
| audit | Glass Box Ledger receipts, config-audit events | 7 years |
Splunk (HTTP Event Collector)
```bash
# Configure Trinitite to fan out to Splunk HEC
curl https://api.trinitite.ai/v1/observability/sinks \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "splunk_hec",
    "endpoint": "https://splunk.example.com:8088/services/collector",
    "token_secret_ref": "secret_splunk_hec",
    "streams": ["ops", "security", "audit"],
    "sourcetype_template": "trinitite:{{stream}}"
  }'
```
Sample Splunk search:
```
index=main sourcetype="trinitite:security" outcome=blocked
| stats count by guardian, reason
```
Datadog (Logs API)
```bash
curl https://api.trinitite.ai/v1/observability/sinks \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "datadog_logs",
    "site": "datadoghq.com",
    "api_key_secret_ref": "secret_datadog",
    "streams": ["ops", "security"],
    "service_template": "trinitite-{{stream}}"
  }'
```
Sample Datadog query:
```
service:trinitite-security @outcome:blocked
```
CloudWatch Logs
```bash
curl https://api.trinitite.ai/v1/observability/sinks \
  -H "Authorization: Bearer $TRINITITE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "cloudwatch_logs",
    "region": "us-east-1",
    "log_group_template": "/trinitite/{{stream}}",
    "iam_role_arn": "arn:aws:iam::123456789012:role/TrinititeShipper"
  }'
```
CloudWatch Insights:
```
fields @timestamp, guardian, outcome, ledger_id
| filter outcome = "blocked"
| sort @timestamp desc
| limit 100
```
Verifying continuity
The audit stream is hash-chained. Run the public verifier on a downloaded chunk to prove no events were dropped or modified between Trinitite and your SIEM:
```bash
curl https://api.trinitite.ai/v1/public-verify/anchor?since=2026-04-01 \
  -H "Authorization: Bearer $TRINITITE_API_KEY"
```
See Public Verification endpoint.
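To make concrete what "hash-chained" buys you on the SIEM side, here is an added worked example (not Trinitite's verifier and not its documented audit schema): a minimal chain check over a constructed chunk of audit events. The layout is an assumption for illustration only: each event stores `prev_hash` (the hash of the event before it) and `hash` = SHA-256 over `prev_hash` plus the canonical JSON body. The field names `ledger_id`, `guardian` and `outcome` mirror the queries above; the timestamps, ids and the `anchor` comparison at the end are constructed. Dropping an event breaks the `prev_hash` link; editing an event breaks its own hash. The check reports which event index first fails and why, which is what you would hand to the team investigating a gap between Trinitite and the SIEM.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting prev_hash for the first event in a chunk


def canonical(body: dict) -> bytes:
    # Stable serialization so the same logical event always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def event_hash(body: dict, prev_hash: str) -> str:
    # Assumed chaining rule: SHA-256(prev_hash || canonical(body)).
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(body))
    return h.hexdigest()


def build_chain(bodies, genesis=GENESIS):
    # Stand-in for the producer side; used here only to construct sample data.
    chain, prev = [], genesis
    for body in bodies:
        digest = event_hash(body, prev)
        chain.append({"body": body, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, genesis=GENESIS):
    """Return (ok, first_bad_index, reason). Checks linkage, then integrity, per event."""
    prev = genesis
    for i, ev in enumerate(chain):
        if ev["prev_hash"] != prev:
            return False, i, "gap: prev_hash does not link to previous event (dropped or reordered)"
        if event_hash(ev["body"], ev["prev_hash"]) != ev["hash"]:
            return False, i, "tamper: stored hash does not match event body"
        prev = ev["hash"]
    return True, None, "chain intact"


def chain_head(chain) -> str:
    # The last hash summarizes the whole chunk; compare it with a published anchor.
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample audit receipts (not real Trinitite output).
SAMPLE_BODIES = [
    {"ts": "2026-04-01T00:00:01Z", "ledger_id": "lg-0001", "guardian": "pii", "outcome": "allowed"},
    {"ts": "2026-04-01T00:00:02Z", "ledger_id": "lg-0002", "guardian": "prompt_injection",
     "outcome": "blocked", "reason": "jailbreak_pattern"},
    {"ts": "2026-04-01T00:00:03Z", "ledger_id": "lg-0003", "guardian": "pii",
     "outcome": "blocked", "reason": "ssn_detected"},
    {"ts": "2026-04-01T00:00:04Z", "ledger_id": "lg-0004", "guardian": "toxicity", "outcome": "allowed"},
]


def demo():
    chain = build_chain(SAMPLE_BODIES)
    intact = verify_chain(chain)

    # Case 1: the SIEM lost the second event in transit.
    dropped = verify_chain(chain[:1] + chain[2:])

    # Case 2: a stored event was edited after the fact (blocked -> allowed).
    tampered = copy.deepcopy(chain)
    tampered[2]["body"]["outcome"] = "allowed"
    modified = verify_chain(tampered)

    # Case 3: head hash vs. a published anchor (constructed here from the same data).
    anchor = chain_head(build_chain(SAMPLE_BODIES))
    anchor_matches = chain_head(chain) == anchor

    return {"intact": intact, "dropped": dropped, "modified": modified,
            "anchor_matches": anchor_matches}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The linkage check runs before the integrity check on purpose: a missing event shows up as a broken link at the position where the gap starts, while an edited event shows up as a hash mismatch at its own position, so the reason string tells you which failure mode you are looking at. In practice you would compare `chain_head()` of the chunk you pulled from the SIEM against the value the anchor endpoint returns for the same window rather than against a locally rebuilt chain.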
What's next
→ Observability — three-stream architecture in detail.
→ Trust Center — retention, key custody, secure-by-default posture.