PreVeil Hosted SIEM Connector Setup Guide
Please note the SIEM Connector requires a license and hosting agreement. For existing customers, contact customersuccess@preveil.com for pricing and activation. For new customers, contact sales@preveil.com.
This guide explains the steps you, the PreVeil tenant administrator, need to complete when setting up a hosted PreVeil SIEM Connector. A PreVeil support engineer will handle server provisioning, networking, and backend configuration. Your role is focused on organization setup, approvals, and SIEM service connection information.
Estimated Time to Complete: 45-60 minutes
Who should be involved?
PreVeil Admin
Designated Exporter
Data Export Group members
IT Manager
SIEM service tech support
✅ Step 1. Confirm Prerequisites
Before beginning, make sure your organization has:
A PreVeil organization (usually created during onboarding).
At least four users fully joined to the organization.
An Exporter account:
Must be an Admin.
Cannot be a member of the Data Export Group.
A Data Export Group with at least three reliable members (any role).
A SIEM service ready to receive logs.
| Step | Action | Done |
|---|---|---|
| 1 | Confirm prerequisites | ⬜ |
✅ Step 2. Create a Data Export Group
Go to the Admin Console → Approval Groups.
http://127.0.0.1:4003/admin/approval-groups
Click ➕ Create Group.
Select at least three members of your org → click Create.
Go to the Assign tab → set the group as Data Export → click Assign.
| Step | Action | Done |
|---|---|---|
| 2 | Create and assign the Data Export Group | ⬜ |
📌 If replacing an existing group
A yellow exclamation point appears while the swap is being processed.
Members of the current Data Export Group will receive an approval request.
They must log in to Settings → Approvals or http://127.0.0.1:4003/settings/approvals and approve the change.
Once approved, your new group’s name will appear as Data Export in the Admin Console.
✅ Step 3. Prepare for Key Transfer (with PreVeil Support)
A Zoom session will be scheduled with PreVeil support, the Exporter, and the Data Export Group members to securely transfer keys.
For each required user (Exporter + Data Export Group):
Go to Settings → Add Device or open http://127.0.0.1:4003/settings/add-device.
PreVeil support will enable key reception on the hosted SIEM Connector.
An 8-character code will appear on the server. PreVeil Support will share it.
Enter the code → click Transfer Key.
Confirm success by checking Device Management for a Linux device.
Repeat for all required users.
📌 If Device Management is disabled in your organization:
Temporarily re-enable it or request an exception for the participating users.
| Step | Action | Done |
|---|---|---|
| 3 | Complete key transfer with PreVeil support | ⬜ |
✅ Step 4. Connect Logs to Your SIEM
You have two choices for receiving logs:
Option A. Fastest & Easiest
Provide your SIEM log forwarder/collector agent (UNIX-based) and instructions to PreVeil support.
Enable log reception on your SIEM service.
⚠️ Recommendation: Have your SIEM service tech support agent on standby during this step in case challenges arise.
Option B. Secure TCP Forwarding with NXLog
PreVeil configures NXLog on the connector.
You provide:
Public IP address of your SIEM
Port number
SSL certificate information
⚠️ Note: This option may require setting up port forwarding rules on your firewall and may require assistance from your IT team.
| Step | Action | Done |
|---|---|---|
| 4 | Connect logs to SIEM (Option A or B) | ⬜ |

| Step | Action | Done |
|---|---|---|
| 5 | Verify log flow into SIEM | ⬜ |
Troubleshooting
This section covers common issues and how to resolve them.
Logs Not Appearing in SIEM
Symptoms:
No logs appear in your SIEM 15–30 minutes after setup.
Possible Causes:
Some users are offline or unreachable.
Firewall or port forwarding rules are blocking traffic (Option B).
SIEM log collector agent is misconfigured (Option A).
Key transfer was incomplete.
What to Do:
Verify all Exporter and Data Export Group members are online.
Check Device Management to confirm their Linux device appears.
If using Option A: Recheck your SIEM collector agent configuration.
If using Option B: Confirm firewall rules and port forwarding with IT.
If still failing, schedule a session with PreVeil support.
Key Transfer Failures
Symptoms:
User cannot complete the Add Device flow.
The 8-character code is rejected.
Possible Causes:
Device Management is disabled in the organization.
Network instability during transfer.
What to Do:
Confirm Device Management is enabled (or exceptions granted).
Ensure the user is correctly assigned as Exporter or Data Export Group member.
Retry the transfer on a stable network.
Firewall & Port Issues (Option B – NXLog)
Symptoms:
SIEM server is not receiving logs.
Connection attempts appear blocked.
What to Do:
Ask IT to confirm the firewall allows outbound traffic on the configured port.
Verify port forwarding rules are correctly applied.
Confirm SSL certificates are valid and properly installed.
Retest the NXLog connection.
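A blocked port, a closed port, and a certificate problem all look the same from the SIEM console. The following added example (not PreVeil or NXLog tooling; `probe_siem_listener` is a hypothetical name) is a Python check you can run from a machine outside your network to tell them apart. It assumes the listener speaks TLS directly on the port.

```python
import socket
import ssl
import sys


def probe_siem_listener(host, port, cert_name=None, ca_file=None, timeout=5.0):
    """Classify how a TLS log listener looks from this machine.

    Returns (status, detail). status is one of: ok, timeout, refused,
    unreachable, cert_invalid, tls_failed.
    """
    # Default context verifies the chain and the name; ca_file lets you
    # trust a private CA instead of the system store.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # Packets silently dropped: firewall rule or missing port forward.
        return "timeout", "no answer; check firewall and port forwarding"
    except ConnectionRefusedError:
        # Something answered, but nothing is listening on that port.
        return "refused", "port closed; check the listener and forward target"
    except OSError as exc:
        return "unreachable", str(exc)
    try:
        # cert_name is the name on the certificate when it differs from host.
        with sock, ctx.wrap_socket(sock, server_hostname=cert_name or host) as tls:
            not_after = tls.getpeercert()["notAfter"]
            return "ok", f"{tls.version()}, certificate valid until {not_after}"
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted issuer, or name mismatch.
        return "cert_invalid", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Listener is not speaking TLS on this port, or reset the handshake.
        return "tls_failed", str(exc)


if __name__ == "__main__" and len(sys.argv) >= 3:
    # Usage: python probe.py <siem-public-ip> <port> [name-on-certificate]
    name = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_siem_listener(sys.argv[1], int(sys.argv[2]), cert_name=name))
```

A `timeout` or `refused` result points at firewall and port forwarding rules; `cert_invalid` or `tls_failed` points at the certificate or the listener's TLS configuration.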
Delays in Log Visibility
It can take 10–15 minutes for logs to appear after PreVeil restarts services.
If delays exceed 30 minutes, recheck connectivity and user availability.
Tip: Keep both your SIEM support agent and PreVeil support involved if issues arise — it speeds up resolution.
Changing the Exporter and Approvers
Changing the Exporter and Approvers is possible but requires a reset of the SIEM configuration file and the user keys on the server. This may involve recreating an approval group and does require clearing the SIEM server’s local database and redoing the key copying. For this reason, we advise choosing active and reliable users in the organization and considering the configuration permanent.