Skip to main content


SentinelOne platform delivers the defenses to prevent, detect, and undo—known and unknown—threats. This integration allows you to send logs from your SentinelOne applications to your SIEM account.

Before you begin, you'll need:

  • SentinelOne installed
  • Filebeat installed
  • Root access
Install the SentinelOne certificate on your Filebeat server

SentinelOne sends encrypted data, so you'll need to create a dedicated SentinelOne certificate to decrypt the logs by the Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/SentinelOne.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/SentinelOne.crt
Download the public certificate to your credentials server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous content.


Filebeat requires a file extension specified for the log input.

This code block adds SentinelOne as an input and sets as the output.

# ... Filebeat inputs
- type: tcp
max_message_size: 10MiB
host: ""
logzio_codec: json
type: sentinel_one
fields_under_root: true
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
- rename:
- from: "agent"
to: "beat_agent"
ignore_missing: true
- rename:
- from: "log.file.path"
to: "source"
ignore_missing: true

### Outputs
hosts: ["<<LISTENER-HOST>>:5015"]
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

  • Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

  • Replace the host port with your syslog port details. The above example has host: "" but you should change it to your specifics.

One last validation - make sure is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Configure SentinelOne to send logs to Logzio

Open the SentinelOne Admin Console. Configure SentinelOne to send logs to your Syslog server.

  1. Select your site.
  2. In the left side menu, click the slider icon [⊶] to open the Settings menu.
  3. Open the INTEGRATIONS tab, and fill in the details:
    1. Under Types, select SYSLOG.
    2. Toggle the button to enable SYSLOG.
    3. Host - Enter your public SYSLOG server IP address and port.
    4. Formatting - Select CEF2.
    5. Save your changes.

SentinelOne Admin Console configuration

Configure SentinelOne to send notifications

In the same screen, open the NOTIFICATIONS tab, and fill in the details:

Under Notification Types, check all options under Syslog notifications.

We recommend enabling all notification options to send Syslog logs. Still, it is optional. Note that if you leave some Syslog notification options disabled, it may interfere with's detection rules.

SentinelOne Admin Console configuration

Check for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.