> For the complete documentation index, see [llms.txt](https://docs.spyderbat.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.spyderbat.com/installation/spyderbat-event-forwarder/helm-chart.md). # Helm Chart {% hint style="warning" %} Before installing the Event Forwarder, enable SIEM forwarding on at least one saved query in the console. Without this step, the forwarder polls the API and receives nothing. See [SIEM Forwarding](/concepts/integrations/siem-forwarding.md). {% endhint %} The Helm chart deploys the Event Forwarder with persistent storage, so it resumes where it left off after restarts or pod rescheduling. {% hint style="warning" %} Run only one Event Forwarder instance per organization. Multiple instances each receive the full event stream independently and will cause duplicate events in your SIEM. {% endhint %} ## Prerequisites * A Kubernetes cluster with Helm installed * Spyderbat Nano Agents deployed on the hosts you want to monitor * Your org UID and a Spyderbat API key (see [API Key Setup](/tutorials/integrations/how-to-set-up-your-spyderbat-api-key-and-use-the-spyderbat-api.md)) * SIEM forwarding enabled on at least one saved query (see [SIEM Forwarding](/concepts/integrations/siem-forwarding.md)) ## Install Clone the event-forwarder repository and install the chart: ```bash git clone https://github.com/spyderbat/event-forwarder.git cd event-forwarder/helm-chart/event-forwarder helm install . \ --namespace spyderbat \ --set spyderbat.spyderbat_org_uid=YOUR-ORG-UID \ --set spyderbat.spyderbat_secret_api_key=YOUR-API-KEY \ --create-namespace ``` ### Helm values | Value | Description | Default | Required | | ------------------------------------ | ------------------------------------ | ------------------------ | -------- | | `spyderbat.spyderbat_org_uid` | Your organization UID | — | Yes | | `spyderbat.spyderbat_secret_api_key` | Your Spyderbat API key | — | Yes | | `spyderbat.api_host` | API host override for non-US regions | `api.prod.spyderbat.com` | No | | `namespace` | Kubernetes namespace | `spyderbat` | No | ## Verify the installation Check the pod logs to confirm the forwarder started and is receiving events: ```bash kubectl logs -f statefulset.apps/sb-forwarder-event-forwarder -n spyderbat ``` {% hint style="info" %} The StatefulSet name above assumes you used `sb-forwarder` as the Helm release name (the `` argument in the `helm install` command). If you used a different release name, replace `sb-forwarder` with your actual release name — for example, `statefulset.apps/my-release-event-forwarder`. {% endhint %} The forwarder logs status as JSON. Look for lines where the `"message"` field reports new record counts: ``` {"schema":"event_forwarder:meta:1.0.0","message":"5 new records (0 invalid, 5 logged)",...} ``` For detailed verification steps and troubleshooting, see [Event Forwarder validation](/concepts/integrations/spyderbat-event-forwarder.md#event-forwarder-validation). ## Related pages * [SIEM Forwarding](/concepts/integrations/siem-forwarding.md) — control plane setup * [Spyderbat Event Forwarder](/concepts/integrations/spyderbat-event-forwarder.md) — architecture overview * [SIEM Forwarding Quickstart](/tutorials/integrations/siem-forwarding-quickstart.md) — end-to-end setup guide --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.spyderbat.com/installation/spyderbat-event-forwarder/helm-chart.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.