Helm Chart

Install the Spyderbat Event Forwarder on Kubernetes using the Helm chart.

Before installing the Event Forwarder, enable SIEM forwarding on at least one saved query in the console. Without this step, the forwarder polls the API and receives nothing. See SIEM Forwarding.

The Helm chart deploys the Event Forwarder with persistent storage, so it resumes where it left off after restarts or pod rescheduling.

Run only one Event Forwarder instance per organization. Multiple instances each receive the full event stream independently and will cause duplicate events in your SIEM.

Prerequisites

A Kubernetes cluster with Helm installed
Spyderbat Nano Agents deployed on the hosts you want to monitor
Your org UID and a Spyderbat API key (see API Key Setup)
SIEM forwarding enabled on at least one saved query (see SIEM Forwarding)

Install

Clone the event-forwarder repository and install the chart:

git clone https://github.com/spyderbat/event-forwarder.git
cd event-forwarder/helm-chart/event-forwarder
helm install <release-name> . \
  --namespace spyderbat \
  --set spyderbat.spyderbat_org_uid=YOUR-ORG-UID \
  --set spyderbat.spyderbat_secret_api_key=YOUR-API-KEY \
  --create-namespace

Helm values

Value

Description

Default

Required

spyderbat.spyderbat_org_uid

Your organization UID

—

Yes

spyderbat.spyderbat_secret_api_key

Your Spyderbat API key

—

Yes

spyderbat.api_host

API host override for non-US regions

api.prod.spyderbat.com

namespace

Kubernetes namespace

spyderbat

Verify the installation

Check the pod logs to confirm the forwarder started and is receiving events:

kubectl logs -f statefulset.apps/sb-forwarder-event-forwarder -n spyderbat

The StatefulSet name above assumes you used sb-forwarder as the Helm release name (the <release-name> argument in the helm install command). If you used a different release name, replace sb-forwarder with your actual release name — for example, statefulset.apps/my-release-event-forwarder.

The forwarder logs status as JSON. Look for lines where the "message" field reports new record counts:

{"schema":"event_forwarder:meta:1.0.0","message":"5 new records (0 invalid, 5 logged)",...}

For detailed verification steps and troubleshooting, see Event Forwarder validation.

SIEM Forwarding — control plane setup
Spyderbat Event Forwarder — architecture overview
SIEM Forwarding Quickstart — end-to-end setup guide

Last updated 13 days ago

Was this helpful?

hashtagPrerequisites

hashtagInstall

hashtagHelm values

hashtagVerify the installation

hashtagRelated pages

Prerequisites

Install

Helm values

Verify the installation

Related pages