# Helm Chart

{% hint style="warning" %}
Before installing the Event Forwarder, enable SIEM forwarding on at least one saved query in the console. Without this step, the forwarder polls the API and receives nothing. See [SIEM Forwarding](https://docs.spyderbat.com/concepts/integrations/siem-forwarding).
{% endhint %}

The Helm chart deploys the Event Forwarder with persistent storage, so it resumes where it left off after restarts or pod rescheduling.

{% hint style="warning" %}
Run only one Event Forwarder instance per organization. Multiple instances each receive the full event stream independently and will cause duplicate events in your SIEM.
{% endhint %}

## Prerequisites

* A Kubernetes cluster with Helm installed
* Spyderbat Nano Agents deployed on the hosts you want to monitor
* Your org UID and a Spyderbat API key (see [API Key Setup](https://docs.spyderbat.com/tutorials/integrations/how-to-set-up-your-spyderbat-api-key-and-use-the-spyderbat-api))
* SIEM forwarding enabled on at least one saved query (see [SIEM Forwarding](https://docs.spyderbat.com/concepts/integrations/siem-forwarding))

## Install

Clone the event-forwarder repository and install the chart:

```bash
git clone https://github.com/spyderbat/event-forwarder.git
cd event-forwarder/helm-chart/event-forwarder
helm install <release-name> . \
  --namespace spyderbat \
  --set spyderbat.spyderbat_org_uid=YOUR-ORG-UID \
  --set spyderbat.spyderbat_secret_api_key=YOUR-API-KEY \
  --create-namespace
```

### Helm values

| Value                                | Description                          | Default                  | Required |
| ------------------------------------ | ------------------------------------ | ------------------------ | -------- |
| `spyderbat.spyderbat_org_uid`        | Your organization UID                | —                        | Yes      |
| `spyderbat.spyderbat_secret_api_key` | Your Spyderbat API key               | —                        | Yes      |
| `spyderbat.api_host`                 | API host override for non-US regions | `api.prod.spyderbat.com` | No       |
| `namespace`                          | Kubernetes namespace                 | `spyderbat`              | No       |

## Verify the installation

Check the pod logs to confirm the forwarder started and is receiving events:

```bash
kubectl logs -f statefulset.apps/sb-forwarder-event-forwarder -n spyderbat
```

{% hint style="info" %}
The StatefulSet name above assumes you used `sb-forwarder` as the Helm release name (the `<release-name>` argument in the `helm install` command). If you used a different release name, replace `sb-forwarder` with your actual release name — for example, `statefulset.apps/my-release-event-forwarder`.
{% endhint %}

The forwarder logs status as JSON. Look for lines where the `"message"` field reports new record counts:

```
{"schema":"event_forwarder:meta:1.0.0","message":"5 new records (0 invalid, 5 logged)",...}
```

For detailed verification steps and troubleshooting, see [Event Forwarder validation](https://docs.spyderbat.com/concepts/integrations/spyderbat-event-forwarder#event-forwarder-validation).

## Related pages

* [SIEM Forwarding](https://docs.spyderbat.com/concepts/integrations/siem-forwarding) — control plane setup
* [Spyderbat Event Forwarder](https://docs.spyderbat.com/concepts/integrations/spyderbat-event-forwarder) — architecture overview
* [SIEM Forwarding Quickstart](https://docs.spyderbat.com/tutorials/integrations/siem-forwarding-quickstart) — end-to-end setup guide