Skip to main content

Event Exporters

MandateZ’s event stream is the spine. Exporters fan every signed AgentEvent out to your existing observability or SIEM stack so security, compliance, and SRE teams see the same signal in the tools they already use.

How Exporters Work

Every exporter implements one interface:
Pass one or more exporters to MandateZClient:
After every client.track() call, MandateZ signs and stores the event in the canonical stream and fans it out to every configured exporter in parallel. Exporters are fire-and-forget — a failing exporter logs a warning but never blocks or throws from track(). This is by design: agents must not stall waiting on a downstream log sink.

Datadog Exporter

Ships each event to the Datadog Logs v2 HTTP intake with MandateZ-specific tags pre-applied.
What shows up in Datadog:
  • ddsource = mandatez-sdk
  • Status: error for blocked, warn for flagged, info otherwise
  • Tags: agent_id, owner_id, outcome, action_type + your extras
  • Full event body nested under mandatez.* so you can facet on @mandatez.resource, @mandatez.policy_id, etc.

Splunk Exporter

Posts each event to Splunk HTTP Event Collector (HEC).
The Authorization: Splunk <token> header is set automatically. Each event is wrapped with a Splunk event envelope (time, host, source, sourcetype, index, event) — the inner event object carries the full signed AgentEvent.

OpenTelemetry Exporter

Formats each event as an OTLP/HTTP span and ships it to any OpenTelemetry collector (Grafana Tempo, Honeycomb, New Relic, Jaeger, AWS ADOT, etc.).
Each event becomes a zero-duration span named mandatez.<action_type> with the full event serialized as span attributes. Status maps to OTel semantics: No @opentelemetry/* dependency is pulled into the SDK — the exporter emits the wire-level OTLP/HTTP JSON directly, keeping your bundle lean.

Webhook Exporter

Generic POST of the signed event to any HTTPS URL. Useful when your SIEM or internal log pipeline doesn’t have a first-class exporter yet.
The payload is the full AgentEvent shape, unmodified. Never rename fields on the receiving side — this is the canonical cross-vendor envelope.

Writing a Custom Exporter

Any object matching EventExporter drops into the exporters: [...] array.

Guarantees

  • Fan-out is parallel — one slow exporter cannot delay another.
  • Fan-out is fire-and-forgettrack() never awaits exporter completion, and a thrown exporter error is caught and logged as a warning.
  • No duplication — the MandateZ stream remains the source of truth. Exporters are cache invalidation, not persistence.
  • Every event is signed before export — downstream systems receive a tamper-evident envelope with the agent’s public key inline for verification.

Get Started

Stand up MandateZ and wire your first exporter in under five minutes.