View the latest documentation 5.5
Setup Splunk to receive audit logs from Lenses.
1. Visit Admin → Connections and click New connection
2. Select Splunk
3. Provide a name and configuration
Lenses integrates with Splunk’s HTTP Event Collector API.
You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, you need to create a HTTP Event Collector Token within Splunk - this token must not have “Enable indexer acknowledgment” turned on.
Next add one or multiple target Splunk channels.
1. Visit Admin → (Audits) Channels and click Splunk
2. Setup the configuration options
For example the above will create the Splunk Audit channel, that will use the Splunk connection to create events in Splunk for all Lenses audits, with a Splunk event source value of lenses-audits.
Splunk Audit
lenses-audits
If for example you create a rule to send audits to Splunk, then the moment a new audit entry is added, an HTTP API call will be made to the Splunk endpoint.
Setup alerts from Lenses.io to Splunk via a Webhook to send to a Splunk HTTP Event Collector (HEC) connection.
2. Select Webhook (Note: Use webhook for alerts, and for SIEM - audit events the native Splunk connection)
Provide a name for the Connection, such as SplunkWebhook
SplunkWebhook
Enter the DNS or IP of your Splunk instance configured with a configured HTTP Event Collector listener. This should be without a path (ie. not including /services/collector for example)
/services/collector
Enter the port of the HTTP Event Collector (Splunk default: 8088).
8088
Enable SSL if necessary.
Credentials are not required at this stage. The HTTP Event Collector Token will be provided in next step.
Next add one or multiple target Splunk webhook channels.
1. Visit Admin → Channels and click Webhook
For example the above will create the Kafka DevOps channel, that is using the Webhook connection.
Kafka DevOps
The Splunk Connection created in the previous step is selected as the Connection.
Enter a header declaring the Splunk HEC Token. The format must be:
Authorization: Splunk <<HEC TOKEN>>
For the Request path, enter the exact value:
The body payload must include a valid JSON object for Splunk to accept.
The alert payload must be held in an event object within the JSON. Such as:
event
{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }
See webhooks section for full details about available variables.
The event will appear like the following in Splunk:
Test sending an alert before saving via a cURL command
curl -v -k PROTOCOL://YOUR_ SPLUNK_HOST:8088/services/collector -H "Authorization: Splunk YOUR_TOKEN" -d '{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }'
If for example you create a rule to send Apache Kafka Broker monitoring notifications to Splunk, the moment a Broker goes offline, an HTTP POST will be sent to Splunk via the Splunk HTTP Event Collector. This can then be also be analysed in Splunk ITSI.
HTTP POST
On this page