Splunk


Set up Splunk to receive audit logs from Lenses.

Set up 

1. Visit Admin → Connections and click New connection

Lenses.io Connection

2. Select Splunk

Splunk Connection

3. Provide a name and configuration

Lenses integrates with Splunk’s HTTP Event Collector API.

You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, you need to create an HTTP Event Collector Token within Splunk. This token must not have "Enable indexer acknowledgment" turned on: a token with acknowledgment enabled requires every request to carry an X-Splunk-Request-Channel header and the sender to poll for acknowledgments, which the Lenses connection does not do, so Splunk would reject its events.

Splunk Connection

Add channel 

Next, add one or more target Splunk channels.

1. Visit Admin → (Audits) Channels and click Splunk

Splunk audit channel

2. Set up the configuration options

Splunk audit details

For example, the configuration above creates the Splunk Audit channel, which uses the Splunk connection to create an event in Splunk for every Lenses audit entry, with a Splunk event source value of lenses-audits.

An example 

If, for example, you create a rule to send audits to Splunk, then the moment a new audit entry is added an HTTP API call is made to the Splunk HEC endpoint.

Splunk Webhook 

Set up alerts from Lenses.io to Splunk via a Webhook connection that posts to a Splunk HTTP Event Collector (HEC) endpoint.

Set up 

1. Visit Admin → Connections and click New connection

Lenses.io Connection

2. Select Webhook (Note: use a Webhook connection for alerts; for SIEM audit events use the native Splunk connection described above)

Webhook Connection

3. Provide a name and configuration

Provide a name for the Connection, such as SplunkWebhook

Enter the DNS name or IP of your Splunk instance that has an HTTP Event Collector listener configured. This must be the host only, without a path (i.e. not including /services/collector).

Enter the port of the HTTP Event Collector (Splunk default: 8088).

Enable SSL if the HEC listener is served over TLS. Since every request carries the HEC token in a header, prefer a TLS-enabled listener.

Credentials are not required at this stage. The HTTP Event Collector Token is provided in the next step.

Webhook Splunk Connection

Add channel 

Next, add one or more target Splunk webhook channels.

1. Visit Admin → Channels and click Webhook

2. Set up the configuration options

Splunk Webhook details

For example, the configuration above creates the Kafka DevOps channel, which uses the Webhook connection.

The Splunk Connection created in the previous step is selected as the Connection.

Enter a header declaring the Splunk HEC Token. The format must be exactly:

Authorization: Splunk <<HEC TOKEN>>

For the Request path, enter the exact value:

/services/collector

The body payload must be a valid JSON object, otherwise Splunk rejects the request.

The alert payload must be held in an event object within the JSON, for example:

{
 "event": {
   "category": "{{CATEGORY}}",
   "level": "{{LEVEL}}",
   "id": "{{ID}}"
 }
}

See webhooks section for full details about available variables.

The event will appear like the following in Splunk:

Apache Kafka alert in Splunk from Lenses.io details

Test sending an alert before saving with a cURL command. The {{CATEGORY}}, {{LEVEL}} and {{ID}} placeholders are sent literally here; Lenses substitutes them only when it fires the webhook. The -k flag skips server certificate verification, so drop it (or pass --cacert with your CA bundle) once the HEC listener presents a certificate your client trusts:

curl -v -k PROTOCOL://YOUR_SPLUNK_HOST:8088/services/collector -H "Authorization: Splunk YOUR_TOKEN" -d '{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }'
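The following script is an added example, not Lenses or Splunk code. It reproduces what the webhook channel does when it fires: renders the {{CATEGORY}}, {{LEVEL}} and {{ID}} placeholders from the template above into the HEC body, checks locally that the result is a JSON object with an event field (the two things HEC insists on), assembles the POST to /services/collector with the Authorization: Splunk header, and interprets Splunk's JSON reply using HEC's documented reply codes, including code 10, which is what you get when the token has indexer acknowledgment turned on. The host, port, token and sample alert values are constructed placeholders; the send_test_event function verifies the server certificate instead of disabling checks the way curl -k does.

```python
"""Build, validate and optionally send the HEC request Lenses' Splunk webhook makes.

Added example, not Lenses or Splunk code. Assumes the webhook body template from
this page, Splunk's /services/collector endpoint and its documented JSON replies.
"""
import json
import re
import ssl
from urllib.error import HTTPError
from urllib.request import Request, urlopen

HEC_PATH = "/services/collector"  # exact request path the webhook channel needs

# Body template in the shape this page prescribes: alert fields live under "event".
TEMPLATE = (
    '{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }'
)

# Reply codes Splunk HEC documents; the ones a first setup most often hits.
HEC_CODES = {
    0: "Success",
    4: "Invalid token",
    10: "Data channel is missing: the token has indexer acknowledgment enabled",
    12: "Event field is required: payload has no top-level 'event'",
}


def render_template(template: str, variables: dict) -> str:
    """Substitute {{NAME}} placeholders, JSON-escaping each value so a quote or
    newline in an alert message cannot break the JSON Splunk receives."""
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("unknown webhook variable {{%s}}" % name)
        # json.dumps returns a quoted string; the template supplies its own quotes.
        return json.dumps(str(variables[name]))[1:-1]
    return re.sub(r"\{\{([A-Z_]+)\}\}", substitute, template)


def validate_hec_body(body: str) -> dict:
    """Reject locally what HEC would reject: non-JSON, or no 'event' object."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON: %s" % exc) from exc
    if not isinstance(doc, dict) or "event" not in doc:
        raise ValueError("HEC requires a top-level 'event' field")
    if doc["event"] in ("", None, {}):
        raise ValueError("HEC rejects a blank 'event'")
    return doc


def build_request(host: str, port: int, token: str, body: str, use_tls: bool = True) -> Request:
    """Assemble the POST exactly as the webhook channel is configured: host and
    port from the connection, path and Authorization header from the channel."""
    scheme = "https" if use_tls else "http"
    url = "%s://%s:%d%s" % (scheme, host, port, HEC_PATH)
    req = Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Authorization", "Splunk %s" % token)
    req.add_header("Content-Type", "application/json")
    return req


def explain_hec_reply(status: int, reply_body: str):
    """Map an HEC JSON reply to (accepted, explanation)."""
    try:
        doc = json.loads(reply_body)
    except json.JSONDecodeError:
        return False, "HTTP %d with non-JSON body (is the port really HEC?)" % status
    code = doc.get("code")
    text = HEC_CODES.get(code, doc.get("text", "unknown reply"))
    return status == 200 and code == 0, "HTTP %d, code %s: %s" % (status, code, text)


def send_test_event(host, port, token, variables, cafile=None):
    """Send one rendered event. Verifies the server certificate (pass cafile for a
    private CA) instead of disabling checks the way `curl -k` does."""
    body = render_template(TEMPLATE, variables)
    validate_hec_body(body)
    req = build_request(host, port, token, body)
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urlopen(req, context=ctx, timeout=10) as resp:
            return explain_hec_reply(resp.status, resp.read().decode("utf-8"))
    except HTTPError as err:  # HEC reports token/payload problems as 4xx with a JSON body
        return explain_hec_reply(err.code, err.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample alert; replace host and token with your own before sending.
    sample = {"CATEGORY": "Infrastructure", "LEVEL": "CRITICAL", "ID": "42"}
    print(validate_hec_body(render_template(TEMPLATE, sample)))
```

If Splunk answers with code 10, fix the token (disable indexer acknowledgment) rather than the payload; code 12 means the body lost its event wrapper, which is the most common mistake when editing the channel's body template.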

An example 

If, for example, you create a rule to send Apache Kafka Broker monitoring notifications to Splunk, the moment a Broker goes offline an HTTP POST is sent to Splunk via the Splunk HTTP Event Collector. This can then also be analysed in Splunk ITSI.