This guide provides instructions on how to:
- Integrate BI events data with Splunk Enterprise
Ensure that you have the following:
- You have a tenant configured for your organization and able to enroll users.
Splunk Enterprise configuration
- Create a HTTP Event Collector
- Configure HTTP Event Collector with SSL certificate
- Open HTTP Event Collector port
Create a HTTP Event Collector
Access your Splunk Enterprise admin console and login as a user with administrative privileges. In the dashboard, click “Settings”
In the drop-down options, click “Data inputs”, In “Data inputs” screen, click “Add new” to the right of “HTTP Event Collector”
Type in a name for the HTTP Event Collector, for example “sales-eng-splunk-enterprise-hec” and add a relevant description. Leave other fields to the default values. Click “Next”
Click “add all” next to “Available items” . This should populate “Selected item(s). In the “Default Index” drop down choose “main” and then click “Review”
Review the settings and click “Submit”
You will see “Token has been created successfully”. Copy the token value and provide it to BI SME.
You should see the newly created HTTP Event Collector
Configure HTTP Event Collector with SSL certificate
The default SSL certificate deployed with HTTP Event Collector has the Subject “CN=SplunkServerDefaultCert”. The SSL handshake requires the subject in the certificate match the host name of HTTP Event collector URL. Get an SSL certificate for example using letsencrypt with host name as the subject and the full CA certificate chain file in PEM format.
Refer to https://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Inputsconf#http:_.28HTTP_Event_Collector.29
* Set the following specifications for receiving Secure Sockets Layer (SSL)
communication underneath this stanza name.
serverCert = <path>
* The full path to the server certificate Privacy-Enhanced Mail (PEM)
* PEM is the most common text-based storage format for SSL certificate files.
* No default.
Open HTTP Event Collector port
Splunk enterprise HTTP Event collector listens on port 8088 by default . This port should be open for SSL traffic in the firewall for BI event integration to work.
Beyond Identity Configuration
The configuration is done using the BI admin console. Access BI admin console through your SSO integration. Click on “Integrations” and click on “SIEM”
Click the “+” sign next to Splunk. Type in a name, and with the data from section 3.1, fill in the values for HEC Token, HEC Host and HEC Port. From the events drop down, “select all” events or one the events you are interested in.
Verify events flowing to Splunk Enterprise
You can verify with a search in Splunk Enterprise, for example
index="main" source="http:sales-eng-splunk-enterprise-hec" "actor.tenant_id"="TENANT_CONFIGURED"
Replace source name with the ones you created and actor.tenant_id with the tenant configured.
Click on https://developer.beyondidentity.com/api/v0#tag/Events/operation/getEvents
Click on arrow next to 200
Click on body
Click on events
event_type lists all the events
Please sign in to leave a comment.