
Splunk Integration

Overview

QueryPie can send the audit logs it records to an external Splunk instance.

System admin privileges are required for Integration settings.

Recommended Splunk Integration Architecture


Splunk recommends the following architectures for syslog-to-Splunk integration.

  1. Primary collection through a separate syslog server, then transmission to Splunk
  2. Transmission to Splunk through a Universal Forwarder / Heavy Forwarder

For customer convenience, QueryPie can transmit directly using the TCP, UDP, HTTP and HTTPS protocols, but note that direct transmission is not a Splunk recommendation.

For reference, Splunk separately provides SC4S (Splunk Connect for Syslog) for syslog collection.

Configuring Splunk Integration

  1. Navigate to the System > Integrations menu in General Settings.
  2. Click the Splunk tile to open the detail page.
  3. Click the Configure button on the detail page to open a popup where you can enter the Destination information.

(Left) TCP / UDP Settings Screen (Right) HTTP / HTTPS Settings Screen


  1. Enter the following fields to create the Destination.
    1. Destination Name: Enter a name that identifies the entity receiving the syslog.
    2. Protocol: The protocols available for transmission to Splunk are TCP (default), UDP, HTTP and HTTPS.
      1. UDP is subject to packet length limits and is weaker from a security standpoint, so TCP is recommended.
      2. When using the Splunk HTTP Event Collector (HEC), the default is HTTPS.
      3. To use HTTP instead of HTTPS, first configure Splunk’s HEC option not to use SSL. When selecting HTTP or HTTPS, you must additionally enter the following fields:
        • HEC Host: Enter the hostname or IP address of the Splunk server.
        • HEC Token: Enter the Splunk HEC token value.
    3. Destination Address (Hostname): Enter the IP address or hostname of the Splunk server or forwarder receiving the syslog. For the HTTP and HTTPS protocols, this field changes to HEC Host.
    4. Port: Enter the listening port of the syslog server (TCP/UDP default 514).
      1. Check the Splunk HEC port in Splunk’s settings before entering it.
      2. When the HTTP/HTTPS protocol is selected:
        • Enter the port number set in the global options of Splunk’s HTTP Event Collector. The default is 8088.
        • For Splunk Cloud, enter 443.
    5. HEC Token: For the HTTP and HTTPS protocols, enter the token value created when configuring Splunk’s HEC.
    6. Test Connection button: For the TCP, HTTP and HTTPS protocols, checks whether QueryPie can communicate with the target.
      • UDP cannot confirm delivery due to the nature of the protocol, so the Test Connection button is disabled.
    7. Select Event Items: You can choose which event items to send. Selecting the “Select all event items, including those that may be added later.” checkbox at the bottom sends all available events.
    8. Disable syslog header: Sends events without syslog header information (default Yes). This option exists to remove syslog headers for SIEMs that have difficulty parsing the JSON when a header is present. For HTTP and HTTPS this option cannot be used; events are always sent without syslog headers.
    9. Description: Enter a brief description of the configuration, up to 100 characters.
  2. Click the OK button to save the settings.
    1. Saving the settings does not start transmission.
  3. To start transmission, switch the toggle button in the top left of the page to ON.
    1. This toggle can also be used to stop transmission temporarily, for example during maintenance.
  4. If syslog transmission is no longer needed, remove the configuration with the Delete button.
    1. Deletion is not possible while transmission is ON, so switch the transmission toggle to OFF before deleting.

Timezone settings were added in 11.3.0. Previously, Timezone settings were only available in Syslog (Legacy); they are now available for all SIEM-related settings (Syslog, Splunk). Additionally, streaming transmission of events generated by the new DAC Policy Management feature has been added (select DAC Policy Audit Logs in Select Event Items).
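The Disable syslog header option above changes what a receiving syslog listener sees: either a syslog header followed by the JSON event, or the bare JSON. As an added example (not part of the QueryPie documentation or product code), the following Python parser normalises both forms and rejects a message cut off mid-JSON, which is the failure mode the UDP packet length limit can produce. The syslog header layouts and the JSON field names in the sample lines are assumptions for this example, not QueryPie's documented schema.

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample lines as a TCP syslog listener might receive them from QueryPie.
# The syslog header layouts (RFC 5424 and RFC 3164 style) and the JSON field
# names are assumptions for this example, not QueryPie's documented schema.
SAMPLE_LINES = [
    '<14>1 2025-10-09T04:52:10Z querypie-app querypie - - - '
    '{"eventType":"Query Audit","user":"alice","db":"prod"}',
    '{"eventType":"Server Command Audit","user":"bob","command":"ls -la /var/log"}',
    '<14>Oct  9 04:52:10 querypie-app querypie: {"eventType":"Activity Logs","user":"carol"}',
    'not json at all',
]
# A message cut off mid-JSON, as can happen when a large event exceeds the UDP
# packet length limit; the decoder must reject it rather than guess.
TRUNCATED_LINE = '<14>1 2025-10-09T04:52:11Z querypie-app querypie - - - {"eventType":"DML Snapshot","rows":[1,2,'

def has_syslog_header(line: str) -> bool:
    """True if the line starts with a syslog PRI field such as '<14>'."""
    return re.match(r'^<\d{1,3}>', line) is not None

def extract_json(line: str) -> Optional[dict]:
    """Return the JSON event object carried in the line, or None.
    Decoding starts at the first '{', so lines sent with a syslog header
    (Disable syslog header: No) and without one (Disable syslog header: Yes)
    are handled identically; truncated or non-JSON lines yield None."""
    start = line.find('{')
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def parse_lines(lines: List[str]) -> List[Tuple[bool, Optional[dict]]]:
    """Parse each line into (syslog_header_present, event_or_None)."""
    return [(has_syslog_header(line), extract_json(line)) for line in lines]

def count_by_event_type(lines: List[str]) -> dict:
    """Count successfully parsed events per eventType, which is a quick way to
    confirm that every item ticked under Select Event Items actually arrives."""
    counts: dict = {}
    for _, event in parse_lines(lines):
        if event is not None:
            key = event.get("eventType", "unknown")
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(parse_lines(SAMPLE_LINES + [TRUNCATED_LINE]))
    print(count_by_event_type(SAMPLE_LINES + [TRUNCATED_LINE]))
```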


Reference

  • QueryPie event items transmitted through syslog, by license (O: transmitted under that license, N/A: not applicable to that license)

  Event Item                     DAC   SAC   KAC
  -----------------------------  ----  ----  ----
  User Access History            O     O     O
  Activity Logs                  O     O     O
  Admin Role History             O     O     O
  Audit Log Export               O     O     O
  DB Access History              O     N/A   N/A
  Query Audit                    O     N/A   N/A
  DML Snapshot                   O     N/A   N/A
  DB Access Control Logs         O     N/A   N/A
  Account Lock History           O     N/A   N/A
  Server Access History          N/A   O     N/A
  Server Command Audit           N/A   O     N/A
  Server Session Logs            N/A   O     N/A
  Server Access Control Logs     N/A   O     N/A
  Workflow Logs                  O     O     O
  Approval Urgent Waiting Logs   O     O     O
  Request Audit                  N/A   N/A   O
  Kubernetes Role History        N/A   N/A   O

Pod Session Recordings are not supported for syslog transmission because they duplicate the list and details of the pods/exec resource calls already included in Request Audit.
