Splunk
Integrating Keeper SIEM push to Splunk Enterprise
Overview
Keeper supports event streaming into Splunk Cloud and Splunk Enterprise deployments. External logging is real-time, and new events will appear almost immediately.
An example configuration is displayed below. Note that Host field should only contain the domain portion of the collector URL.
Splunk Cloud (Self-Service)
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Cloud deployments.
The standard form for the HEC URL in self-service Splunk Cloud is as follows:
In Keeper, you only need to supply the domain portion of the URL. For example:
Host: input-prd-p-2dm85a8f6db.cloud.splunk.com Port: 8088 Token: HEC token generated in Splunk
Splunk Managed Cloud
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Managed Cloud deployments. The standard form for the HEC URL in managed Splunk Cloud is as follows:
In Keeper, you only need to supply the domain portion of the URL. For example:
Host: http-inputs-prd-p-2dm85a8f6db.splunkcloud.com Port: 443 Token: HEC token generated in Splunk
Ensure that your endpoint has the "Indexer Acknowledgement" feature disabled.
Splunk Enterprise
Keeper supports the HTTP Event Collector (HEC) feature of Splunk Enterprise and Splunk Cloud deployments. To configure Keeper with Splunk, a few things to note:
Instructions on creating a HEC for Keeper can be found on Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/UsetheHTTPEventCollector
Keeper requires that the collector endpoint uses SSL with a valid certificate signed by a certificate authority. If the collector is not using SSL, Keeper will reject the connection.
The collector endpoint URI needs to be accessible from Keeper's servers. See the AllowList section below for a list of IP addresses.
(1) On the Spunk interface, create a new HEC or select an existing collector.
(2) Generate a token and store it for Step 4.
(3) In the Global Settings, ensure that "Enable SSL" is selected and ensure that the collector is configured to use SSL.
(4) On Keeper, plug in the endpoint Host, Port and Token from the HEC. In Keeper, you only need to supply the domain portion of the URL.
(5) Click on "Test Connection" to ensure that the connection is successful. If it's successful, the "Save" button will become active. If there is a communications error, nothing will happen or you will receive an error message.
(6) Click "Save" to activate the collector. Keeper will then show the active status.
If the status shows "Paused", it could mean that there was a communications error when transmitting events to the Splunk server. A common reason for this is because the HEC is not using SSL with a valid certificate signed by a certificate authority (CA).
Troubleshooting
As stated above, the HEC in Splunk Enterprise must be secured with SSL having a certificate that is signed by a certificate authority. As a way to check this from a Mac or Linux command line, type the following (replacing your endpoint URI and Token):
If you receive an error about the SSL certificate like below, then it's not configured correctly.
If you add a "-k" to the curl request to ignore the certificate, you may receive a successful response. This is a good indicator that the HEC certificate is not valid.
To configure Splunk Enterprise for SSL on the collector, refer to the documentation. The local/server.conf file should be modified to include the [sslConfig] section that enables SSL on the splunkd service with a bundled certificate file chain.
The certificate file chain (my_bundle.pem) can be created by concatenating the certificate, private key and CA certs such as below:
For additional details, see the Splunk Enterprise documentation related to securing Splunk with SSL: https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/AboutsecuringyourSplunkconfigurationwithSSL https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Securingyourdeploymentserverandclients
Event Display
Once activated, the event logs will stream automatically from Keeper's backend servers to the Splunk HEC. As seen in the screenshot below, the event logs will contain the event type, client application version, IP address, timestamp and username of the Keeper user.
Network Routing
Ensure that your Firewall allows traffic from Keeper servers. See Firewall Configuration page.
Last updated