Splunk

Integrating Keeper SIEM push to Splunk Enterprise

Overview

Keeper supports event streaming into Splunk Cloud and Splunk Enterprise deployments. External logging is real-time, and new events will appear almost immediately.

An example configuration is displayed below. Note that the Host field should contain only the domain portion of the collector URL.

Splunk Integration Settings

Splunk Cloud (Self-Service)

Keeper supports the HTTP Event Collector (HEC) feature of Splunk Cloud deployments.

The standard form for the HEC URL in self-service Splunk Cloud is as follows:

<host>:<port>/<endpoint>

In Keeper, you only need to supply the domain portion of the URL. For example:

Host: input-prd-p-2dm85a8f6db.cloud.splunk.com
Port: 8088
Token: HEC token generated in Splunk

Splunk Managed Cloud

Keeper supports the HTTP Event Collector (HEC) feature of Splunk Managed Cloud deployments. The standard form for the HEC URL in managed Splunk Cloud is as follows:

http-inputs-<host>:<port>/<endpoint>

In Keeper, you only need to supply the domain portion of the URL. For example:

Host: http-inputs-prd-p-2dm85a8f6db.splunkcloud.com
Port: 443
Token: HEC token generated in Splunk

Ensure that your endpoint has the "Indexer Acknowledgement" feature disabled.

Splunk Enterprise

Keeper supports the HTTP Event Collector (HEC) feature of Splunk Enterprise and Splunk Cloud deployments. A few things to note when configuring Keeper with Splunk:

  • Instructions on creating a HEC for Keeper can be found on Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/UsetheHTTPEventCollector

  • Keeper requires that the collector endpoint uses SSL with a valid certificate signed by a certificate authority. If the collector is not using SSL, Keeper will reject the connection.

  • The collector endpoint URI needs to be accessible from Keeper's servers. See the AllowList section below for a list of IP addresses.

(1) On the Splunk interface, create a new HEC or select an existing collector.

(2) Generate a token and store it for Step 4.

(3) In the Global Settings, ensure that "Enable SSL" is selected and that the collector is configured to use SSL.

Enable SSL on HEC

(4) On Keeper, plug in the endpoint Host, Port and Token from the HEC. In Keeper, you only need to supply the domain portion of the URL.

Splunk Settings

(5) Click on "Test Connection" to ensure that the connection is successful. If it is successful, the "Save" button will become active. If there is a communications error, either nothing will happen or you will receive an error message.

(6) Click "Save" to activate the collector. Keeper will then show the active status.

Active Sync Status

If the status shows "Paused", it could mean that there was a communications error when transmitting events to the Splunk server. A common reason is that the HEC is not using SSL with a valid certificate signed by a certificate authority (CA).

Troubleshooting

As stated above, the HEC in Splunk Enterprise must be secured with SSL using a certificate signed by a certificate authority. To check this from a Mac or Linux command line, run the following (replacing the endpoint URI and token with your own):

$ curl https://splunk.acme-demo.com:8088/services/collector -H "Authorization: Splunk b56ashdd-8b97-443b-1234-abcabcabcabc" -d '{"event": "hello world"}'

If you receive an error about the SSL certificate like below, then it's not configured correctly.

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If you add a "-k" to the curl request to ignore the certificate, you may receive a successful response. This is a good indicator that the HEC certificate is not valid.
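The same pre-flight check as the curl command, as an added Python example that is not part of Keeper's or Splunk's own tooling: it normalizes a pasted collector URL down to the domain portion that the Keeper Host field accepts, builds the HTTPS HEC URL (assuming Splunk's default /services/collector endpoint), and sends one test event with full CA verification so that a certificate problem, a rejected token and an unreachable endpoint are reported as distinct diagnoses. The host, port and token in the usage block are constructed placeholders.

```python
"""Keeper -> Splunk HEC pre-flight check (added example, not Keeper's code)."""
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def keeper_host(collector_url: str) -> str:
    """Return only the domain portion, which is all the Keeper Host field accepts."""
    url = collector_url if "://" in collector_url else "https://" + collector_url
    hostname = urlsplit(url).hostname
    if not hostname:
        raise ValueError(f"no host in {collector_url!r}")
    return hostname


def hec_url(host: str, port: int, endpoint: str = "services/collector") -> str:
    """Keeper only speaks HTTPS to the collector, so the scheme is fixed."""
    return f"https://{keeper_host(host)}:{port}/{endpoint.lstrip('/')}"


def check_hec(host: str, port: int, token: str, timeout: float = 10.0) -> str:
    """Send one test event with certificate verification on (like curl without -k).

    Returns a one-line diagnosis instead of raising, so it can be scripted."""
    req = urllib.request.Request(
        hec_url(host, port),
        data=json.dumps({"event": "keeper hec connectivity test"}).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return f"ok: HTTP {resp.status} {resp.read(200).decode(errors='replace')}"
    except urllib.error.HTTPError as e:  # TLS handshake succeeded, HEC said no
        return f"TLS ok but HEC rejected the event: HTTP {e.code} (check token / indexer ack)"
    except urllib.error.URLError as e:  # urllib wraps the SSL error in URLError.reason
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return f"certificate not valid / not CA-signed (Keeper will pause): {e.reason}"
        return f"endpoint unreachable from this host (check firewall and port): {e.reason}"
    except OSError as e:
        return f"network error: {e}"


if __name__ == "__main__":
    # Constructed placeholders; substitute your own HEC host, port and token.
    print(check_hec("splunk.example.com", 8088, "REPLACE-WITH-HEC-TOKEN"))
```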

To configure Splunk Enterprise for SSL on the collector, refer to the documentation. The local/server.conf file should be modified to include the [sslConfig] section that enables SSL on the splunkd service with a bundled certificate file chain.

[sslConfig]
enableSplunkdSSL = true
serverCert = $SPLUNK_HOME/etc/auth/mycompany/my_bundle.pem

The certificate file chain (my_bundle.pem) can be created by concatenating the certificate, private key and CA certs as shown below:

cat my_server.crt my_server.key ca_certs.crt >> my_bundle.pem

For additional details, see the Splunk Enterprise documentation related to securing Splunk with SSL:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/AboutsecuringyourSplunkconfigurationwithSSL
https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Securingyourdeploymentserverandclients

Event Display

Once activated, the event logs will stream automatically from Keeper's backend servers to the Splunk HEC. As seen in the screenshot below, the event logs will contain the event type, client application version, IP address, timestamp and username of the Keeper user.

Network Routing

Ensure that your firewall allows traffic from Keeper's servers. See the Firewall Configuration page.
