Integration with Splunk
The Delinea for Splunk Integration Guide assists Delinea Privileged Access Service (PAS) customers with integrating Delinea PAS event data into Splunk. The Delinea Add-on for Splunk normalizes Delinea events in Splunk.
This integration guide applies to the following Splunk versions and Delinea PAS releases:
| Splunk Versions | Delinea Privileged Access Service Releases |
|---|---|
| 6.5.x | 2016 |
| 6.6.x, 7.0.0 | 2016.1, 2016.2, 2017, 2017.1, 2017.2, 2017.3 |
| 8.0 | 2020.2 |
| 8.1 | 2020.6 |
| 8.x | 2020.7 |
Splunk Components
The following diagram illustrates the Splunk components that interact with the Delinea Add-on for Splunk:
Delinea Add-on for Splunk
Add-ons are used in Splunk for data onboarding and parsing. The parsed events can be used for ad-hoc queries or to create visualizations. This Add-on can co-exist with other Splunk Add-ons without conflicts.
The Delinea Add-on for Splunk contains:
- Data inputs for Windows and Unix Delinea agents (disabled by default)
- A parser to extract all of the Delinea event fields
- Event types to categorize Delinea event categories such as Delinea Configuration, Direct Authorize – Windows, and so on
- Tags so that Delinea authentication data complies with the Splunk Common Information Model (CIM)
Delinea App for Splunk
In general, Splunk apps are used for data visualization, such as dashboards, reports, and alerts.
The apps contain:
- Sample Delinea dashboards
- Sample weekly reports
- Sample alerts