Integrating Splunk Enterprise
Splunk Enterprise collects, indexes, and searches machine data for operational monitoring, compliance, and security analytics.
You can integrate Splunk Enterprise with the Delinea Platform by using webhooks that post platform events to the Splunk HTTP Event Collector (HEC) over TLS.
Prerequisites
Ensure that you have all the required accounts and utilities before starting the integration:
- An account on the Delinea Platform
- An account with admin permissions in Splunk Enterprise
- OpenSSL installed on your local computer
- Docker installed on your local computer, to run the Splunk Enterprise container
Setting Up Splunk Enterprise
To configure Splunk Enterprise for TLS, obtain an SSL/TLS certificate, generate the private keys you need, and combine your certificate, any intermediate certificates, and the private key into the single file that Splunk expects for its server certificate.
Creating a Certificate in Zero SSL
You can create an SSL certificate from any certificate provider. The instructions below are for creating an SSL certificate issued by Zero SSL.
- Go to Zero SSL.
- Open the SSL Certificates panel.
- Click New Certificate.
- Provide a valid domain for the certificate, then click Next Step until the Verify Domain dialog appears. The domain must be the DNS name that the Delinea Platform will use in the webhook Endpoint URL; a name mismatch fails TLS validation later.
- In the Verify Domain dialog, select HTTP File Upload and follow the instructions.
- Select Next Step.
- In the Verify Domain dialog, check the details for the certificate verification and click Verify Domain.
- Once done, go to the Certificates panel, select your certificate, and download it. If Zero SSL generated the CSR for you, the download also contains the matching private key; keep it, because only that key works with this certificate.
Configuring a Certificate in OpenSSL
To configure a certificate in OpenSSL, generate the private key (private.pem), the caCertificateFile (certificate.pem), and the full chain (full_chain.pem) files.
Generating a Private Key
To generate a private key file in OpenSSL:
- Copy the downloaded certificate to the Splunk certificate directory on your local computer. For example:
C:\Program Files\Splunk\etc\auth\sloccerts
- Verify that you have OpenSSL installed on your computer.
- Depending on your operating system, open a terminal or a command prompt.
- Navigate to the directory where you want to generate the private key. You can use the cd command to change directories.
- Run the following command to generate a private key:
openssl genpkey -algorithm RSA -out private.key
The command generates an RSA private key (2048 bits unless you pass -pkeyopt rsa_keygen_bits:<size>) and saves it to private.key. Because this key identifies your Splunk server, generate it on the machine where it will be used and keep its file permissions restricted to the account that runs Splunk. The private key placed in full_chain.pem must be the one that belongs to the certificate: if your certificate provider generated the CSR, use the key from its download instead of a new one. The next section signs with a separate CA key, ca_private_key.pem; create it with the same command, changing only the -out file name.
Generating a caCertificateFile
To generate a caCertificateFile, create a Certificate Signing Request (CSR) and then self-sign it. Open a terminal or a command prompt and run the following commands:
- To generate a Certificate Signing Request (CSR):
openssl req -new -key ca_private_key.pem -out ca_csr.pem
This command generates a CSR using the private key ca_private_key.pem and saves it to ca_csr.pem. OpenSSL prompts for the subject fields.
- To self-sign the CSR:
openssl x509 -req -days 365 -in ca_csr.pem -signkey ca_private_key.pem -out ca_certificate.pem
The result, ca_certificate.pem, is a self-signed certificate valid for 365 days. It is the file the inputs.conf example below references as caCertFile (there named certificate.pem); use one name consistently and track the expiry date.
Generating a full_chain.pem file
A full_chain.pem file combines your SSL/TLS certificate, any intermediate certificates supplied by your CA, and the private key into a single file, which is the layout Splunk accepts for its server certificate. The order of the certificates is crucial: the server certificate comes first, followed by the intermediate certificate(s). Because the file contains the private key, treat it as a secret: keep it readable only by the account that runs Splunk, and never distribute it as a CA or trust file.
Assuming you have the following components:
- Your SSL/TLS certificate (for example, your_certificate.crt)
- Intermediate certificate(s) (if provided by your Certificate Authority)
- Your private key (for example, private.key)
To generate a full_chain.pem file using these components:
- Run the following command in the Splunk certificate directory on your computer. Replace your_certificate.crt with the actual name of your SSL/TLS certificate file, intermediate.crt with the name of any intermediate certificate file (if applicable), and private.key with the name of your private key file:
cat your_certificate.crt intermediate.crt private.key > full_chain.pem
On Windows, use the type command with the same file list in a Command Prompt. In Windows PowerShell 5.1, the > operator writes UTF-16 text, which OpenSSL and Splunk cannot parse; write the file with Set-Content using -Encoding ascii, or run the command in PowerShell 7, which writes UTF-8.
Ensure that you concatenate the files in the correct order: certificate, intermediate certificate(s), and finally the private key.
- After you create the full_chain.pem file, reference it in your Splunk TLS settings as the serverCert value. Do not point sslRootCAPath (in server.conf) or caCertFile at this file: those settings take trusted CA certificates only, and this file contains your private key.
- Go to the Splunk directory on your local computer. Splunk reads local overrides from $SPLUNK_HOME/etc/system/local/ (or from an app's local/ directory); do not edit the files under etc/system/default.
- Open the inputs.conf file and add the HEC stanza:
[http]
disabled = 0
index = main
enableSSL = 1
port = [port]
privKeyPath = $SPLUNK_HOME/etc/auth/sloccerts/private.key
serverCert = $SPLUNK_HOME/etc/auth/sloccerts/full_chain.pem
caCertFile = $SPLUNK_HOME/etc/auth/sloccerts/certificate.pem
sslPassword = [SSL password]
sslPassword is needed only if the private key is encrypted; Splunk encrypts the clear-text value in the file on the next restart. Keep the file names consistent with the ones you generated above.
- Open the web.conf file and specify the following settings. These apply to Splunk Web (the browser UI on port 8000), not to the HEC listener:
[settings]
enableSplunkWebSSL = true
httpport = [http port]
enableSplunkWebSSLDebug = true
- Restart your Splunk server.
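Before restarting Splunk, it is worth linting the PEM files you just assembled. The following Python script is an added example, not part of the original page or of Splunk; it checks only the structure of the bundles (server certificate first, exactly one private key in full_chain.pem, no private key in the caCertFile, and the UTF-16 encoding that Windows PowerShell 5.1 writes with the > operator), using constructed fake PEM payloads as input. It does not verify that the key belongs to the certificate; use openssl for that.

```python
"""Structural lint for the PEM files handed to Splunk.

Added example (not from the original page or from Splunk). It checks block order,
block types and file encoding only; it does NOT check that the private key belongs
to the certificate. Sample inputs below are constructed with fake base64 payloads.
"""
import re
from typing import List, Tuple

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def decode_pem_bytes(data: bytes) -> Tuple[str, List[str]]:
    """Decode file bytes to text, flagging the UTF-16 output that Windows
    PowerShell 5.1 produces with '>' redirection (OpenSSL and Splunk reject it)."""
    findings: List[str] = []
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        findings.append("file is UTF-16 with BOM; rewrite it as ASCII/UTF-8")
        return data.decode("utf-16"), findings
    return data.decode("utf-8", errors="replace").lstrip("\ufeff"), findings


def pem_labels(text: str) -> List[str]:
    """Return the label of every PEM block (CERTIFICATE, PRIVATE KEY, ...) in file order."""
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if not re.fullmatch(r"[A-Za-z0-9+/=\r\n]+", body):
            raise ValueError(f"{label} block contains non-base64 data")
        labels.append(label)
    return labels


def lint_server_bundle(data: bytes) -> List[str]:
    """serverCert / full_chain.pem: server certificate first, intermediates next,
    exactly one private key. An empty result means the layout is sane."""
    text, findings = decode_pem_bytes(data)
    labels = pem_labels(text)
    if not labels:
        return findings + ["no PEM blocks found"]
    if labels[0] != "CERTIFICATE":
        findings.append(f"first block is '{labels[0]}'; the server CERTIFICATE must come first")
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    if "ENCRYPTED PRIVATE KEY" in keys:
        findings.append("private key is encrypted; inputs.conf needs the matching sslPassword")
    return findings


def lint_ca_file(data: bytes) -> List[str]:
    """caCertFile / certificate.pem is trust material: certificates only.
    A private key here is a leaked secret, not a configuration detail."""
    text, findings = decode_pem_bytes(data)
    labels = pem_labels(text)
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block in CA file")
    findings += [f"'{lbl}' block in CA file: remove it and rotate that key"
                 for lbl in labels if lbl.endswith("PRIVATE KEY")]
    return findings


# --- constructed sample files (fake payloads, not real keys or certificates) ---
def _block(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF = _block("CERTIFICATE", "MIIBleafCERTIFICATEsample0000/+==")
INTERMEDIATE = _block("CERTIFICATE", "MIIBintermediateCAsample00000==")
KEY = _block("PRIVATE KEY", "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCsample==")

GOOD_FULL_CHAIN = (LEAF + INTERMEDIATE + KEY).encode()
KEY_FIRST_CHAIN = (KEY + LEAF).encode()
UTF16_CHAIN = (LEAF + KEY).encode("utf-16")  # what PowerShell 5.1 '>' writes
LEAKY_CA_FILE = (INTERMEDIATE + KEY).encode()

if __name__ == "__main__":
    for name, check, data in [
        ("full_chain.pem", lint_server_bundle, GOOD_FULL_CHAIN),
        ("key-first bundle", lint_server_bundle, KEY_FIRST_CHAIN),
        ("utf-16 bundle", lint_server_bundle, UTF16_CHAIN),
        ("certificate.pem", lint_ca_file, LEAKY_CA_FILE),
    ]:
        print(f"{name}: {check(data) or 'ok'}")
```

Run it against your real files by reading them as bytes and passing them to lint_server_bundle (for full_chain.pem) and lint_ca_file (for certificate.pem); any finding should be fixed before Splunk is restarted, since a private key in the CA file is a leak and not a typo.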
Integrating Webhooks and Splunk Enterprise
After you have generated and managed certificates, you can set up integration between Splunk Enterprise and Delinea Platform webhooks.
Configuring Splunk Enterprise HTTP Event Collector
- Install Docker and pull the Splunk Enterprise image. See the Splunk Enterprise official documentation.
- Run Splunk Enterprise in a container with an extra port exposed for the HTTP Event Collector (HEC) using the following command:
docker run -d -p 8000:8000 -p 8088:8088 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD=[password] splunk/splunk:latest
Port 8000 is Splunk Web and port 8088 is the HEC listener. The certificate files and the inputs.conf and web.conf settings from the previous section must exist inside the container, where $SPLUNK_HOME is /opt/splunk, for example by bind-mounting your sloccerts directory with -v. For anything beyond a local test, pin the image to a specific version instead of latest.
- Log in to your Splunk Enterprise account with admin permissions.
- On the Quick links tab, click Add Data.
- Select Monitor.
- From the left panel, select HTTP Event Collector.
- In the HTTP Event Collector form, specify the required details (a name, and optionally a source type and the index the token may write to, which should match the index set in inputs.conf) and select Next.
- Check the displayed details, then select Review.
- Select Submit.
- Go to Settings > Data inputs.
- In the Data inputs dialog, select HTTP Event Collector. In Global Settings, make sure All Tokens is Enabled; HEC is disabled by default on Splunk Enterprise.
- In the HTTP Event Collector dialog, copy the Token Value. You will use it when creating the webhook on the Delinea Platform. The token is a bearer credential: anyone who has it can write events into your index, so store it only in the webhook configuration and rotate it if it is exposed.
Creating Webhooks for Splunk Enterprise
- Log in to the Delinea Platform.
- From the left navigation menu, select Settings > Webhooks.
- On the Webhooks page, select Create Webhook. The Create Webhook dialog opens.
- In the Create Webhook dialog, complete the following fields:
  - Name: Enter a unique name for the webhook to help identify it in your system.
  - Endpoint URL: The HEC endpoint of your Splunk Enterprise instance, in the form https://<splunk host>:8088/services/collector/event or https://<splunk host>:8088/services/collector/raw. The event endpoint requires a JSON body wrapped in an "event" field and the raw endpoint accepts any body, so choose the one that matches the payload the platform sends. The host name must match the certificate you installed, and the port must be the one set in the [http] stanza of inputs.conf.
  - Description: Enter a brief description of the webhook to provide context about its specific function.
  - Webhook State: Use the checkbox to enable or disable the webhook; checking it makes the webhook active and unchecking it disables notifications.
  - Triggers: Choose the Service, Level, and Event Type for your webhook subscription to receive notifications, and add the Target to the triggers.
  - Key: Enter Authorization. HEC authenticates every request with this header.
  - Value: Enter Splunk, a space, and the Token Value copied from HTTP Event Collector in Splunk Enterprise, for example Splunk <token value>. Treat this value as a secret.
- Provide other required details, then click Save.
- Verify the configured webhook on the Delinea Platform (see Testing a webhook).
For more information, see Webhook Management.
Troubleshooting
Issue:
The webhook test fails with an SSL error.
Cause:
The Delinea Platform could not validate the TLS certificate presented by the HEC endpoint. Typical reasons are a self-signed or otherwise untrusted certificate, a missing intermediate in full_chain.pem, a certificate whose name does not match the host in the Endpoint URL, or an expired certificate.
Solution:
- Fix the certificate on the Splunk side first: serve a certificate for the HEC host name issued by a CA the Delinea Platform trusts (the Zero SSL certificate from the setup section), with the complete chain in the serverCert file, and restart Splunk. Connecting to port 8088 with openssl s_client from another machine shows exactly which certificate and chain HEC presents.
- The following C# snippet disables server certificate validation in a .NET HttpClient. It is not a Splunk setting and does nothing in the Splunk directory; it belongs only in a throwaway test client you write yourself, and it makes that client accept any certificate, including an attacker's, so never ship it or treat it as the fix:
// C# / .NET: HttpClientHandler that accepts ANY server certificate.
// Test-only: this turns off TLS validation for the client that uses it.
var handler = new HttpClientHandler
{
    ClientCertificateOptions = ClientCertificateOption.Manual,
    // Returning true ignores every chain and hostname error in policyErrors.
    ServerCertificateCustomValidationCallback =
        (httpRequestMessage, cert, certChain, policyErrors) => true
};
using var client = new HttpClient(handler);
- Go back to the Delinea Platform and test the webhook created for Splunk Enterprise again.
- Confirm that the test returns a success alert, which shows that the webhook for Splunk Enterprise is configured correctly.
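The Python example below is added here and is not Delinea's or Splunk's code; it covers both the webhook fields above and this troubleshooting case. It builds the exact request the webhook must produce (an Authorization header holding Splunk <token> and a JSON envelope posted to /services/collector/event), rejects endpoint URLs that cannot work, decodes the code values in HEC's JSON responses, and sends the request with TLS validation kept on, taking a private CA file as input instead of disabling validation as the C# snippet does. The host name, token and event contents are placeholders.

```python
"""Build and check the HEC request that the Delinea webhook must produce.

Added example, not Delinea's or Splunk's code. Shows the Authorization header the
webhook's Key/Value fields must form, validates the Endpoint URL, decodes HEC's JSON
response codes, and sends over TLS with certificate validation kept ON (a private CA
file is passed in instead of disabling validation). Host name and token are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Subset of the "code" values HEC returns, as listed in Splunk's HEC troubleshooting docs.
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required",
    3: "Invalid authorization", 4: "Invalid token", 5: "No data",
    6: "Invalid data format", 7: "Incorrect index", 12: "Event field is required",
}


def webhook_header(token: str) -> Tuple[str, str]:
    """The Key/Value pair to enter in the Delinea webhook form: HEC expects
    'Authorization: Splunk <token>', not the bare token."""
    return "Authorization", f"Splunk {token}"


def check_hec_url(url: str) -> str:
    """Reject endpoint URLs that cannot work with enableSSL = 1."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("HEC endpoint must be https when enableSSL = 1")
    if not parts.path.startswith("/services/collector"):
        raise ValueError("path must be /services/collector/event or /services/collector/raw")
    return url


def build_hec_request(url: str, token: str, event: Dict, index: str = "main",
                      sourcetype: str = "delinea:webhook") -> urllib.request.Request:
    """JSON envelope for /services/collector/event; 'index' must be one the token may write to."""
    body = json.dumps({"event": event, "index": index, "sourcetype": sourcetype}).encode()
    key, value = webhook_header(token)
    return urllib.request.Request(check_hec_url(url), data=body, method="POST",
                                  headers={key: value, "Content-Type": "application/json"})


def classify_hec_response(status: int, body: bytes) -> str:
    """Turn HEC's {"text": ..., "code": N} into a readable verdict."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return f"HTTP {status}: non-JSON body (wrong path, or not a HEC listener)"
    return f"HTTP {status}: {HEC_CODES.get(code, f'code {code}')}"


def send_verified(req: urllib.request.Request, ca_file: Optional[str] = None,
                  timeout: float = 10) -> str:
    """Send with hostname and chain validation enabled. Pass ca_file only when the
    HEC certificate chains to a private CA; never replace validation with 'accept all'.
    This performs a network call and is not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_hec_response(err.code, err.read())


if __name__ == "__main__":
    # Placeholder host and token (assumptions for illustration only).
    req = build_hec_request("https://splunk.example.internal:8088/services/collector/event",
                            "00000000-0000-0000-0000-000000000000",
                            {"source": "Delinea Platform", "message": "webhook test"})
    print(req.get_header("Authorization"))
    print(classify_hec_response(403, b'{"text":"Invalid token","code":4}'))
```

If send_verified raises an ssl.SSLCertVerificationError, the HEC listener's certificate is the problem (untrusted issuer, wrong host name, or missing intermediate), which is the same condition the webhook test reports as an SSL error; a 403 with code 4 or code 1 means TLS is fine and the token in the Value field is wrong or disabled.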
Verifying Logs for Splunk Webhook
When you have ensured that webhooks are correctly configured for Splunk Enterprise, verify that the expected events were received through the webhook.
- Log in to your Splunk Enterprise account with admin permissions.
- From Apps, select Search & Reporting.
- In New Search, enter Delinea and press Enter. If nothing is found, widen the time range and restrict the search to the index configured in inputs.conf, for example index=main.
- Verify that the event is displayed.
- To verify the logs in the Delinea Platform, see Verifying a Webhook.