Configuration
To use the Splunk Cloud integration, you must create an HTTP Event Collector (HEC), which lets you send data and application events to a Splunk deployment over HTTP or HTTPS. For more details, refer to the official Splunk documentation.
Creating an HTTP Event Collector (HEC) in Splunk Cloud
To create an HTTP Event Collector:
1. Log in to Splunk Cloud as an Administrator.
2. Select the Settings tab, then select Add Data.
3. Select Monitor.
4. In the dialog, select HTTP Event Collector.
5. Fill in the form for the new HTTP Event Collector.
6. Select Next > Preview.
7. Verify the details for the newly created HTTP Event Collector and select Submit.
8. Go back to Settings and select Data inputs.
9. Choose your HTTP Event Collector and note down the token value.
10. Select Global Settings on the HTTP Event Collector page and note down the HTTP port number. This is typically 443 or 8088.
11. Note down your Splunk Cloud URL. The expected format is https://yourSplunkCloudUrl.splunkcloud.com:portNumber.
Configuring an HTTP Event Collector (HEC) Connection in Privilege Manager
The Send policy feedback option needs to be enabled on all policies that are supposed to send Syslog-formatted events.
To configure an HEC connection in Privilege Manager:
1. Navigate to Admin > Configuration and select the Foreign Systems tab.
2. In the Syslog page, select Create. Provide a name and the Splunk Cloud URL with the port number from step 11 in Creating an HTTP Event Collector (HEC) in Splunk Cloud. Once the connection is created, you can use Edit to change any of the configuration settings.
3. From the Protocol list, select HEC.
   Only one HEC (HTTP Event Collector) Syslog connection is supported at a given time in Privilege Manager. If multiple HEC connections are added, the most recently modified token will be used.
4. The URL should already be populated.
5. Make sure to add services/collector/event to the Endpoint Path field. In the Token field, enter the token value from step 9 in Creating an HTTP Event Collector (HEC) in Splunk Cloud. After you enter the token, select the update button next to the Token field and save the connection.
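Before saving the connection in Privilege Manager, it is useful to confirm that the URL, port, endpoint path and token from the steps above are accepted by Splunk. The following script is an added example, not part of the original page or of Privilege Manager: it builds the HEC request exactly as the connection will (the token in the Authorization header, the event as JSON posted to services/collector/event) and translates Splunk's documented HEC reply codes into a pass/fail result. The host name, sourcetype and token placeholder are constructed values.

```python
"""Send one test event to a Splunk Cloud HEC and interpret the reply (added example)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HEC_ENDPOINT_PATH = "services/collector/event"  # value entered in the Endpoint Path field

# Reply codes documented for the Splunk HEC; anything not listed is reported verbatim.
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required",
    3: "Invalid authorization", 4: "Invalid token", 6: "Invalid data format",
    7: "Incorrect index", 8: "Internal server error", 17: "HEC is healthy",
}

def hec_url(base_url, endpoint_path=HEC_ENDPOINT_PATH):
    """Join the Splunk Cloud URL (scheme, host, port) with the HEC endpoint path."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https":
        raise ValueError("use https so the HEC token is not sent in clear text")
    if not parts.port:
        raise ValueError("include the HEC port (typically 443 or 8088) in the URL")
    return f"https://{parts.hostname}:{parts.port}/{endpoint_path.strip('/')}"

def build_request(base_url, token, message, sourcetype="privilege_manager:test"):
    """Token goes in the Authorization header, never in the query string (URLs get logged)."""
    body = json.dumps({"event": message, "sourcetype": sourcetype}).encode()
    return urllib.request.Request(
        hec_url(base_url), data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})

def interpret_reply(reply_text):
    """Map the HEC JSON reply to (ok, explanation) using the documented code table."""
    try:
        reply = json.loads(reply_text)
    except ValueError:
        return False, "non-JSON reply (wrong URL or endpoint path?)"
    code = reply.get("code")
    return code == 0, f"{code}: {HEC_CODES.get(code, reply.get('text', 'unknown'))}"

def send_test_event(base_url, token, timeout=10):
    """POST a connectivity test event; HEC signals token problems with a 4xx plus JSON body."""
    req = build_request(base_url, token, "Privilege Manager HEC connectivity test")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_reply(resp.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_reply(err.read().decode())

if __name__ == "__main__":
    import sys  # usage: python hec_check.py https://example.splunkcloud.com:8088 <token>
    ok, why = send_test_event(sys.argv[1], sys.argv[2])
    print("OK" if ok else "FAILED", why)
```

A reply of 0 means the token and endpoint path are correct and the event will appear in Splunk; 3 or 4 points at the token entered in step 5, and a non-JSON reply usually means the URL or Endpoint Path is wrong.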
Refer to the Splunk Documentation for port numbers suitable for Splunk Enterprise or other configurations of Splunk specific to your organization.
To learn how to set up Syslog Server Tasks to start sending messages to your Splunk Cloud instance, refer to the Syslog Server Tasks documentation.