Latest version: 4.3.x
Splunk (Audits)
Set up Splunk to receive audits.
Set up
1. Visit Admin → Connections and click New connection
2. Select Splunk
3. Provide a name and configuration
Lenses integrates with Splunk’s HTTP Event Collector API.
You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, you need to create an HTTP Event Collector token within Splunk. This token must not have “Enable indexer acknowledgment” turned on.
Add channel
Next, add one or more target Splunk channels.
1. Visit Admin → (Audits) Channels and click Splunk
2. Set up the configuration options
For example, the above will create the Splunk Audit channel, which will use the Splunk connection to create events in Splunk for all Lenses audits, with a Splunk event source value of lenses-audits.
An example
If, for example, you create a rule to send audits to Splunk, then the moment a new audit entry is added, an HTTP API call is made to the Splunk endpoint.
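A pre-flight check for the HTTP Event Collector host, port and token described under Set up, given here as an added example and not as Lenses' own code. It posts one test event to Splunk's /services/collector/event endpoint with the lenses-audits source and maps the HEC reply code to a configuration hint, including the reply Splunk gives when the token has indexer acknowledgment enabled. The function names and the event body are assumptions made for illustration; the body is a constructed sample, not the format Lenses sends.

```python
import json
import ssl
import urllib.error
import urllib.request

# HEC reply codes documented by Splunk, mapped to what to fix.
HEC_HINTS = {
    0: "ok: token accepted the event",
    1: "token is disabled in Splunk",
    3: "Authorization header malformed (expected 'Splunk <token>')",
    4: "token not recognised by this HEC endpoint",
    7: "token is not allowed to write to the target index",
    10: "token has 'Enable indexer acknowledgment' on; turn it off",
}

def build_request(host, port, token, source="lenses-audits", use_tls=True):
    """Build one HEC test event; the event body is a constructed sample."""
    scheme = "https" if use_tls else "http"
    payload = {"source": source, "event": {"check": "hec-preflight"}}
    return urllib.request.Request(
        f"{scheme}://{host}:{port}/services/collector/event",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def diagnose(body):
    """Turn an HEC JSON reply into a configuration hint."""
    try:
        reply = json.loads(body)
        code = reply["code"]
    except (ValueError, KeyError, TypeError):
        return "unexpected reply: is this host/port really an HEC endpoint?"
    return HEC_HINTS.get(code, f"HEC code {code}: {reply.get('text', '')}")

def preflight(host, port, token, ca_file=None):
    """Send the test event with TLS certificate verification left on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_request(host, port, token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return diagnose(resp.read())
    except urllib.error.HTTPError as err:  # HEC answers 4xx with JSON too
        return diagnose(err.read())
```

Run preflight(host, port, token) from a machine that can reach Splunk before creating the connection in Lenses; pass ca_file when the endpoint uses a private CA instead of disabling verification.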
Additional info
Users with the manage audit log permission can create audit channels.