Latest version: 4.3.x
Setup Splunk to receive audits.
1. Visit Admin → Connections and click New connection
2. Select Splunk
3. Provide a name and configuration
Lenses integrates with Splunk’s HTTP Event Collector API.
You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, you need to create a HTTP Event Collector Token within Splunk - this token must not have “Enable indexer acknowledgment” turned on.
Next add one or multiple target Splunk channels.
1. Visit Admin → (Audits) Channels and click Splunk
2. Setup the configuration options
For example the above will create the
Splunk Audit channel, that will use the Splunk connection to create events
in Splunk for all Lenses audits, with a Splunk event
source value of
If for example you create a rule to send audits to Splunk, then the moment a new audit entry is added, an HTTP API call will be made to the Splunk endpoint.
Users with the manage audit log permission can create audit channels.