Set up Splunk to receive audits.
1. Visit Admin → Connections and click New connection
2. Select Splunk
3. Provide a name and configuration
You can optionally add tags (e.g. dev). Then add the Splunk configuration information. You can get more information about setting up and using the Splunk HTTP Event Collector in the Splunk documentation.
Next, add one or more target Splunk channels.
1. Visit Admin → (Audits) Channels and click Splunk
2. Set up the configuration options
For example, the above will create the Splunk Audit channel, which uses the Splunk connection to move audits to Splunk with the lenses-audits source.
For example, if you create a rule to send audits to Splunk, an HTTP API call is made to the Splunk endpoint the moment a new audit entry is added.
Users with the manage audit log permission can create audit channels.
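Before saving the connection, it helps to confirm that the HTTP Event Collector URL and token accept an event tagged with the lenses-audits source. The following is an added example, not code from the product: the function names, the sample event and the refusal of plain-HTTP URLs are assumptions of this sketch, and the real audit payload format is not shown on this page.

```python
import json
import ssl
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"   # Splunk HEC JSON event endpoint
# Constructed sample event; the real audit payload fields are not shown on this page.
SAMPLE_EVENT = {"note": "constructed connectivity test, not a real audit entry"}

def build_hec_request(base_url, token, event, source="lenses-audits"):
    """Build the POST that delivers one event to the HTTP Event Collector."""
    if not base_url.lower().startswith("https://"):
        # Choice made by this example: the token is a bearer secret sent in
        # a header, so never send it over plain HTTP.
        raise ValueError("HEC URL must use https")
    payload = {"event": event, "source": source}
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

def hec_accepted(status, body):
    """HEC replies HTTP 200 with {"text":"Success","code":0} on acceptance."""
    try:
        reply = json.loads(body)
    except ValueError:          # HTML error page, proxy banner, empty body
        return False
    return status == 200 and isinstance(reply, dict) and reply.get("code") == 0

def send_test_event(base_url, token, timeout=5):
    """Send SAMPLE_EVENT with certificate verification on; True if accepted."""
    req = build_hec_request(base_url, token, SAMPLE_EVENT)
    ctx = ssl.create_default_context()      # verifies the server certificate
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return hec_accepted(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # e.g. 403 {"text":"Invalid token","code":4}
        return hec_accepted(err.code, err.read())
    except urllib.error.URLError:           # DNS, TLS or connection failure
        return False
```

Call `send_test_event` with your own HEC base URL and token, then search Splunk for the lenses-audits source to confirm the test event was indexed.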