Splunk Integration

Splunk is a software product that enables you to search, analyze, and view the data gathered from the components of your IT infrastructure or business. Splunk collects data from websites, applications, sensors, devices, and so on. After you define the data source, in this case Perimeter 81, Splunk indexes the data stream and parses it into a series of individual events that you can view and search.

This article walks you through configuring Splunk in order to have full visibility of your Perimeter 81 activity. Follow the steps below:

    • Set up an HTTP Event Collector in Splunk Web
    • Configure Perimeter 81
    • Possible Error Codes and how to deal with them

Set up and use HTTP Event Collector in Splunk Web

The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.

After you enable HEC, you can use HEC tokens in your app to send data to HEC. You do not need to include Splunk credentials in your app or supported files. The token itself is still a bearer credential: anyone holding it can write events to the indexes it is allowed to use, so store it like a password and create a dedicated token for the Perimeter 81 integration rather than reusing one from another source.

1. Enable HTTP Event Collector

Note: According to official Splunk documentation, Managed Splunk Cloud customers may need to contact Splunk support in order to perform this step.

  • Click Settings > Data Inputs.
  • Click HTTP Event Collector.
  • Click Global Settings.

[Screenshot: HTTP Event Collector Global Settings]

  • In the All Tokens toggle button, select Enabled.
  • To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox (this is enabled by default in Splunk Cloud and can be disabled in Splunk Enterprise only). Keep it enabled unless you have a specific reason not to: over plain HTTP the HEC token is sent in the Authorization header in cleartext, along with your Perimeter 81 activity logs.
  • Click Save.

2. Create an Event Collector Token

  • Click Settings > Add Data.
  • Click Monitor.
  • Click HTTP Event Collector.
  • In the Name field, enter a name for the token.
  • Make sure indexer acknowledgment is disabled for this token. With acknowledgment enabled, HEC requires an X-Splunk-Request-Channel header on every request, which the Perimeter 81 integration does not send, and events are rejected with "Data channel is missing" (see the error table below).
  • Click Next. Under Input Settings, choose the index the Perimeter 81 events should be written to; the token can only write to the indexes you allow here.
  • Click Review.
  • Confirm that all settings for the endpoint are what you want.
  • If all settings are what you want, click Submit. 

Configure Perimeter 81

You need to configure the integration from the Perimeter 81 side. (Note: only Perimeter 81 Enterprise users can integrate with Splunk.)

1. Log in to your Perimeter 81 management dashboard, and navigate to Settings and select Add at the Splunk row.


2. Fill in according to the following:


  • HEC Host: Insert the value for your Splunk tier (replace {hostname} with your Splunk server hostname):
      Self-service Splunk Cloud: input-{hostname}
      Managed Splunk Cloud: http-inputs-{hostname} (the "http-" prefix is part of the hostname regardless of whether the actual protocol is HTTP or HTTPS)
      Splunk Enterprise: {hostname}
  • HEC port: 8088 by default; use the port you configured in the HEC Global Settings in Splunk.
  • Protocol: HTTP or HTTPS, according to the Enable SSL setting you configured in Splunk.
  • Verify Server SSL Certificate (HTTPS only): Enable this whenever HEC presents a CA-signed certificate. Disable it only if you are using a self-signed certificate, and be aware of what that means: Perimeter 81 will then accept any certificate for the HEC host, so a host that impersonates your Splunk endpoint could capture the token and the logs. Treat a disabled check as a temporary measure until a trusted certificate is in place.
  • HEC URI: Filled in automatically from the host, port and protocol above.
  • Authentication token: Insert the token you generated in Splunk.

3. Select Validate.

Possible Error Codes and how to handle them

The following status codes have particular meaning for all HTTP Event Collector endpoints. Splunk returns the status message in the JSON body of the response together with a numeric code; Validate surfaces the same messages.

HTTP status   Reason                Status message                       Action required
200           OK                    Success                              None.
400           Bad Request           Data channel is missing              Edit the token in Splunk and make sure Indexer Acknowledgement is unticked.
400           Bad Request           Error in handling indexed fields     Contact our support team indicating the error. We will examine the integration logs and further instruct you.
401           Unauthorized          Invalid authorization                Make sure you inserted a valid token.
403           Forbidden             Token disabled                       Enable the token in Splunk Web.
403           Forbidden             Invalid token                        Make sure you inserted a valid token.
500           Internal Error        Internal server error                Contact our support team indicating the error. We will examine the integration logs and further instruct you.
503           Service Unavailable   Server is busy                       There are too many requests pending in the Splunk server queue. Try again later.
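The following preflight script is an added example and is not Perimeter 81's or Splunk's own code. It lets you check a HEC endpoint yourself before pasting the values into the Perimeter 81 dashboard: it builds the HEC URI from the same tier rules as the HEC Host field above, POSTs one constructed test event with the token, and maps the reply to the action from the error table. The numeric "code" values are the ones Splunk's HEC returns in the JSON body for the messages in the table; the function names, the tier labels and the sample values are this example's own.

```python
"""Preflight check for a Splunk HEC endpoint before configuring Perimeter 81.

Added example (not Perimeter 81's or Splunk's code). Function names, tier
labels and sample values below are assumptions made for illustration.
"""
import json
import ssl
import urllib.error
import urllib.request

# HEC host prefix per Splunk tier, following the "HEC Host" rules in the article.
TIER_HOST_PREFIX = {
    "self-service-cloud": "input-",
    "managed-cloud": "http-inputs-",
    "enterprise": "",
}

# Numeric "code" from the HEC JSON body -> (status message, action from the table).
HEC_ACTIONS = {
    0: ("Success", "None."),
    1: ("Token disabled", "Enable the token in Splunk Web."),
    3: ("Invalid authorization", "Make sure you inserted a valid token."),
    4: ("Invalid token", "Make sure you inserted a valid token."),
    8: ("Internal server error", "Contact support indicating the error."),
    9: ("Server is busy", "Too many requests pending in the Splunk queue; try again later."),
    10: ("Data channel is missing", "Edit the token in Splunk and untick Indexer Acknowledgement."),
    15: ("Error in handling indexed fields", "Contact support indicating the error."),
}


def hec_host(tier: str, hostname: str) -> str:
    """Return the HEC hostname for a tier, e.g. http-inputs-acme.splunkcloud.com."""
    try:
        return TIER_HOST_PREFIX[tier] + hostname
    except KeyError:
        raise ValueError(f"unknown Splunk tier: {tier!r}") from None


def hec_url(tier: str, hostname: str, port: int = 8088, protocol: str = "https") -> str:
    """Build the HEC event URI (the value the dashboard fills in automatically)."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be 'http' or 'https'")
    return f"{protocol}://{hec_host(tier, hostname)}:{port}/services/collector/event"


def classify_response(status: int, body: str) -> tuple:
    """Map an HEC reply (HTTP status plus JSON body) to (status message, action)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None  # not a HEC JSON reply (proxy error page, empty body, ...)
    if code in HEC_ACTIONS:
        return HEC_ACTIONS[code]
    if status == 200:
        return ("Success", "None.")
    return (f"HTTP {status}", f"Unexpected reply {body!r}; contact support indicating the error.")


def send_test_event(url: str, token: str, verify_tls: bool = True, timeout: int = 10) -> tuple:
    """POST one constructed test event and return (http_status, body_text).

    verify_tls=False mirrors disabling "Verify Server SSL Certificate": the peer
    certificate is not checked, so an impersonated endpoint could capture the
    token. Use it only against a self-signed lab instance.
    """
    event = json.dumps({"event": {"source": "hec-preflight", "message": "test"},
                        "sourcetype": "_json"}).encode()
    req = urllib.request.Request(
        url, data=event, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        # HEC still returns the JSON body with the numeric code on 4xx/5xx.
        return e.code, e.read().decode()


if __name__ == "__main__":
    import sys
    # Usage: python hec_preflight.py managed-cloud acme.splunkcloud.com <token>
    tier, host, token = sys.argv[1:4]
    url = hec_url(tier, host)
    status, body = send_test_event(url, token)
    message, action = classify_response(status, body)
    print(f"{url} -> HTTP {status}: {message}. Action: {action}")
```

If the script reports "Data channel is missing", the token was created with indexer acknowledgment enabled; fix it in Splunk before trying Validate again. A 401 or 403 with "Invalid token" usually means the token was pasted with surrounding whitespace or belongs to a different Splunk instance.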
