This article outlines the steps required to ship Cloud Control Center audit logs to Splunk
Cloud Control Center audit logs can be shipped to Splunk by using the Splunk connector. Audit logs include Cloud Control Center authentication events, device attach events, consistency error events, and more.
Minimum Cloud Control Center version 14.8
- Splunk HTTP Event Collector Token
- Splunk HTTP Event Collector IP and Port (or other supported HTTP Event Collectors such as Cribl)
- Inbound firewall rules/NAT to allow Cloud Control Center to reach the Event Collector
1. Log into Splunk and navigate to Settings > Data Inputs
2. Select HTTP Event Collector in the list of options
3. Select New Token on the Data Inputs page
4. Give the token a name of your choice. You can leave the rest of the settings at their default values and select Next at the top.
5. Select the Splunk index you wish to use or create a new one and move it from the Available Items list to the Selected Items list. You can leave the rest of the settings at their default values and select Review at the top.
6. Review the configuration changes for accuracy and select Submit.
7. Go back to the HTTP Event Collector page to collect the newly generated token.
If leveraging Cribl as your HTTP Event Collector, you can find or generate a new Token Value in Data -> Sources -> Splunk -> HEC -> Configure -> Auth Tokens as seen below.
Be sure to use the IP and Port of your Cribl HEC Collector when configuring the connector in Cloud Control Center as shown in the next section.
Elisity Cloud Control Center Instructions
1. Log into Cloud Control Center and select Connectors on the left side navigation pane. Select + Connectors to add a new connector for Splunk.
2. Click Configure on the Splunk connector tile.
3. Provide the Splunk, or Cribl HTTP Event Collector IP or FQDN, Port, the Token you generated earlier as well as the Index you specified in step 5 of the Splunk instructions and select Submit.
If your Splunk instance does not have a certificate installed, you must select Ignore Certificate.
4. The Splunk connector should now be listed and show up as Active.
5. You should now be able to see Cloud Control Center audit logs show up in Splunk.