Configure Splunk Event Forwarder

SIEM products, like Splunk HTTP Event Collector (EC), correlate information from an extensive list of security and operational solutions to gain visibility and context within an IT environment. This procedure documents how to integrate BeyondInsight and Splunk to help improve visibility and the decision-making processes with vulnerability data.

Events from BeyondTrust's Endpoint Privilege Management product can be forwarded to Splunk.

Vulnerability Management has been deprecated and will be removed from the product in a future version.

Configure the Splunk Event Forwarder Connector

As a prerequisite, you must configure an HTTP EC data source in Splunk and note the API key for the configuration settings in the following procedure.

  1. In BeyondInsight, go to Configuration > General > Connectors.
  2. From the Connectors pane, click Create New Connector.
  3. Enter a name for the connector.
  1. Select Splunk Event Forwarder from the Connector Type list.
  2. Click the toggle to enable the Active (yes) option. Check Enable Event Forwarding.
  3. Enter the following details for the Splunk server:
    • Host Name: (Required) The host name or IP address for your Splunk server.
    • Port: (Required) The port used to communicate with your Splunk instance. The default is 8088.
    • API Key: (Required) The Splunk API Key from your Splunk instance.
    • Index: The name of the data repository on the Splunk server.
    • Source Type: Data structure identifier for an event. The value is assigned to the event data collected.
    • Source: Source value to assign to the event data. For example, set this key to the name of the application you are gathering events from.
    • Host: The hostname of the client from which the data is forwarded.
  4. Expand Event Filters, and then select the events that you want to forward.
  5. Click Test Connector to send a test event message.
  6. Click Create Connector.

For more details on the parameters set in the connector, please see the Splunk product documentation.

View Events in Splunk

After the data is forwarded from BeyondInsight to Splunk, you can use the View, Search, and Report features in Splunk.

Screen capture showing a search for events in Splunk.

This example shows a search on OS set to Windows, Microsoft, Windows, 7 x64, Service Pack 1 and the output of all events that match on that search.

 

Screen capture of Search Results in Splunk

 

If there appears to be a discrepancy with the time of an event, verify that the Splunk host is configured to use UTC.

For more information, please see the Splunk Answers Forum.