Configure BeyondTrust Privileged Remote Access for Integration with Splunk

The Splunk integration supports consumption of syslog output directly from the B Series Appliance.

To enable this, follow the steps below. These steps are completed in the BeyondTrust /appliance administrative interface.

  1. Access your BeyondTrust interface by going to the hostname of your B Series Appliance followed by /appliance, for example, https://access.example.com/appliance.
  2. Go to /appliance > Security > Appliance Administration and locate the Syslog section.
  3. Enter the hostname or IP address for your remote syslog server.
  4. Select your preferred message format.
  5. Click Submit.

Verify the API is Enabled

This integration requires the BeyondTrust XML API to be enabled. This feature is used by the BeyondTrust Middleware Engine to communicate with the BeyondTrust APIs.

Go to /login > Management > API Configuration and verify that Enable XML API is checked.

Create an OAuth API Account

The Splunk API account is used from within Splunk to make Privileged Remote Access Command API calls to Privileged Remote Access.

  1. In /login, navigate to Management > API Configuration.
  2. Click Add.

 

  1. Check Enabled.
  2. Enter a name for the account.
  3. The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in Splunk.
  4. Under Permissions, check the following:
    • Command API: Full Access.
    • Reporting API: Allow Access to Support Session Reports and Recordings, and Allow Access to Presentation Session Reports and Recordings.
  5. Click Save at the top of the page to create the account.
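
Added example (not BeyondTrust or Splunk code): a Python check that the new account's OAuth Client ID and OAuth Client Secret can obtain a token and reach the Command API before they are entered in Splunk. The /oauth2/token and /api/command paths, the check_health action, and the PRA_* environment variable names are assumptions not stated on this page; confirm the paths against the API guide for your appliance version.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Assumption: these endpoint paths are not stated on this page; confirm
# them against the API guide for your appliance version.
TOKEN_PATH = "/oauth2/token"
COMMAND_PATH = "/api/command"


def build_token_request(host, client_id, client_secret):
    """Client-credentials token request; ID and secret go in a Basic header."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        f"https://{host}{TOKEN_PATH}",
        data=body,
        method="POST",
        headers={"Authorization": f"Basic {basic}"},
    )


def build_health_request(host, access_token):
    """Read-only Command API call used only to prove the token is accepted."""
    query = urllib.parse.urlencode({"action": "check_health"})
    return urllib.request.Request(
        f"https://{host}{COMMAND_PATH}?{query}",
        headers={"Authorization": f"Bearer {access_token}"},
    )


def verify_account(host, client_id, client_secret, opener=urllib.request.urlopen):
    """Return the HTTP status of the health call made with a fresh token."""
    with opener(build_token_request(host, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with opener(build_health_request(host, token)) as resp:
        return resp.status


if __name__ == "__main__":
    # Read the secret from the environment so it stays out of shell history.
    status = verify_account(
        os.environ["PRA_HOST"],
        os.environ["PRA_CLIENT_ID"],
        os.environ["PRA_CLIENT_SECRET"],
    )
    print("Command API reachable, HTTP", status)
```

An HTTP 401 from the token request usually means the account is not enabled or the secret was copied incorrectly.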