# Splunk HEC Setup

This topic describes how to set up P0's integration with the Splunk HEC (HTTP Event Collector) exporter. It contains the following sections:

* [Prerequisites](#prerequisites)
* [Setup Splunk HEC Token](#setup-splunk-hec-token)
* [Configure Splunk HEC Token](#configuring-splunk-hec-token)

### Prerequisites

* Existing P0 account at [p0.app](https://p0.app/)
* Splunk Instance Admin Role
* Public-facing Splunk instance with HEC endpoint secured by an SSL certificate.
  * The SSL certificate must be signed by a trusted Certificate Authority (CA) to ensure secure communication. Self-signed certificates are not allowed by P0 Security.
* Splunk HEC Token

### Setup Splunk HEC Token

{% hint style="info" %}
This setup takes about 5 minutes.
{% endhint %}

1. Navigate to "Integrations" on [p0.app](https://p0.app), then select "Splunk" under the "Security Information & Event Managers" section. Choose the "HTTP Event Collector" component:

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-b659dd821c3aadc87996c323e2579420c6dbb419%2FScreenshot%202025-01-24%20at%203.18.10%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>
2. Click on "Add Token" to install.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-86505f36fd6058134f763a2d95f5a7123db65cc3%2FScreenshot%202025-01-24%20at%203.21.07%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>
3. Enter a unique custom identifier for the token and click "Next":

<div align="center" data-full-width="true"><figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-ca39e0edfab12ef90fd518763b6f2cab7df08597%2FScreenshot%202025-01-24%20at%203.24.19%E2%80%AFPM.png?alt=media" alt="" width="563"><figcaption></figcaption></figure></div>

4. Enter the desired configuration and click "Finish" to complete the installation. See the [configuration section](#configuring-splunk-hec-token) for information about the settings.

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-4d98cb8dff291faffbee583e6db463cf95c471a3%2FScreenshot%202025-01-24%20at%203.25.25%E2%80%AFPM.png?alt=media" alt=""><figcaption></figcaption></figure>

### Configuring Splunk HEC Token

#### Endpoint:

An HTTPS endpoint with a valid SSL certificate. The instance port number required to form the URL can be found in "Global Settings" on the HEC Settings page.

{% hint style="info" %}
Example: <https://hec.example.com:8088/>
{% endhint %}

#### Token:

Tokens are 32-character GUIDs that let logging agents and HTTP clients connect to the HEC input.

{% hint style="info" %}
Refer to the official Splunk documentation for detailed instructions: [Set up HTTP Event Collector](https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/UsetheHTTPEventCollector).
{% endhint %}
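
Before entering the endpoint and token in P0, you can check them from any machine with Python. The script below is an added example, not part of P0 or Splunk: it flags an endpoint that is not HTTPS or has no port, flags a token that is not in GUID form, and posts one test event using the system CA store, so a self-signed certificate fails the same way it would for P0. The function names and sample values are assumptions made for this example.

```python
import json
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# 32 hex characters in the usual 8-4-4-4-12 GUID layout.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_settings(endpoint, token):
    """Return a list of problems with the endpoint URL and token (empty if none)."""
    problems = []
    try:
        url = urlsplit(endpoint)
        if url.scheme != "https":
            problems.append("endpoint must use https")
        if not url.hostname:
            problems.append("endpoint has no host")
        if url.port is None:
            problems.append("endpoint has no port (see HEC Global Settings)")
    except ValueError:
        problems.append("endpoint is not a valid URL")
    if not GUID_RE.match(token):
        problems.append("token is not a 32-character GUID")
    return problems


def send_test_event(endpoint, token, timeout=10):
    """POST one test event to HEC and return Splunk's JSON reply."""
    problems = check_settings(endpoint, token)
    if problems:
        raise ValueError("; ".join(problems))
    # The default context verifies the chain against the system CA store and
    # checks the hostname, so a self-signed certificate raises URLError here.
    ctx = ssl.create_default_context()
    req = urllib.request.Request(
        endpoint.rstrip("/") + "/services/collector/event",
        data=json.dumps({"event": "P0 HEC connectivity test"}).encode(),
        headers={"Authorization": "Splunk " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)  # on success Splunk replies {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Constructed sample values; replace with your own endpoint and token.
    print(check_settings("https://hec.example.com:8088/",
                         "00000000-0000-0000-0000-000000000000"))
```

Call `send_test_event(endpoint, token)` with your real values to exercise the TLS handshake and the token; the test event then appears in the index configured for that token.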

{% hint style="success" %}
Congratulations! You are now set up with Splunk audit logs integration.
{% endhint %}
