Splunk HEC Setup
Integration to send p0 audit logs to splunk instance.
Last updated
This topic describes how to set up P0's integration with the Splunk HEC (HTTP Event Collector) exporter. Before you begin, you need the following:
Existing P0 account at p0.app
Splunk Instance Admin Role
Public-facing Splunk instance with HEC endpoint secured by an SSL certificate.
The SSL certificate must be signed by a trusted Certificate Authority (CA) to ensure secure communication. Self-signed certificates are not allowed by P0 Security.
Splunk HEC Token
This setup takes about 5 minutes.
Navigate to "Integrations" on p0.app, then select "Splunk" under "Security Information & Event Managers" section. Choose the "HTTP Event Collector" component:
Click on "Add Token" to install.
Enter a unique custom identifier for the token and click "Next":
Enter the desired configuration and click "Finish" to complete the installation. See the configuration section for information about the settings.
HTTPS endpoint with a valid SSL certificate. The instance port number required to form the URL can be found in the "Global Settings" within the HEC Settings page.
example: https://hec.example.com:8088/
Tokens are 32-character GUIDs that let logging agents and HTTP clients connect to the HEC input.
Refer to the official Splunk documentation for detailed instructions: Set up HTTP Event Collector.
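A pre-flight check for the two settings above, added here as an example and not part of P0's or Splunk's own tooling: it validates the endpoint URL and token format, then posts one test event to the standard HEC path with CA verification enabled, so a self-signed certificate fails the same way it would with P0. The hostname, port and token values are constructed; the `/services/collector/event` path and `Authorization: Splunk <token>` header are Splunk's documented HEC interface.

```python
import json
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# A HEC token is a GUID: 32 hex characters in 8-4-4-4-12 grouping.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def validate_hec_endpoint(url):
    """Return the HEC event URL for a base URL like https://hec.example.com:8088/,
    or raise ValueError when the URL would be rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("HEC endpoint must use https")
    if parsed.port is None:
        raise ValueError("HEC endpoint needs an explicit port (see HEC Global Settings)")
    if parsed.path not in ("", "/"):
        raise ValueError("give the base URL only; the collector path is appended here")
    return f"https://{parsed.hostname}:{parsed.port}/services/collector/event"


def endpoint_problem(url):
    """Same check, but return the error message (or None) instead of raising."""
    try:
        validate_hec_endpoint(url)
        return None
    except ValueError as exc:
        return str(exc)


def validate_hec_token(token):
    """True when the token has the GUID shape Splunk issues."""
    return GUID_RE.match(token) is not None


def send_test_event(base_url, token, event="p0 hec connectivity check"):
    """POST one event to HEC. create_default_context() verifies the server
    certificate against the system CA bundle, so a self-signed cert raises."""
    if not validate_hec_token(token):
        raise ValueError("token is not a 32-character GUID")
    ctx = ssl.create_default_context()
    body = json.dumps({"event": event, "sourcetype": "p0:audit:test"}).encode()
    req = urllib.request.Request(
        validate_hec_endpoint(base_url), data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)  # Splunk answers {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Constructed values; replace with your instance's endpoint and token.
    print(send_test_event("https://hec.example.com:8088/", "B5A79AAD-D822-46CC-80D1-819F80D7BFB0"))
```

A `ssl.SSLCertVerificationError` from `send_test_event` means the HEC certificate is not trusted by a public CA and the P0 integration will fail the same way; fix the certificate rather than disabling verification.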
Congratulations! You are now set up with Splunk audit logs integration.