# Splunk

Set up **Splunk** to receive audit logs from Lenses.

### Set up  <a href="#set-up" id="set-up"></a>

**1.** Visit **Admin → Connections** and click **New connection**

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/new_connection.png" alt="Lenses.io Connection" width="563"><figcaption></figcaption></figure>

**2.** Select **Splunk**

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/select_connection_splunk.png" alt="Splunk Connection" width="563"><figcaption></figcaption></figure>

**3.** Provide a name and configuration

Lenses integrates with Splunk's HTTP Event Collector (HEC) API.

You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, create an HTTP Event Collector token in Splunk for this connection; the token must not have “Enable indexer acknowledgment” turned on (with acknowledgment enabled, HEC expects every request to carry an `X-Splunk-Request-Channel` header and the client to poll for acknowledgments, which this connection does not do). Treat the token as a credential: it authorises every event posted in Lenses' name, so issue a dedicated token for Lenses rather than reusing one, and restrict it in Splunk to the index the audits should land in.

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/create_connection_splunk.png" alt="Splunk Connection" width="563"><figcaption></figcaption></figure>

### Add channel  <a href="#add-channel" id="add-channel"></a>

Next, add one or more target Splunk channels.

**1.** Visit **Admin → (Audits) Channels** and click **Splunk**

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/select_audit_channel_splunk.png" alt="Splunk audit channel" width="563"><figcaption></figcaption></figure>

**2.** Set up the configuration options

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/splunk_audit_details.png" alt="Splunk audit details" width="563"><figcaption></figcaption></figure>

For example, the above will create the `Splunk Audit` channel that will use the **Splunk** connection to create events in Splunk for all Lenses audits, with a Splunk event source value of `lenses-audits`.

### An example  <a href="#an-example" id="an-example"></a>

If, for example, you create a rule to send audits to Splunk, an HTTP API call will be made to the Splunk endpoint when a new audit entry is added.

### Splunk Webhook  <a href="#splunk-webhook" id="splunk-webhook"></a>

Send alerts from Lenses.io to **Splunk** through a Webhook connection that posts to the Splunk HTTP Event Collector (HEC).

#### Set up  <a href="#set-up-1" id="set-up-1"></a>

**1.** Visit **Admin → Connections** and click **New connection**

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/new_connection.png" alt="Lenses.io Connection" width="563"><figcaption></figcaption></figure>

**2.** Select **Webhook** (Note: use a Webhook connection for alerts and SIEM integration; for audit events use the native Splunk connection described above)

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/select_connection_webhook.png" alt="Webhook Connection" width="563"><figcaption></figcaption></figure>

**3.** Provide a name and configuration

Provide a name for the Connection, such as `SplunkWebhook`

Enter the DNS name or IP address of the Splunk instance that runs the HTTP Event Collector listener. Enter it without a path (i.e. do not include `/services/collector`; the path is set on the channel in the next step).

Enter the port of the HTTP Event Collector (Splunk default: `8088`).

Enable SSL if the HEC listener is served over HTTPS (Splunk's default for HEC). The HEC token travels as a bearer credential in the `Authorization` header of every request, so sending it over plain HTTP exposes it on the wire.

Credentials are not required at this stage. The HTTP Event Collector Token will be provided in the next step.

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/splunk_connection.jpg" alt="Webhook Splunk Connection" width="563"><figcaption></figcaption></figure>

#### Add channel  <a href="#add-channel-1" id="add-channel-1"></a>

Next, add one or more target Splunk webhook channels.

**1.** Visit **Admin → Channels** and click **Webhook**

**2.** Set up the configuration options

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/splunk-webhook-alerts-for-lenses.io.png" alt="Splunk Webhook details" width="563"><figcaption></figcaption></figure>

For example, the above will create the `Kafka DevOps` channel using the **Webhook** connection.

The Splunk Connection created in the previous step is selected as the Connection.

Enter a header declaring the Splunk HEC Token. The format must be:

`Authorization: Splunk <<HEC TOKEN>>`

For the Request path, enter the exact value:

`/services/collector`

The body must be a valid JSON object, otherwise Splunk rejects the request.

Splunk reads the alert fields from the `event` member of that object, so place the templated values there. For example:

```json
{
 "event": {
   "category": "{{CATEGORY}}",
   "level": "{{LEVEL}}",
   "id": "{{ID}}"
 }
}
```

See the webhooks section for full details about available variables.

The event will appear like the following in Splunk:

<figure><img src="https://docs.lenses.io/5.2/guides/compliance/audits/images/splunk_kafka_alerts_in_lenses.io.png" alt="Apache Kafka alert in Splunk from Lenses.io details" width="563"><figcaption></figcaption></figure>

Test the connection before saving by posting an event with cURL. A working token, host, port and path answer with `{"text":"Success","code":0}`:

```bash
# Use http:// instead if SSL is disabled on the HEC listener.
# -k skips certificate verification; use it only for a one-off test.
curl -v -k https://YOUR_SPLUNK_HOST:8088/services/collector \
  -H "Authorization: Splunk YOUR_TOKEN" \
  -d '{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }'
```
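The rules this page states for the webhook channel (request path exactly `/services/collector`, an `Authorization: Splunk <HEC TOKEN>` header, a JSON object with an `event` member) and the native connection's rule that the token must not have indexer acknowledgment enabled, exercised end to end against a local stand-in for HEC. This is an added example, not Lenses or Splunk code: the tokens, host, alert values and the mock's 404 reply are constructed, the mock implements only the HEC responses named in its comments, and the JSON escaping in `render_template` is this example's choice, since the page does not say how Lenses escapes template values.

```python
# Added example, not Lenses or Splunk code: a local stand-in for Splunk's HEC
# and a client sending what a Lenses Splunk webhook channel is configured to send.
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed tokens: the first as the page requires, the second with
# "Enable indexer acknowledgment" turned on.
TOKENS = {
    "11111111-1111-1111-1111-111111111111": {"use_ack": False},
    "22222222-2222-2222-2222-222222222222": {"use_ack": True},
}
# The body template exactly as entered in the Lenses webhook channel.
BODY_TEMPLATE = '{ "event": { "category": "{{CATEGORY}}", "level": "{{LEVEL}}", "id": "{{ID}}" } }'

def render_template(template, variables):
    """Substitute {{NAME}} placeholders, JSON-escaping each value so a quote in
    a value cannot break the object (escaping is this example's assumption)."""
    def sub(match):
        return json.dumps(str(variables.get(match.group(1), "")))[1:-1]
    return re.sub(r"\{\{([A-Z_]+)\}\}", sub, template)

class MockHEC(BaseHTTPRequestHandler):
    """Models /services/collector validation; text/code pairs follow HEC's
    documented responses, the 404 body is constructed."""
    def _reply(self, status, code, text):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"text": text, "code": code}).encode())

    def do_POST(self):
        if self.path != "/services/collector":
            return self._reply(404, -1, "Not found")
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Splunk "):
            return self._reply(401, 2, "Token is required")
        cfg = TOKENS.get(auth[len("Splunk "):].strip())
        if cfg is None:
            return self._reply(403, 4, "Invalid token")
        # With indexer acknowledgment on, HEC demands a channel header that the
        # Lenses connection never sends: this is why the page says to keep it off.
        if cfg["use_ack"] and not self.headers.get("X-Splunk-Request-Channel"):
            return self._reply(400, 10, "Data channel is missing")
        raw = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if not raw:
            return self._reply(400, 5, "No data")
        try:
            doc = json.loads(raw)
        except ValueError:
            return self._reply(400, 6, "Invalid data format")
        if not isinstance(doc, dict) or "event" not in doc:
            return self._reply(400, 12, "Event field is required")
        return self._reply(200, 0, "Success")

    def log_message(self, *_):
        pass  # keep the demo quiet

def send_event(host, port, token, body, path="/services/collector", channel=None):
    """POST as the Lenses webhook channel does (Authorization: Splunk <token>,
    request path); returns (http_status, hec_code, hec_text)."""
    req = Request(f"http://{host}:{port}{path}", data=body.encode(), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    if channel:
        req.add_header("X-Splunk-Request-Channel", channel)
    try:
        with urlopen(req) as resp:
            status, reply = resp.status, json.load(resp)
    except HTTPError as err:
        status, reply = err.code, json.load(err)
    return status, reply["code"], reply["text"]

def run_checks():
    """Exercise each configuration point from the page against the mock."""
    server = HTTPServer(("127.0.0.1", 0), MockHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    good, acked = list(TOKENS)
    alert = {"CATEGORY": "Infrastructure", "LEVEL": "CRITICAL", "ID": 'broker-1 "offline"'}
    body = render_template(BODY_TEMPLATE, alert)
    naive = BODY_TEMPLATE  # raw substitution with no escaping, for comparison
    for name, value in alert.items():
        naive = naive.replace("{{" + name + "}}", value)
    results = {
        "ok": send_event(host, port, good, body),
        "path_in_host_field": send_event(host, port, good, body, path="/services/collector/services/collector"),
        "bad_token": send_event(host, port, "not-a-token", body),
        "ack_token": send_event(host, port, acked, body),
        "ack_token_with_channel": send_event(host, port, acked, body, channel="c0ffee"),
        "no_event_object": send_event(host, port, good, '{"category": "x"}'),
        "unescaped_quote": send_event(host, port, good, naive),
    }
    server.shutdown()
    return results

if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=1))
```

Run it with `python` and each row of the output corresponds to one misconfiguration: a path typed into the host field produces a 404, a wrong token a 403, a token with indexer acknowledgment on a `Data channel is missing` rejection, and a body whose alert goes outside `event` an `Event field is required` rejection. The `unescaped_quote` row shows why the body has to stay a valid JSON object: a template value containing a double quote, substituted without escaping, turns the body into `Invalid data format`, while the escaped rendering in `ok` is accepted.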

#### An example  <a href="#an-example-1" id="an-example-1"></a>

If, for example, you create a rule to send Apache Kafka Broker monitoring notifications to Splunk the moment a Broker goes offline, an `HTTP POST` will be sent to Splunk via the Splunk HTTP Event Collector. The event can then also be analyzed in Splunk ITSI.
