Splunk
The Files.com integration with Splunk Enterprise and Splunk Cloud utilizes Splunk's HTTP Event Collector to directly transfer Files.com logs into your Splunk environment, keeping your data current for real-time analysis. This integration allows you to configure the transfer of various log types to Splunk, enhancing your capability to monitor, analyze, and respond to events with greater precision and efficiency.
These logs are sent in JSON format via HTTP, ensuring compatibility with Splunk's data ingestion pipeline. Whether you are using Splunk Enterprise on-premises or leveraging Splunk Cloud, Files.com enables secure, reliable log forwarding to help organizations monitor, detect, and respond to security events effectively.
Getting Started with Splunk Integration
Files.com uses Splunk's HTTP Event Collector (HEC) to send audit logs and actions to a Splunk deployment via HTTP or HTTPS protocols, utilizing token-based authentication. By generating a token, you can configure Files.com to transmit logs to HEC in the JSON format, eliminating the need for a Splunk forwarder.
Refer to Splunk's documentation on setting up and using the HTTP Event Collector in Splunk Web for more details.
When configuring Splunk's HEC, select Automatic for the Source type if prompted. Leave other options related to the index at their default settings, and do not enable the option for indexer acknowledgment, as it is not supported at this time.
Configuring Files.com for Splunk Integration
When configuring the Splunk integration in Files.com, provide a Name for the integration for your records. Then, specify the HTTP Event Collector Host or URI (referred to as HEC URI) from your Splunk HEC configuration as the Destination URL in Files.com. For authentication, use the HTTP Event Collector Token from the same Splunk HEC configuration as the Splunk token in Files.com.
The HEC URI format for Splunk Cloud is:
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint> (for example, https://http-inputs-myhostname.splunkcloud.com:443/services/collector/event).
The HEC URI format for Splunk Enterprise is:
<protocol>://<host>:<port>/<endpoint> (for example, https://myhostname:8088/services/collector/event).
The HEC URI may vary depending on the geo-region or third-party cloud platform where your instance is hosted, or if you are using a Splunk trial or demo account. Note that the http-inputs- prefix may not be required in the HEC URI if you are using the Splunk Cloud trial version. Refer to Splunk's documentation to obtain the correct HEC URI for your environment, which can then be used as the Destination URL in Files.com.
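Because a mistyped Destination URL is the most common reason HEC ingestion silently fails, it helps to check a candidate HEC URI against the two formats above before saving it. The following is an added example (not Files.com or Splunk code): it parses a HEC URI with the standard library, classifies it as Splunk Cloud or Splunk Enterprise from the host name, and reports problems (plain HTTP, which would expose the token in transit; a path that is not the JSON event endpoint) separately from warnings (a Splunk Cloud host without the http-inputs- prefix, or no explicit port), since the warnings can be legitimate for trial instances. The function name and the exact wording of the messages are this example's own.

```python
from urllib.parse import urlsplit

# Paths that accept HEC JSON event payloads (the documented endpoint plus its
# shorter alias); other collector paths expect a different body format.
JSON_EVENT_ENDPOINTS = ("/services/collector/event", "/services/collector")


def check_hec_uri(uri: str) -> dict:
    """Parse a HEC URI and report how it matches the documented formats.

    Returns the parsed pieces plus two lists: 'problems' (the URI will not
    work, or is unsafe, as a Destination URL) and 'warnings' (worth a look,
    but may be correct for a trial or demo account).
    """
    parts = urlsplit(uri)
    problems, warnings = [], []

    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    # urlsplit raises ValueError for a non-numeric port such as ":abc".
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("port in %r is not numeric" % parts.netloc)
    else:
        if port is None:
            # The documented formats always spell the port out, so note the
            # fallback to the scheme default rather than silently assuming it.
            port = 443 if scheme == "https" else 80
            warnings.append("no explicit port in URI; assuming %d" % port)

    if scheme != "https":
        problems.append(
            "scheme is %r: the HEC token would be sent unencrypted" % scheme)
    if not host:
        problems.append("no host in URI")

    # Splunk Cloud hosts live under splunkcloud.com and normally carry the
    # http-inputs- prefix; any other host:port is treated as Splunk Enterprise.
    if host.endswith(".splunkcloud.com"):
        deployment = "splunk_cloud"
        if not host.startswith("http-inputs-"):
            warnings.append(
                "Splunk Cloud host without the 'http-inputs-' prefix "
                "(expected unless this is a trial instance)")
    else:
        deployment = "splunk_enterprise"

    endpoint = parts.path.rstrip("/")
    if endpoint not in JSON_EVENT_ENDPOINTS:
        problems.append(
            "%r is not the HEC JSON event endpoint "
            "(expected /services/collector/event)" % parts.path)

    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "endpoint": endpoint,
        "deployment": deployment,
        "problems": problems,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample URIs in the two documented shapes.
    for sample in (
        "https://http-inputs-myhostname.splunkcloud.com:443/services/collector/event",
        "http://myhostname:8088/services/collector/event",
    ):
        print(sample, check_hec_uri(sample))
```

Treat anything in `problems` as a reason not to save the URL; an item in `warnings` is a prompt to compare the value against the HEC URI shown in Splunk Web for your deployment.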
You can configure additional headers by specifying the Header Name and Header Value in the Key and Value fields, respectively, if you need to pass extra headers to your SIEM setup.
Choosing Log Types to Forward to Splunk
You can select which types of logs are forwarded to your specific Splunk instances. By default, all log types are enabled, but you can customize the log types collected for different instances as needed. Refer to the Log Types section to review the available options for forwarding logs to your Splunk platform.
Troubleshooting
If you encounter any issues with forwarding or receiving logs in Splunk, start by verifying that your Splunk HTTP Event Collector (HEC) endpoint and token are accurate and correctly configured in Files.com as the Destination URL and Splunk token, respectively.
If you are still experiencing issues, check for network connectivity problems or firewall rules that may be blocking communication between Files.com and your Splunk environment. For additional insight, review any SIEM-related logs under External Logs by selecting "SIEM" as the Event Type; these logs may help identify where the log forwarding process is failing. If the problem persists, refer to Splunk's troubleshooting documentation for further steps.
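The quickest way to separate a bad token or URL from a network problem is to send one hand-built event to the HEC endpoint from a host that can reach Splunk and read the reply, because HEC answers every request with a small JSON body whose `code` field says exactly what it rejected. The example below is added here and is not Files.com or Splunk code: `build_hec_request` assembles the POST the way any HEC client does (`Authorization: Splunk <token>` header, JSON body with an `event` field, plus any extra Key/Value headers configured on the integration), `interpret_hec_response` maps the documented HEC reply codes to a first thing to check, and `send_test_event` ties them together over the network, treating DNS, TLS and connection failures as the firewall/connectivity case rather than as an authentication failure. The test event content, the function names and the hint wording are this example's own; `TOKEN-PLACEHOLDER` stands in for a real HEC token.

```python
import json
import urllib.error
import urllib.request

# Splunk HEC reply codes (from Splunk's HEC reference) mapped to the first
# thing to check. Codes not listed fall back to the reply's own text.
HEC_CODE_HINTS = {
    0: "success: URL, token and payload were all accepted",
    1: "token disabled: enable the HEC token in Splunk",
    2: "token is required: no Authorization header reached Splunk "
       "(check extra headers and any proxy in the path)",
    3: "invalid authorization: header must be exactly 'Splunk <token>'",
    4: "invalid token: the Splunk token in Files.com does not match the HEC token",
    5: "no data: the request body was empty",
    6: "invalid data format: body is not valid HEC JSON",
    7: "incorrect index: the token is not allowed to write to the requested index",
    8: "internal server error on the Splunk side",
    9: "server is busy: Splunk is throttling; retry later",
    14: "ACK is disabled: indexer acknowledgment was requested but is not enabled",
    17: "HEC is healthy",
}


def build_hec_request(hec_uri, token, event, extra_headers=None, sourcetype=None):
    """Assemble the HEC POST (url, headers, body) as a HEC client sends it."""
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    headers = {
        "Authorization": "Splunk " + token,
        "Content-Type": "application/json",
    }
    # Extra Key/Value headers configured on the integration, if any.
    headers.update(extra_headers or {})
    body = json.dumps(payload).encode("utf-8")
    return hec_uri, headers, body


def interpret_hec_response(status, body):
    """Turn an HTTP status plus HEC reply body into a troubleshooting hint."""
    try:
        reply = json.loads(body) if body else {}
    except ValueError:
        reply = {}  # not a HEC reply at all (proxy error page, wrong URL, ...)
    code = reply.get("code")
    hint = HEC_CODE_HINTS.get(code, reply.get("text", "unrecognised reply"))
    ok = status == 200 and code in (0, 17)
    return {"ok": ok, "status": status, "code": code, "hint": hint}


def send_test_event(hec_uri, token, timeout=10, extra_headers=None):
    """Send one constructed test event and interpret the reply (network call)."""
    url, headers, body = build_hec_request(
        hec_uri, token,
        {"message": "Files.com HEC connectivity test"},  # constructed event
        extra_headers=extra_headers, sourcetype="_json")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        # HEC sends its diagnostic JSON with 4xx replies too; read it.
        return interpret_hec_response(e.code, e.read())
    except (urllib.error.URLError, OSError) as e:
        # DNS failure, refused connection, TLS error, timeout: look at
        # network reachability and firewall rules, not at the token.
        return {"ok": False, "status": None, "code": None,
                "hint": "transport error: %s" % e}


if __name__ == "__main__":
    import sys
    # Usage: python hec_check.py https://myhostname:8088/services/collector/event TOKEN
    print(send_test_event(sys.argv[1], sys.argv[2]))
```

A `transport error` result points at the network path (the firewall case in the text); a `code` of 4 or 1 points at the token; 6 or 7 mean the endpoint and token are fine and the problem is in the payload or index configuration. TLS verification is left on deliberately, so a self-signed certificate on a Splunk Enterprise HEC port shows up as a transport error rather than being silently accepted.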