Webhooks Splunk Setup
The following instructions configure an activity stream for Tehama in Splunk's HTTP Event Collector.
Introduction
Splunk is a third-party tool that you can use to aggregate all kinds of different machine data from the various third-party and in-house tools that your company uses, including activity stream events from Tehama.
Once you have enabled sending activity stream events from Tehama to your Splunk instance, all events generated for your organization will be sent from Tehama to Splunk.
You can configure Splunk to its best advantage for your company's needs. To help you do that, Tehama provides a report of all the event types and their arguments that can be sent to Splunk. See Event Types in the Webhooks User Guide.
Requirements
- A Tehama Account with Org Admin privileges
- A Splunk Enterprise® instance (recommended version 7.1.3)
- A Splunk Admin account.
Steps to Integrate
Integration with Splunk from Tehama has been tested with Splunk version 7.1.3.
Follow Splunk's own documentation at http://docs.splunk.com/Documentation/Splunk/7.1.3 to create an activity stream for Tehama in Splunk's HTTP Event Collector.
Create an activity stream from Tehama to Splunk
Step 1
Be sure you have a working Splunk Enterprise® instance. (See the requirements.) If not, check the following links for information on creating one:
- https://www.splunk.com/blog/2016/03/22/your-splunk-sandbox.html
- https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security/online-sandbox-faq.html
- http://splunk.force.com/SplunkCloud?prdType=SplunkCloud&_ga=2.187345707.2085200529.1537475964-1608871039.1532693597
When your Splunk Enterprise® instance is ready and you have access to an Admin account for it, log in and proceed.
Step 2
Enable the HTTP Event Collector on your Splunk Enterprise® instance through the Global Settings dialog box.
The following instructions are adapted from Splunk's HTTP Event Collector documentation: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Enterprise
- Click Settings and select Data Inputs.
- Click HTTP Event Collector.
- Click Global Settings. The Edit Global Settings dialog will appear.
- Toggle All Tokens to Enabled.
- Set Default Source Type to json. (Note the source type here; you will confirm it in the next step.)
- Set Default Index to Default.
- Set Default Output Group to None.
- Leave the Use Deployment Server checkbox blank.
- Click to place a checkmark in the Enable SSL checkbox.
- Enter a port number in the HTTP Port Number field. The HTTP Event Collector will listen on this port and Tehama will send to it.
- NOTE: Make sure your firewall rules support this communication.
- NOTE: If your Room is a Multi-Path Room, and its DNS Filtering feature is active, be sure to add any domains for the HTTP Event Collector to the list of allowed domains in order to support this communication.
- Click Save.
Step 3
Create an Event Collector token in the HTTP Event Collector on your Splunk Enterprise® instance.
Instructions come from the following link: http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/UsetheHTTPEventCollector#Create_an_Event_Collector_token
- Click Settings and select Add Data.
- Click monitor.
- Click HTTP Event Collector.
- Enter the name for the token in Name field, e.g.: "Tehama Activity Stream"
- Enter a description in the Description field, e.g.: "JSON import of Activity Stream from Tehama"
- Click to remove the checkmark from the Enable indexer acknowledgment checkbox, if there is one there.
- Click Next.
- Confirm the source type (json) for HTTP Event Collector events.
- Click Review.
- Confirm the settings.
- Click Submit if the settings are correct. Otherwise, click < to fix any errors.
At this point you should see an entry for your new Event Collector token in the list of tokens for the HTTP Event Collector.
Copy the value in the Token Value column for the entry. It will be used in the next step.
Work out the endpoint URL for your new HTTP Event Collector. It will be used in the next step. (See the instructions at the following link for help deriving the endpoint URL: http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector.)
Step 4
Configure Tehama to send events to your new Event Collector on your Splunk Enterprise® instance.
Log in to the Tehama Web UI as the Org Admin user for your organization.
Navigate to the WEBHOOKS tab on the ORGANIZATION settings page (accessed through the organization tab in the navigation bar).
Enter the endpoint URL for the HTTP Event Collector from step 3 into the field URL of your Splunk instance's HTTP Collector endpoint.
Enter the token value from your Event Collector token from step 3 into the field Splunk Token (Authorization header value).
Enter the default index name, "main", into the field Index to send events to.
Click SAVE.
From the instant you click on SAVE Tehama will send all Activity Stream events it generates for your organization to your Splunk Enterprise® instance.
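Before saving the configuration in step 4, it is worth confirming that the endpoint URL, token and firewall path from steps 2 and 3 actually work, so that a typo in the token or a blocked port does not silently drop events. The script below is an added example and is not Tehama's or Splunk's own code. It sends one event to a HEC endpoint the same way Tehama does (a POST with the `Authorization: Splunk <token>` header and a JSON envelope carrying the `index` and `sourcetype`) and reports whether HEC accepted it. The sample event, the placeholder token and the `FakeHEC` local stand-in server are constructed for offline testing only; the real event fields are documented under Event Types in the Webhooks User Guide.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder event. The real field set is defined in the
# Tehama Webhooks User Guide (Event Types), not here.
SAMPLE_EVENT = {"eventType": "placeholder.event", "org": "example-org", "actor": "user@example.com"}


def build_hec_payload(event, index, sourcetype="json"):
    """Wrap an event in HEC's JSON envelope: the event plus index/sourcetype metadata."""
    return json.dumps({"event": event, "index": index, "sourcetype": sourcetype}).encode("utf-8")


def send_event(endpoint_url, token, index, event, timeout=10):
    """POST one event to a HEC endpoint and return (http_status, parsed_response_body).

    The token goes in `Authorization: Splunk <token>`, which is the value the Tehama
    field "Splunk Token (Authorization header value)" expects.
    """
    req = urllib.request.Request(
        endpoint_url,
        data=build_hec_payload(event, index),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        # urlopen's default TLS context verifies the server certificate when the URL is https.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # HEC reports rejected requests (bad token, bad JSON) with a JSON body and a non-2xx status.
        return err.code, json.loads(err.read().decode("utf-8"))


class FakeHEC(BaseHTTPRequestHandler):
    """Minimal local stand-in for HEC's /services/collector/event, for offline testing only.

    Accepts the configured token and answers like HEC does: {"code": 0} on success,
    {"code": 4} with HTTP 403 for an invalid token, {"code": 6} with HTTP 400 for bad JSON.
    """
    expected_token = "REPLACE-WITH-TOKEN-FROM-STEP-3"  # placeholder, not a real token
    received = []  # envelopes accepted by the fake collector

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.headers.get("Authorization") != f"Splunk {self.expected_token}":
            self._reply(403, {"text": "Invalid token", "code": 4})
            return
        try:
            envelope = json.loads(body)
            if "event" not in envelope:
                raise ValueError("missing event field")
        except ValueError:
            self._reply(400, {"text": "Invalid data format", "code": 6})
            return
        self.received.append(envelope)
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, obj):
        data = json.dumps(obj).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def check_endpoint(endpoint_url, token, index="main"):
    """Smoke test: send SAMPLE_EVENT and return (accepted, http_status, response_body)."""
    status, body = send_event(endpoint_url, token, index, SAMPLE_EVENT)
    return status == 200 and body.get("code") == 0, status, body


def run_offline_demo():
    """Start FakeHEC on localhost and exercise a correct and an incorrect token."""
    server = HTTPServer(("127.0.0.1", 0), FakeHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/services/collector/event"
    try:
        good = check_endpoint(url, FakeHEC.expected_token)
        bad = check_endpoint(url, "wrong-token")
    finally:
        server.shutdown()
        server.server_close()
    return good, bad


if __name__ == "__main__":
    # Against a real instance: check_endpoint("https://<host>:<port>/services/collector/event", "<token>")
    print(run_offline_demo())
```

Against a real Splunk instance, call `check_endpoint` with the endpoint URL from step 3 (with Enable SSL from step 2 the scheme is https, so the URL must present a certificate your client trusts) and the token value; a `403` with `"code": 4` means the token is wrong or disabled, and a connection timeout usually points at the firewall or DNS filtering rules noted in step 2.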
Step 5
Look through the Splunk Enterprise® documentation to determine how you can configure Splunk to its best advantage for your company's needs. Use the information provided by Tehama about the event types that it sends to Splunk to help with this configuration. See Event Types in the Webhooks User Guide.