
Splunk

Purpose

This document provides setup information for the Splunk integration.

Introduction

Splunk is software for searching, monitoring, and analyzing machine-generated big data. Splunk captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.

A trial version of Splunk can be downloaded from the official Splunk website. The integration is implemented in both OUTSCAN and HIAB and is used mainly by the Event Notification system and the Audit Log.

Splunk is integrated with both HIAB and OUTSCAN. This guide describes the integration from a HIAB, but the procedure is the same for OUTSCAN.

There are two ways of integrating with Splunk:

  • Create a user with a role, for TCP mode.

  • Create an HTTP Event Collector (HEC), for HTTP Event Collector mode, which lets applications send data and events to Splunk over HTTP and secure HTTP (HTTPS).

Prerequisites

  • To set up the HIAB/OUTSCAN-Splunk integration in TCP mode, an index, a role, and a user must already be set up in Splunk.

It is recommended to create a new user with limited access rights and a separate Splunk index for the data sent from the HIAB to Splunk.

  • It is important that the index exists before defining a role for the HIAB access. Otherwise, the restricted access cannot be set up for the specific index. If an index has already been set up, skip to section Create a Role.

  • The HTTP Event Collector does not require users and roles to be set up in Splunk, since it uses an access token. However, an index is required for the HTTP Event Collector. If an index has already been set up, skip to section Create an HTTP Event Collector.

A Splunk index is a repository for data in Splunk; it resides in flat files on the Splunk instance.

Splunk Integration - TCP 

Because syslog limits the number of characters that can be transferred to Splunk, the Gathered Information field of the findings is excluded: its content exceeds what can be sent via syslog.

Create Index

  1. Log in with an existing Splunk account.

    Splunk Sign In



  2. Go to Settings on the top left menu and then click on Indexes in the DATA group.




  3. Click on the New Index button in the upper right corner.



  4. Complete these details. In the steps below, HIAB is used as an example.



  5. Click Save.

  6. The new index has been added to the list.

    Splunk Indexes

Create Roles

  1. Go to Settings on the top left menu and then click on Roles in the USERS AND AUTHENTICATION group.

    Integration_Splunk_Settings.PNG



  2. Click New Role button in upper right corner.


  3. Create a role in Splunk according to the HIAB Integration Mode you want to use.
    a) For a TCP integration, create a role in Splunk and specify the following parameters. See the Mode option in the HIAB Integrations Settings table.

Parameter      Value
Name           hiab-tcp-indexer
Capabilities   edit_tcp
Indexes        hiab

The role is only granted access to the indexes defined here.

  4. Click Create.

Create Users

In this section we add a new user (account) for the HIAB. This user is given the role that was created in the previous step, which effectively limits the capabilities of this account to pushing data to the specified index.

  1. Go to Settings on the top left menu and then click on Users in the USERS AND AUTHENTICATION group.

  2. Click New User button in the upper right corner.



  3. Click Add new on the user row:

    • Name: HIAB

    • Assign roles: hiab-indexer

  4. Click Save.


Procedure in HIAB/OUTSCAN 

  1. In the HIAB, click Main Menu > Settings > Integration.

  2. Select the Splunk tab in the Integrations Settings window.

    Integrations Settings Splunk


  3. Fill in the Integration settings as shown in the HIAB Integrations Settings table.

  4. Click the Save button.

  5. Click the Status button in the lower right corner to test the setup to Splunk.

    Integrations Settings Network Status


The HIAB should now show Pass, indicating a successful setup of the HIAB integration with Splunk.

Splunk Integration - HTTP Event Collector

Create an HTTP Event Collector

  1. Go to Settings on the top left menu.

  2. Click on Data Inputs in the DATA group.

    Integration_Splunk_Settings.PNG


  3. Click HTTP Event Collector in the Type row of the table.

    Splunk HTTP Event Collector



  4. Click the Global Settings button on the top right of the menu.

    Splunk Global Settings



    Splunk Edit Global Settings


  5. Click the Enabled button.

  6. Select the Enable SSL checkbox.

  7. Enter the HTTP port number.

  8. Click the Save button.

  9. Click the New Token button on the top right to create the token.

    Splunk New Token



  10. Select the HIAB index that was created in the Create Index section at the beginning of the configuration.

    Splunk Create Index



  11. Click the Review button to review the configuration.

    Splunk Add Data



  12. Then click on the Submit button.

  13. Make a note of the Token Value shown after submitting the configuration; it is required in the HIAB/OUTSCAN Integration settings.

Procedure in HIAB/OUTSCAN

  1. In the HIAB or OUTSCAN, click Main Menu > Settings > Integration.

  2. Select the Splunk tab in the Integrations Settings window.

    Integrations Settings


  3. Fill in the Integration settings as shown in the Integrations Settings table.

    Integrations Settings

Option            Value
Enabled           Click on this field to enable the Splunk feature.
Mode              HTTP Event Collector: when selected, the username and password fields are not available.
                  TCP: when selected, the username and password fields are enabled.
Host              Provide your Splunk server name.
Port              Provide the management port that Splunk is using to communicate.
                  Default: 8088 and 8089. Port 443 is also available.
Username          Provide the username used to authenticate against the Splunk server.
Password          Provide the password used to authenticate against the Splunk server.
Token             HTTP Event Collector (HEC) token. HEC tokens are sent in the headers of the data packets to authenticate them with Splunk.
Index             If the user enters an index that does not exist, a new one is created. All events are prefixed with the index name.
Send audit log    Check this box to send audit log entries to Splunk.
(HIAB only)

  4. Click the Save button.

  5. Click the Status button in the lower right corner to test the setup to Splunk.

The HIAB should now show Pass, indicating a successful setup of the HIAB integration with Splunk.

Integrations Settings Network Status

The newly set up account only has access through the API and is only able to interact with the index, which restricts its access.

Event Notifications for Splunk

Common Information Model

The Splunk CIM is a shared semantic model that focuses on extracting value from data. The CIM is an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

You can now choose to send notifications in CIM format; this option applies to Findings notifications only.

Outpost24 name      Splunk CIM
Script Name         signature
Script ID           signature_id
Target              dest_ip
Hostname            dest_name
Bugtraq             bugtraq
Risk Level          risk
CVSS                cvss
CVE                 cve
Family              category
Solution Patches    MSKB
Product             vendor_product
Severity            severity

For settings, see the Event Notification Module.
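The following added example (not Outpost24 or Splunk code) ties together the two pieces this page describes: renaming an Outpost24 finding to the CIM field names in the mapping table above, and packaging it for Splunk's HTTP Event Collector with the token carried in the Authorization header, as the Token row of the Integrations Settings table states. The endpoint path /services/collector/event and the HEC response format are standard Splunk behaviour; the sourcetype value, host name, token and the sample finding are assumptions or constructed placeholders.

```python
import json
import urllib.request

# Outpost24 -> Splunk CIM field names, as listed in the mapping table above.
CIM_MAP = {
    "Script Name": "signature", "Script ID": "signature_id",
    "Target": "dest_ip", "Hostname": "dest_name", "Bugtraq": "bugtraq",
    "Risk Level": "risk", "CVSS": "cvss", "CVE": "cve", "Family": "category",
    "Solution Patches": "MSKB", "Product": "vendor_product", "Severity": "severity",
}


def to_cim_event(finding):
    """Rename Outpost24 finding fields to their CIM names; unmapped keys are kept as-is."""
    return {CIM_MAP.get(key, key): value for key, value in finding.items()}


def build_hec_request(host, port, token, index, event, use_ssl=True):
    """Build (url, headers, body) for Splunk's HEC endpoint /services/collector/event.
    The HEC token is carried in the Authorization header, which is what the Token
    row of the settings table refers to. The sourcetype value is an assumption for
    this example, not something the page specifies.
    """
    scheme = "https" if use_ssl else "http"
    url = f"{scheme}://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    payload = {"index": index, "sourcetype": "outpost24:finding", "event": event}
    return url, headers, json.dumps(payload)


def send_event(url, headers, body):
    """POST the event; returns (HTTP status, decoded HEC reply, e.g. {"text": "Success", "code": 0})."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Constructed sample finding (not real scan output); host and token are placeholders.
    finding = {
        "Script Name": "Example vulnerability check", "Script ID": "12345",
        "Target": "192.0.2.10", "Hostname": "web01", "Risk Level": "High",
        "CVSS": "7.5", "CVE": "CVE-placeholder", "Family": "Web Application",
    }
    url, headers, body = build_hec_request(
        "splunk.example.com", 8088, "<HEC token placeholder>", "hiab", to_cim_event(finding))
    print(url)
    print(body)
    # send_event(url, headers, body)  # uncomment once host and token point at a real HEC
```

A successful POST is answered with a JSON body whose code is 0; a rejected token is refused before anything is indexed, which is the first thing to verify when the Status button reports a failure in HEC mode.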

References

Splunk Documentation




Copyright

© 2025 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.
