Configuring Splunk to receive your audit logs

You must configure Splunk to receive audit logs from fluentd over the HTTP Event Collector (HEC).

HTTP Event Collector (HEC)

  1. Enable HEC.
  2. Create an HEC token and customize it.
  3. Enable the token.

For more information, see the Splunk documentation.

Splunk configurations and certificates

The following are the default locations of the configuration and certificate files.

/opt/splunk/etc/system/local contains the inputs.conf and server.conf files that you must modify.

Add the following [http] stanza to the inputs.conf file. Splunk .conf files only treat # as a comment at the start of a line, so keep the comments on their own lines rather than after a value:

# HEC plugin configuration
[http]
port = 8088
disabled = 0
enableSSL = 1
dedicatedIoThreads = 4
maxSockets = 50
maxThreads = 20
# Path to the server certificate, for example /opt/splunk/etc/auth/myNewServerCertificate.pem
serverCert = <server certificate path>
# Password that protects the private key in the server certificate file
sslPassword = <certificate password>

Add the CA certificate path to the [sslConfig] stanza in the server.conf file:

[sslConfig]
# Path to the CA certificate, for example /opt/splunk/etc/auth/myCACertificate.pem
sslRootCAPath = <ca certificate path>

For custom configuration information, see the Splunk documentation.

For more information about certificates, see the Splunk documentation.

Restart the splunkd service

After you modify the configuration, restart the service by using the following command:

$SPLUNK_HOME/bin/splunk restart splunkd
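As an added check that is not part of the original page or of Splunk's own tooling: the script below parses the [http] stanza described above, flags settings that would leave HEC disabled or unencrypted (including a placeholder or inline comment left in a value, which Splunk .conf files read as part of the value), and posts one test event with the HEC token while verifying the server certificate against the CA configured in server.conf. The sample stanza values, host, port and token are assumptions.

```python
"""Lint the HEC [http] stanza, then send a test event over verified TLS."""
import configparser
import json
import ssl
import urllib.request

# Constructed sample: the stanza from this page with the placeholders filled in
SAMPLE_INPUTS_CONF = """\
# HEC plugin configuration
[http]
port = 8088
disabled = 0
enableSSL = 1
serverCert = /opt/splunk/etc/auth/myNewServerCertificate.pem
sslPassword = example-key-password
"""


def parse_http_stanza(conf_text):
    """Return the [http] stanza as a dict (empty if absent). Splunk .conf files
    only treat '#' as a comment at line start, so inline comments stay in the value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (enableSSL, serverCert)
    cp.read_string(conf_text)
    return dict(cp["http"]) if cp.has_section("http") else {}


def lint_http_stanza(stanza):
    """List problems that would leave HEC disabled, unencrypted or misconfigured."""
    problems = []
    if stanza.get("disabled") != "0":
        problems.append("disabled must be 0 or HEC will not listen")
    if stanza.get("enableSSL") != "1":
        problems.append("enableSSL must be 1 so tokens and audit logs are not sent in clear text")
    if not stanza.get("serverCert"):
        problems.append("serverCert is required when enableSSL = 1")
    for key, value in stanza.items():
        if "#" in value or "<" in value:
            problems.append(f"{key}: placeholder or inline comment would be read as part of the value")
    return problems


def send_test_event(host, port, token, ca_path, timeout=5):
    """POST one event to HEC with the token, verifying the server certificate
    against the CA from server.conf. Returns Splunk's JSON reply."""
    ctx = ssl.create_default_context(cafile=ca_path)
    body = json.dumps({"event": "hec connectivity test", "sourcetype": "audit_test"}).encode()
    req = urllib.request.Request(
        f"https://{host}:{port}/services/collector/event", data=body,
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)
```

Run `lint_http_stanza(parse_http_stanza(open("/opt/splunk/etc/system/local/inputs.conf").read()))` before restarting splunkd, and `send_test_event` from the fluentd host afterwards to confirm the token and certificate chain work end to end.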