Configuring Splunk to receive your audit logs
You must configure Splunk to receive the audit logs that fluentd forwards over the HTTP Event Collector (HEC).
HTTP Event Collector (HEC)
- Enable HEC.
- Create an HEC token and customize it.
- Enable the token.
For more information, see the Splunk documentation.
Splunk configurations and certificates
The following are the default directories for configurations and certificates.
- Default configuration directory: /opt/splunk/etc/system/local
- Default certificates directory: /opt/splunk/etc/auth
/opt/splunk/etc/system/local contains the inputs.conf and server.conf files that you must modify.
Add the following [http] stanza to the inputs.conf file:
# HEC plugin configuration
[http]
port = 8088
disabled = 0
enableSSL = 1
dedicatedIoThreads = 4
maxSockets = 50
maxThreads = 20
# Server certificate path, for example /opt/splunk/etc/auth/myNewServerCertificate.pem
# (Splunk reads comments only at the start of a line; a '#' after a setting becomes part of its value.)
serverCert = <server certificates path>
sslPassword = <certificates password>
Add the CA certificate path to the [sslConfig] stanza in the server.conf file:
[sslConfig]
# CA certificate path, for example /opt/splunk/etc/auth/myCACertificate.pem
sslRootCAPath = <ca certificate path>
For custom configuration information, see the Splunk documentation.
For more information about certificates, see the Splunk documentation.
Restart the splunkd service
After you modify the configuration, restart the service by using the following command:
$SPLUNK_HOME/bin/splunk restart splunkd
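The stanzas above are easy to get subtly wrong: leaving a `<placeholder>` in place, keeping an inline `# For example` comment (which splunkd stores as part of the path), or flipping `enableSSL` to 0 while troubleshooting. The script below is an added example, not part of this page or of Splunk; it parses the `[http]` stanza of inputs.conf and the `[sslConfig]` stanza of server.conf the way splunkd does (comments only at line start) and reports settings that would leave the audit-log listener disabled, unencrypted, or pointing at a placeholder. The sample configurations and certificate paths inside it are constructed for the example; run it against your real files before the restart step.

```python
"""Check the HEC listener settings in inputs.conf and server.conf before restarting splunkd.

Added example (not from the page or from Splunk). It covers only the settings
shown on this page; everything else in the files is ignored.
"""
import re
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Stanzas:
    """Minimal parser for Splunk's .conf format: [stanza] headers and 'key = value' lines.

    Splunk treats '#' as a comment only at the start of a line, so anything after
    a '#' on a setting line is kept as part of the value, exactly like splunkd.
    """
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def looks_unfinished(value: str) -> bool:
    """True for a copied '<placeholder>' or a value that swallowed an inline comment."""
    return "<" in value or "#" in value


def check_hec_inputs(inputs_conf: str) -> List[str]:
    """Return findings for the [http] stanza of inputs.conf (empty list means OK)."""
    findings: List[str] = []
    http = parse_conf(inputs_conf).get("http")
    if http is None:
        return ["inputs.conf: no [http] stanza, HEC is not configured"]
    # Splunk ships HEC disabled, so a missing 'disabled' setting means disabled.
    if http.get("disabled", "1") != "0":
        findings.append("[http] disabled is not 0: the HEC listener will not start")
    # HEC defaults to TLS; only an explicit 0 turns it off.
    if http.get("enableSSL", "1") != "1":
        findings.append("[http] enableSSL=0: audit logs and the HEC token would travel in cleartext")
    cert = http.get("serverCert", "")
    if not cert:
        findings.append("[http] serverCert is not set")
    elif looks_unfinished(cert):
        findings.append(f"[http] serverCert is a placeholder or contains an inline comment: {cert!r}")
    if looks_unfinished(http.get("sslPassword", "")):
        findings.append("[http] sslPassword still holds the <certificates password> placeholder")
    return findings


def check_server_ssl(server_conf: str) -> List[str]:
    """Return findings for the [sslConfig] stanza of server.conf (empty list means OK)."""
    findings: List[str] = []
    ca = parse_conf(server_conf).get("sslConfig", {}).get("sslRootCAPath", "")
    if not ca:
        findings.append("[sslConfig] sslRootCAPath is not set: splunkd cannot validate the certificate chain")
    elif looks_unfinished(ca):
        findings.append(f"[sslConfig] sslRootCAPath is a placeholder or contains an inline comment: {ca!r}")
    return findings


# Constructed sample: the stanzas copied verbatim with placeholders and inline comments left in.
WEAK_INPUTS = """[http]
port = 8088
disabled = 0
enableSSL = 0
serverCert = <server certificates path > # For example - /opt/splunk/etc/auth/myNewServerCertificate.pem
sslPassword = <certificates password>
"""
WEAK_SERVER = """[sslConfig]
sslRootCAPath = <ca certificate path> # For example - /opt/splunk/etc/auth/myCACertificate.pem
"""

# Constructed sample: the same stanzas filled in correctly (example paths and password).
HARDENED_INPUTS = """# HEC plugin configuration
[http]
port = 8088
disabled = 0
enableSSL = 1
dedicatedIoThreads = 4
maxSockets = 50
maxThreads = 20
# Certificate and key for the HEC listener
serverCert = /opt/splunk/etc/auth/myNewServerCertificate.pem
sslPassword = example-key-password
"""
HARDENED_SERVER = """[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/myCACertificate.pem
"""

if __name__ == "__main__":
    for label, inputs, server in (("weak", WEAK_INPUTS, WEAK_SERVER),
                                  ("hardened", HARDENED_INPUTS, HARDENED_SERVER)):
        findings = check_hec_inputs(inputs) + check_server_ssl(server)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

To check a live system, read `/opt/splunk/etc/system/local/inputs.conf` and `server.conf` into the two check functions; an empty result from both is the state you want before running `splunk restart splunkd`.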