Splunk Connector

This guide covers implementing Descope's Splunk connector. Splunk is a data platform for searching, monitoring, and analyzing machine-generated logs in real time.

Descope enables you to automatically collect authentication logs and audit events and forward them to your Splunk instance for centralized analysis and security monitoring.

Configure Splunk connector

Navigate to the Connectors page in the Descope Console and select Splunk to create a new Splunk connector.

The following parameters are required to use it:

Connector Name: Provide a unique name for your connector. This assists in distinguishing it, especially when multiple connectors are derived from the same template.
Connector Description: Briefly explain the purpose of this connector (optional).
HTTP Event Collector Token: An HTTP Event Collector token configured on your Splunk instance.
HTTP Event Collector URL: The URL to be used accessing your Splunk instance, including the appropriate port.
Index: An index to use for all events sent to Splunk (optional)
Stream Audit Events: Select which events are sent to Splunk. Descopers can allow all audit events or filter them based on certain actions that occur or tenants in the project.
Stream Troubleshooting Events: Decide whether troubleshooting events are also sent to Splunk.

Creating Your HTTP Event Collector (HEC) in Splunk

In Splunk, navigate to Settings and select Data Inputs under DATA.

Click + Add new next to “HTTP Event Collector”. Add a name for your HEC and then click the green Next > button at the top of the screen.

Under Source type, navigate to Select and find _json in the dropdown menu. Under Index, select main, or another specific index that you desire to use. Then click the Review > button at the top of the screen.

After confirming all of the configurations are correct, click the green Submit > button at the top of the screen.

Obtaining Your HEC Token

After you have successfully created your HTTP Event Collector, you will be brought to a screen which will display the token associated with your HEC. Copy this token and paste it into the HTTP Event Collector Token field in your Descope Splunk Connector.

Note

You can also get the token value of any of your existing HEC's at any time by navigating to Settings > Data inputs > HTTP Event Collector.

Configuring Your HEC URL

For Splunk Enterprise accounts, use the following URL scheme:

<protocol>://<host>:<port>

Protocol: https if SSL is enabled on your HEC Global Settings, http otherwise.
Host: the Splunk instance that runs the HEC.
Port: 8088 by default, unless you change it in the HEC Global Settings.

For Splunk Cloud Platform accounts, use the following URL schemes:

For Splunk Cloud Platform free trials:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>

For Splunk Cloud Platform on AWS:

<protocol>://http-inputs-<host>.splunkcloud.com:<port>

For Splunk Cloud Platform on Google Cloud or Azure:

<protocol>://http-inputs.<host>.splunkcloud.com:<port>

For Splunk Cloud Fedramp Moderate on AWS Govcloud:

<protocol>://http-inputs.<host>.splunkcloudgc.com:<port>

Protocol: either https or http.
Host: the Splunk instance that runs the HEC.
Port: 8088 on Splunk Cloud Platform free trials, 443 by default on Splunk Cloud Platform instances

Viewing Audit Logs

Now the audit logs are viewable in Splunk. The connector can be tested while configuring it so you can ensure the logs are being sent and collected properly.

The logs can still be viewed in Descope under the Audit and Troubleshoot section of the Descope Console.

Was this helpful?