Aembit’s Log Stream to Splunk Security Information and Event Management (SIEM) feature enables rapid streaming of Aembit Edge event logs and audit logs directly to Splunk. This integration uses Splunk’s HTTP Event Collector (HEC) protocol to deliver comprehensive security data, enhancing threat detection capabilities, improving incident management, and streamlining compliance monitoring for your organization.
Prerequisites
Section titled “Prerequisites”Before you can stream Aembit events to Splunk SIEM, you must have an HTTP Event Collector (HEC) set up in your Splunk environment with the following attributes:
- Source Type: Miscellaneous ->
generic_single_line. - Default Index:
Default.
Use your HEC’s Source Name and Token Value in your Splunk SIEM Log Stream configuration.
To configure an HEC in Splunk, see Set up and use HTTP Event Collector in Splunk Web in Splunk’s official docs.
Create a Splunk SIEM Log Stream
Section titled “Create a Splunk SIEM Log Stream”- Log into your Aembit Tenant.
- Go to Administration in the left sidebar menu.
- Select Log Streams in the top ribbon menu.
- Click + New, revealing the Log Stream pop out menu.
- Enter a Name and optional Description.
- Select the Access Event you’d like to stream to Splunk SIEM.
- Select Splunk SIEM using Http Event Collector (HEC) as the Destination Type.
- Fill in the revealed fields:
- Splunk Host/Port - Enter the hostname or IP address and port of your Splunk host
- (Optional) Check TLS to enable TLS communication between your Splunk host and Aembit
- (Optional) TLS Verification - Select the desired option to enable TLS verification
- Authentication Token - Enter the Token Value from your Splunk HEC
- Source Name - Enter the Source Name from your Splunk HEC
- Splunk Host/Port - Enter the hostname or IP address and port of your Splunk host
- Click Save.
Once you save your Log Stream, you can view its details by selecting it in the list of Log Streams to see something similar to the following screenshot:
Monitoring logs
Section titled “Monitoring logs”After configuration, you can search and view logs that Aembit generates from the event type you selected in Splunk’s Search and Reporting page using the following search phrase:
source=<source_name>You should see results similar to the following screenshot:
Failure notifications
Section titled “Failure notifications”If your Aembit account has write privileges for Log Streams, Aembit automatically sends you and email notification when Log Stream transactions consistently fail.