Splunk Service¶
Glossary¶
SPLUNK: Software used for searching monitoring and analyzing big data.
HEC: HTTP Event Controller enables you to send data events to splunk deployments over https using a token-based authentication model.
TLS: Transport Layer Security is a cryptographic protocol that provides end-to-end communications security over networks and is widely used for internet communications and online transactions.
AUDIT DATABASE: Holds all audited events in a given C1 instance.
Abount the Service¶
We created a service which pushes new logs to a Splunk instance. The service itself is fairly straightforward. It simply polls the Audit Database for new logs every 5 seconds. Upon a new log, the service wraps the logs into a Splunk Event Dto and forwards to a Splunk Event Collector. Of course all the communication TLS’d. Meaning, we communicate with the Splunk service via a certificate provided by customer. The call also needs a HEC key or token as authorization for token Splunk.