Forwarding to Splunk


Event forwards originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall and allow inbound requests from these IP addresses to enable Sysdig to handle Splunk event forwarding.

Configure Splunk Event Forwarding

To forward event data to Splunk:

  1. Log in to Sysdig Secure as admin.

  2. From the Settings module, navigate to the Events Forwarding tab.

  3. Select Splunk from the drop-down menu.

  4. Configure the required options:

    Integration Name: Define an integration name.

    URL: Define the URL of the Splunk service. This is the HTTP Event Collector that forwards the events to a Splunk deployment. Be sure to use the format scheme://host:port.

    Token: This is the token that Sysdig uses to authenticate the connection to the HTTP Event Collector. This token is created when you create the Splunk Event Collector.

    Optional: Configure additional Splunk parameters (Index, Source, Source Type) as desired.

    Certificate: If you have configured the Certificates Management tool, you can select one of your uploaded certificates here.

    Index: The index where events are stored. Specify the Index if you have selected one while configuring the HTTP Event Collector.

    Source Type: Identifies the data structure of the event. For more information, see Source Type.

    If left empty, each data type is assigned its default source type. See Appendix: Data Categories Mapped to Source Types for details.

    For more information on these parameters, refer to the Splunk documentation.

    Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.

    Select whether or not you want to allow insecure connections (i.e., an invalid or self-signed certificate on the receiving side).

    Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.

  5. Click the Save button to save the integration.
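The following added example (not Sysdig's own code) shows what the fields above turn into on the wire: the HEC URL in scheme://host:port form, the token sent as a `Splunk <token>` authorization header, the optional Index/Source/Source Type fields in the JSON payload with the appendix defaults as fallback, the TLS verification that the insecure-connections toggle switches off, and the reply check that a "Test Integration" should perform. The `/services/collector/event` path and the reply codes are taken from Splunk's HEC documentation; everything else is an assumption of this example.

```python
import json
import ssl
from urllib.parse import urlsplit

# Appendix defaults: Sysdig data type -> Splunk source type.
DEFAULT_SOURCETYPE = {
    "Monitor Events": "SysdigMonitor",
    "Policy Events (Legacy)": "SysdigPolicy",
    "Sysdig Platform Audit": "SysdigSecureEvents",
    "Benchmark Events": "SysdigSecureEvents",
    "Secure events compliance": "SysdigSecureEvents",
    "Host Vulnerabilities": "SysdigSecureEvents",
    "Runtime Policy Events": "SysdigSecureEvents",
    "Activity Audit": "SysdigActivityAudit",
}
# Subset of HEC reply codes from the Splunk HEC documentation.
HEC_CODES = {0: "Success", 3: "Invalid authorization", 4: "Invalid token",
             6: "Invalid data format", 7: "Incorrect index"}

def hec_endpoint(url, allow_insecure=False):
    """Enforce scheme://host:port; plaintext HTTP only when insecure connections are allowed."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname or p.port is None:
        raise ValueError("URL must be scheme://host:port, got %r" % url)
    if p.scheme == "http" and not allow_insecure:
        raise ValueError("plaintext HTTP would expose the HEC token; use https")
    return "%s://%s:%d/services/collector/event" % (p.scheme, p.hostname, p.port)

def tls_context(allow_insecure=False):
    """Default context verifies the collector's certificate; the insecure toggle disables that."""
    ctx = ssl.create_default_context()
    if allow_insecure:  # accept a self-signed or otherwise invalid certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def build_hec_request(url, token, data_type, event, index=None, source=None,
                      sourcetype=None, allow_insecure=False):
    """Return (endpoint, headers, body); sourcetype falls back to the appendix default."""
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    payload = {"event": event, "sourcetype": sourcetype or DEFAULT_SOURCETYPE[data_type]}
    if index:
        payload["index"] = index
    if source:
        payload["source"] = source
    return hec_endpoint(url, allow_insecure), headers, json.dumps(payload)

def hec_reply_ok(body):
    """Only code 0 means HEC accepted the event; anything else should fail the integration test."""
    code = json.loads(body).get("code")
    return code == 0, HEC_CODES.get(code, "unknown reply")
```

The constructed sample event and token used in the checks stand in for a real runtime policy event and a real HEC token.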

Here is an example of how policy events forwarded from Sysdig Secure are displayed in Splunk:

Appendix: Data Categories Mapped to Source Types

Sysdig Data Type            Splunk Source Type
------------------------    --------------------
Monitor Events              SysdigMonitor
Policy Events (Legacy)      SysdigPolicy
Sysdig Platform Audit       SysdigSecureEvents
Benchmark Events            SysdigSecureEvents
Secure events compliance    SysdigSecureEvents
Host Vulnerabilities        SysdigSecureEvents
Runtime Policy Events       SysdigSecureEvents
Activity Audit              SysdigActivityAudit