Forwarding to Splunk

Prerequisites

Splunk event forwarding originates from 18.209.200.129. To enable Sysdig to handle Splunk event forwarding, your firewall must allow inbound requests from this IP address.

Configure Splunk Event Forwarding

To forward event data to Splunk:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the Add Integration button.

  3. Select Splunk from the drop-down menu.

  4. Toggle the Enabled switch as necessary. By default, the new integration is enabled.

  5. Configure the required options:

    1. Integration Name: Define an integration name.

    2. URL: Define the URL of the Splunk service. This is the HTTP Event Collector (HEC) endpoint through which the forwarded events reach the Splunk deployment. Be sure to use the format scheme://host:port.

    3. Token: The token that Sysdig uses to authenticate to the HTTP Event Collector. This token is generated in Splunk when you create the HTTP Event Collector input.

    4. Optional: Configure additional Splunk parameters (Index, Source, Source Type) as desired.

      Index: The index where events are stored. Specify the Index if you selected one while configuring the HTTP Event Collector.

      Source Type: Identifies the data structure of the event. For more information, see the Splunk documentation on Source Type.

      For more information on these parameters, refer to the Splunk documentation.

    5. Data to send: Currently, Sysdig only supports sending policy events.

    6. Select whether or not you want to allow insecure connections, i.e. skip TLS certificate verification so that an invalid or self-signed certificate on the receiving side is accepted.

  6. Click the Save button to save the integration.
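The settings above map directly onto Splunk's HTTP Event Collector API. The following added example is not Sysdig's code: it validates the scheme://host:port URL format, builds the HEC request with the Index/Source/Source Type fields, and shows what the "allow insecure connections" option actually disables. The URL, token and sample policy event are constructed placeholders.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample values (assumptions, not taken from the Sysdig docs).
HEC_URL = "https://splunk.example.com:8088"            # must be scheme://host:port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"      # placeholder HEC token

def validate_hec_url(url):
    """Check the URL follows the scheme://host:port format the integration expects."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in {url!r}; use http or https")
    if not parsed.hostname or parsed.port is None:
        raise ValueError(f"{url!r} must be scheme://host:port with an explicit port")
    if parsed.path not in ("", "/"):
        raise ValueError("give only the collector base URL; the HEC path is appended")
    return parsed

def build_hec_request(url, token, event, index=None, source=None, sourcetype=None):
    """Build the HEC POST: endpoint, headers and JSON payload (nothing is sent)."""
    base = validate_hec_url(url)
    endpoint = f"{base.scheme}://{base.hostname}:{base.port}/services/collector/event"
    payload = {"event": event}
    # Optional routing fields mirror the Index / Source / Source Type settings.
    for key, value in (("index", index), ("source", source), ("sourcetype", sourcetype)):
        if value:
            payload[key] = value
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return endpoint, headers, json.dumps(payload).encode()

def send_policy_event(url, token, event, allow_insecure=False, **fields):
    """POST one policy event to HEC. allow_insecure=True disables certificate and
    hostname checks, which is what the insecure-connections toggle does."""
    endpoint, headers, body = build_hec_request(url, token, event, **fields)
    ctx = ssl.create_default_context()
    if allow_insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # HEC answers {"text": "Success", "code": 0}

# Constructed sample policy event, shaped loosely like a Sysdig Secure policy event.
SAMPLE_EVENT = {"severity": 4, "name": "Write below binary dir", "container": "nginx"}

if __name__ == "__main__":
    print(send_policy_event(HEC_URL, HEC_TOKEN, SAMPLE_EVENT,
                            index="sysdig", sourcetype="sysdig:policy"))
```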


Here is an example of how policy events forwarded from Sysdig Secure are displayed in Splunk:

[Screenshot: policy events forwarded from Sysdig Secure as displayed in Splunk]