Splunk
Send Halo Security events directly to your Splunk instance for advanced log analysis and correlation.
This integration is currently in beta.
This integration allows you to route notifications about issues, changes, and other events to your Splunk instance based on your configuration, enabling unified security monitoring across your environment.
Splunk Setup
Before configuring the integration in Halo Security, you'll need to set up an HTTP Event Collector in Splunk:
In your Splunk instance, navigate to Settings > Data inputs > HTTP Event Collector > Add New
Enter a name for your data input (e.g., "Halo Security")
Select the allowed indexes where data will be stored (e.g., "main"). Limit the token to the index Halo Security will write to; HEC rejects events addressed to any index not on this list
After creating the HTTP Event Collector, make note of the:
Token Value that is generated (treat it as a credential: anyone holding it can write events into the allowed indexes)
Splunk server hostname
HTTP Event Collector port (default: 8088)
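Before entering these values in Halo Security, it is worth confirming that the token, port and index actually accept events. The script below is an added example, not Halo Security or Splunk code: it posts one constructed event to the collector and interprets HEC's JSON reply. The host, port, token and index are placeholders (assumptions) to replace with the values noted above.

```python
"""HEC smoke test: confirm token, port and index work before wiring them into Halo Security.

Added example, not Halo Security or Splunk code. Host, port, token and index are
placeholders (assumptions); replace them with the values noted during HEC setup.
"""
import json
import ssl
import urllib.error
import urllib.request

SPLUNK_HOST = "splunk.example.com"                     # placeholder hostname
SPLUNK_PORT = 8088                                     # HEC default port
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"     # placeholder token value
SPLUNK_INDEX = "main"                                  # must be one of the token's allowed indexes

# HEC reply codes worth recognising during setup (from Splunk's HEC reply-code table).
HEC_CODES = {0: "Success", 3: "Invalid authorization", 4: "Invalid token", 7: "Incorrect index"}


def hec_url(host, port):
    """Endpoint for JSON-formatted events; HEC listens over HTTPS by default."""
    return f"https://{host}:{port}/services/collector/event"


def build_event(index, event, sourcetype="_json"):
    """HEC envelope: routing metadata (index, sourcetype) next to the event body."""
    return {"index": index, "sourcetype": sourcetype, "event": event}


def build_request(host, port, token, index, event):
    """POST request carrying one event, authenticated with HEC's 'Splunk <token>' scheme."""
    body = json.dumps(build_event(index, event)).encode()
    req = urllib.request.Request(hec_url(host, port), data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def classify_hec_response(status, payload):
    """HEC answers with JSON {"text": ..., "code": ...}; HTTP 200 with code 0 is the only success."""
    code = payload.get("code")
    text = payload.get("text") or HEC_CODES.get(code, "unknown reply")
    if status == 200 and code == 0:
        return True, text
    hint = {4: "token value copied wrong or token disabled",
            7: "index is not in the token's allowed indexes"}.get(code, "")
    return False, f"HTTP {status}: {text}" + (f" ({hint})" if hint else "")


def send_test_event(host=SPLUNK_HOST, port=SPLUNK_PORT, token=HEC_TOKEN,
                    index=SPLUNK_INDEX, verify_tls=True):
    """Post one constructed event and return (ok, message)."""
    req = build_request(host, port, token, index,
                        {"source": "halo-security-smoke-test", "message": "HEC connectivity check"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab HEC still presenting Splunk's default self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return classify_hec_response(resp.status, json.loads(resp.read()))
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry HEC's JSON body
        try:
            payload = json.loads(err.read())
        except ValueError:
            payload = {"text": err.reason}
        return classify_hec_response(err.code, payload)
    except (urllib.error.URLError, OSError) as err:  # DNS, connection refused, TLS failure
        return False, f"could not reach HEC at {hec_url(host, port)}: {err}"


if __name__ == "__main__":
    ok, msg = send_test_event()
    print("OK:" if ok else "FAILED:", msg)
```

A certificate error means HEC is still serving Splunk's default self-signed certificate; install one your clients trust rather than leaving validation disabled outside a lab. A code 7 reply means the index is not among the token's allowed indexes, the same mismatch a misconfigured profile produces once events start flowing.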
Connect Splunk
Visit your Account > Integrations > Add
Add the Splunk integration
Enter a name for the integration
Click Save
Enter the following information from the Splunk HTTP Event Collector you set up:
Splunk Server
Splunk Server Host
Splunk Server Port
Click Save Changes
Create Profiles
After connecting Splunk, you can create profiles to control how data is sent to your Splunk instance. Each profile names the Splunk index that the events it handles are written to. To create a profile:
Navigate to the Profiles tab
Click the + icon
Enter a name for the profile
Configure the following settings:
Profile Name: A name for the profile.
Splunk Index: The Splunk index where events will be stored. It must match one of the allowed indexes selected during the Splunk setup; HEC rejects events addressed to any other index, so a typo here silently drops every event routed through the profile.
Click Save
You can create multiple profiles to route different types of events to different Splunk indexes.
Create Event Rules
To send data to Splunk, create Event Rules and add your Splunk profile as an action. Visit Events > Event Rules to set up rules that determine which events are sent to Splunk.
Learn more about configuring Event Rules at:
Using the Integration
Once configured, events matching your criteria will automatically be sent to your Splunk instance. You can search for these events in Splunk using queries like:
To filter for specific event types: