Splunk

You can configure Lacework to forward alerts to Splunk using an HTTP Event Collector (HEC).

Lacework forwards alerts to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port (for example, 8088) you must set up port forwarding.

Create a Splunk HTTP Event Collector

  1. Navigate to Settings > Data Inputs.
  2. In the HTTP Event Collector row, click + Add new.
  3. On the Select Source page:
    1. Provide a name for your token.
    2. Optionally, override the default source name and provide a description (for example, "lacework_alerts" and "HEC for Lacework Alerts").
    3. Optionally specify an Output Group.
    4. At the top of the page, click Next.
  4. On the Input Settings page:
    1. Specify a Source type or leave it as automatic. Lacework sends the data as JSON, so you can explicitly choose _json under Structured.
    2. Choose an App Context as applicable to your Splunk design and use.
    3. Choose Indexes as applicable to your Splunk design and use.
    4. At the top of the page, click Review.
  5. On the Review page, review your inputs, and click Submit at the top of the page.

You should see the message Token has been created successfully. You will need the token, index, source and resolvable hostname or IP address of your Splunk instance.

Create a Splunk Alert Channel from the Lacework Console

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Splunk.
  5. Click Next.
  6. Follow the steps in the next section.

Create a Splunk Alert Channel

Ensure you have created your Splunk HTTP event collector as described in Create a Splunk HTTP Event Collector. Then complete the following steps:

  1. Name the channel.
  2. Enter your Splunk HEC token.
  3. Optionally enter a Splunk channel.
  4. Enter the resolvable hostname or IP address of your Splunk instance (such as https-inputs-<customer>.splunkcloud.com). Enter only the hostname or IP address: do not prefix it with https:// or http://, do not include the port number, and do not append /services/collector at the end.
  5. Enter the destination port for forwarding events [80 or 443].
  6. Check the SSL box if appropriate.
  7. Enter your Splunk index.
  8. Enter your Splunk source.
  9. Click Save.
  10. Click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.

To test your channel, click Test. You should see confirmation that the test succeeded and a single alert sent to Splunk with the field-value pair host: login.lacework.net. You should then start to receive Lacework alert notifications in Splunk.
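The hostname rules above (no scheme, no port, no /services/collector path), the 80/443 port restriction, and the "test the channel" step are easy to get wrong when a HEC URL is copied straight out of Splunk. The following script is an added example, not Lacework's or Splunk's own code: it turns whatever was pasted into the three values the channel form wants (host, port, SSL flag), rejects what Lacework cannot use with an explanation, and can post one constructed event to the collector to confirm the token, index and source work before the alert channel is saved. It relies only on the documented Splunk HEC interface (the /services/collector endpoint, the "Authorization: Splunk <token>" header, the JSON envelope keys and the {"text": ..., "code": 0} success reply); every hostname, token and event in it is constructed.

```python
"""Pre-flight checks for a Lacework -> Splunk HEC alert channel (added example)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_PORTS = (80, 443)          # the only destination ports Lacework forwards to
HEC_PATH = "/services/collector"   # Splunk HEC endpoint; Lacework appends it itself


class ChannelConfigError(ValueError):
    """Raised when a value would not work in the Lacework alert channel form."""


def parse_channel_target(raw):
    """Turn a bare hostname, host:port or a pasted HEC URL into the three values the
    channel form asks for: host (no scheme, port or path), port and SSL flag.
    Values Lacework cannot use (a non-80/443 port, a stray path) are rejected with
    an explanation instead of being silently dropped."""
    value = raw.strip()
    if "://" not in value:
        value = "//" + value            # make urlsplit treat it as a network location
    parts = urlsplit(value)
    if parts.scheme not in ("", "http", "https"):
        raise ChannelConfigError(f"unsupported scheme {parts.scheme!r}")
    if parts.path not in ("", "/", HEC_PATH) or parts.query or parts.fragment:
        raise ChannelConfigError(
            f"{raw!r} carries a path or query; enter only the hostname, Lacework adds {HEC_PATH}")
    host = parts.hostname
    if not host:
        raise ChannelConfigError(f"no hostname found in {raw!r}")
    try:
        explicit_port = parts.port
    except ValueError as exc:
        raise ChannelConfigError(f"bad port in {raw!r}") from exc
    if parts.scheme == "https":
        ssl = True
    elif parts.scheme == "http":
        ssl = False
    else:
        ssl = explicit_port != 80        # no scheme given: assume TLS unless port 80 was named
    port = explicit_port if explicit_port is not None else (443 if ssl else 80)
    if port not in ALLOWED_PORTS:
        raise ChannelConfigError(
            f"port {port} is not 80 or 443; Lacework cannot reach it directly, set up port forwarding")
    if (ssl and port == 80) or (not ssl and port == 443):
        # Almost always a mistake: the SSL box and the port disagree.
        raise ChannelConfigError(f"SSL={ssl} does not match port {port}")
    return host, port, ssl


def hec_url(host, port, ssl):
    """The URL Lacework (and this check) POSTs to."""
    return f"{'https' if ssl else 'http'}://{host}:{port}{HEC_PATH}"


def build_hec_request(token, index, source, event, host="login.lacework.net"):
    """Build the headers and JSON envelope a HEC client sends. The host value
    mirrors what the Lacework test alert arrives with; the event is constructed."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    envelope = {"event": event, "host": host, "source": source,
                "sourcetype": "_json", "index": index}
    return headers, json.dumps(envelope).encode()


def hec_reply_ok(status, body):
    """Interpret a HEC reply: HTTP 200 with {"code": 0} means the event was accepted.
    Returns (ok, message) so a bad token or closed index is reported, not hidden."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False, f"HTTP {status}: non-JSON reply"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text', '?')} (code {reply.get('code', '?')})"


def send_test_event(target, token, index, source, timeout=10):
    """POST one constructed event to the collector and report whether it was accepted."""
    host, port, ssl = parse_channel_target(target)
    headers, body = build_hec_request(
        token, index, source, {"message": "lacework channel pre-flight", "constructed": True})
    req = urllib.request.Request(hec_url(host, port, ssl), data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return hec_reply_ok(resp.status, resp.read())
    except urllib.error.HTTPError as err:          # 4xx/5xx replies still carry a HEC JSON body
        return hec_reply_ok(err.code, err.read())


if __name__ == "__main__":
    import sys
    # usage: python hec_check.py https-inputs-<customer>.splunkcloud.com <token> <index> <source>
    accepted, message = send_test_event(*sys.argv[1:5])
    print("accepted" if accepted else "rejected", message)
    sys.exit(0 if accepted else 1)
```

Run it once with the values from the HEC you created; a reply other than "Success (code 0)" (for example an invalid-token or index error) tells you which of the four values to fix before the Lacework channel test is attempted.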

Create a Lacework Splunk Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

Lacework forwards alerts to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port (for example, 8088) you must set up port forwarding.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

resource "lacework_alert_channel_splunk" "ops_critical" {
  name      = "OPS Critical Alerts"
  hec_token = "BA696D5E-CA2F-4347-97CB-3C89F834816F"
  host      = "localhost"
  port      = "80"
  event_data {
    index  = "index"
    source = "source"
  }
}

Additional information on the lacework_alert_channel_splunk resource can be found on the Terraform Registry.