
Splunk Alert Channel

You can configure Lacework to forward alerts to Splunk using an HTTP Event Collector (HEC).

Lacework forwards alerts to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port (for example, 8088) you must set up port forwarding.

Info: Lacework does not support the use of self-signed SSL/TLS certificates for the Splunk server URL.

Create a Splunk HTTP Event Collector

Do the following:

  1. Navigate to Settings > Data Inputs.
  2. In the HTTP Event Collector row, select + Add new.
  3. On the Select Source page:
    1. Provide a name for your token.
    2. Optionally, override the default source name and provide a description. For example, "lacework_alerts" and "HEC for Lacework Alerts".
    3. Optionally, specify an Output Group.
    4. At the top of the page, click Next.
  4. On the Input Settings page:
    1. Specify a Source type or leave it as automatic. Lacework sends the data as JSON, so you can explicitly choose _json under Structured.
    2. Choose an App Context as applicable to your Splunk design and use.
    3. Choose Indexes as applicable to your Splunk design and use.
    4. At the top of the page, click Review.
  5. On the Review page, review your inputs, and click Submit at the top of the page.

You should see the message Token has been created successfully. Copy the token, index, source and resolvable hostname or IP address of your Splunk instance.

Create a Splunk Alert Channel from the Lacework Console

Do the following:

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Splunk.
  5. Click Next.
  6. Verify that you have created your Splunk HTTP event collector as described in Create a Splunk HTTP Event Collector.
  7. Name the channel.
  8. Enter your Splunk HEC token.
  9. Optionally enter a Splunk channel.
  10. Enter the resolvable hostname or IP address of your Splunk instance (such as http-inputs-<customer>.splunkcloud.com). Do not include the port number or the http:// prefix, and do not append /services/collector to the hostname or IP address.
  11. Enter the destination port for forwarding events (80 or 443).
  12. Check the SSL box if appropriate.
  13. Enter your Splunk index.
  14. Enter your Splunk source.
  15. Click Save.
  16. Click Alert Rules and configure the alert routing you need using the alert channel you just created.

To test your alert channel, click Test. You should see a confirmation of the test and a single alert in Splunk carrying the field-value pair host: login.lacework.net. After that, Lacework alert notifications should start arriving in Splunk.
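As an added example (not Lacework's or Splunk's own code), the following Python builds the HEC request that the channel settings above imply and flags the host and port mistakes the steps warn about. The /services/collector path and the Authorization: Splunk header are standard HEC; mapping the optional Splunk channel to the X-Splunk-Request-Channel header and setting the test alert's host as HEC event metadata are assumptions.

```python
"""Build (and optionally send) the Splunk HEC request implied by a Lacework Splunk alert channel."""
import json
import urllib.request

ALLOWED_PORTS = (80, 443)               # the only destination ports Lacework forwards to
TEST_ALERT_HOST = "login.lacework.net"  # host field shown on the channel's test alert


def config_problems(host: str, port) -> list:
    """Return the configuration mistakes the console steps warn about (empty list = OK)."""
    problems = []
    bare = host.split("://", 1)[-1]     # hostname as it would look without a scheme
    if "://" in host:
        problems.append("host must not include a scheme such as http://")
    if "/" in bare:
        problems.append("host must not include a path such as /services/collector")
    if ":" in bare:
        problems.append("host must not include a port; use the separate port field")
    try:
        port_ok = int(port) in ALLOWED_PORTS
    except (TypeError, ValueError):
        port_ok = False
    if not port_ok:
        problems.append("port must be 80 or 443; forward other Splunk ports (such as 8088) to one of them")
    return problems


def build_hec_request(host, port, ssl, hec_token, index, source, event, channel=None):
    """Return the URL, headers and JSON body of one HEC event, as a dict."""
    problems = config_problems(host, port)
    if problems:
        raise ValueError("; ".join(problems))
    scheme = "https" if ssl else "http"  # the SSL checkbox in the console
    headers = {"Authorization": f"Splunk {hec_token}",  # standard HEC token header
               "Content-Type": "application/json"}
    if channel:  # assumption: the optional "Splunk channel" is HEC's request-channel header
        headers["X-Splunk-Request-Channel"] = channel
    body = {"event": event, "index": index, "source": source,
            "sourcetype": "_json",        # matches the _json source type chosen during HEC setup
            "host": TEST_ALERT_HOST}      # assumption: the test alert's host is sent as HEC metadata
    return {"url": f"{scheme}://{host}:{int(port)}/services/collector",
            "headers": headers, "body": body}


def send_event(request: dict, timeout: float = 10) -> int:
    """POST one event. urllib's default TLS context verifies the certificate chain,
    so a self-signed Splunk certificate fails here just as it does for Lacework."""
    req = urllib.request.Request(request["url"], data=json.dumps(request["body"]).encode(),
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Running config_problems over a candidate host and port before saving the channel catches the scheme, port and path mistakes without a round trip to Splunk.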

Create a Lacework Splunk Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.

resource "lacework_alert_channel_splunk" "ops_critical" {
  name      = "OPS Critical Alerts"
  hec_token = "BA696D5E-CA2F-4347-97CB-3C89F834816F"
  host      = "localhost"
  port      = "80"
  event_data {
    index  = "index"
    source = "source"
  }
}

Additional information on the lacework_alert_channel_splunk resource can be found on the Terraform Registry.