Send Cyral logs to Splunk
Follow the steps below to configure Cyral to output repository activity logs to your Splunk collector.
Prerequisites
- Set up an HTTP event collector in your Splunk Web instance. Cyral will send logs to this collector. When you create it, make the following settings:
  - Enable indexer acknowledgement: No (Leave the checkbox unchecked.)
  - Source Type: JSON
  - Optionally, you can set the collector's Name to Cyral logs or similar, and you can set Source Name Overwrite to Cyral Sidecar or similar, to show these logs come from Cyral.
  - You can also create a new index for the collector to write Cyral's logs to.
Procedure
Navigate to the Integrations page in the sidebar.
Click Setup or Configure on the Logging card, and click the New Integration button.
Select Splunk from the list of integration platforms.
Configure the Splunk integration:
- Name: Give your integration a unique name. You'll use this name when you configure a sidecar to send logs to this Splunk integration.
- Host: Address of your Splunk collector that will receive log data from Cyral. This should not contain the prefix http or https. This can be a hostname or IP address, as in prod-1234.example.com or 192.0.2.22.
- Port: Listener port of your Splunk HTTP event collector (HEC listener). The default port is 8088, but you may have chosen a different port in Splunk.
- Token: After you configure your HTTP event collector, Splunk provides an access token to be used with HTTP requests to that collector. Copy this value from Splunk and paste it here.
- Index: (Optional) HTTP event collector index for grouping the logs sent by the sidecar. You create the index when you configure the HTTP event collector in Splunk.
- TLS: (Optional) If your Splunk HTTP event collector has been set to accept only TLS connections, set the TLS checkbox to ON.
Click Create.
For each sidecar that will send logs to this destination, configure the sidecar's advanced logging settings and select this integration for Data Activity Logs and/or Diagnostic Logs. For more information, see "Manage Sidecars -> Logging".
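To check the Host, Port, Token, Index and TLS values against the collector before entering them in Cyral, the following added example (not part of the Cyral or Splunk documentation) validates them and builds a test event for the Splunk HTTP event collector. The function names, the test message and the sample token are constructed for illustration; the /services/collector/event path and the "Authorization: Splunk <token>" header are Splunk's standard HEC interface.

```python
import json
import urllib.request


def build_hec_request(host, port, token, index=None, tls=False):
    """Validate the integration fields and build a Splunk HEC test request."""
    host = host.strip()
    # Host is a bare hostname or IP address: no http/https prefix, no path.
    if not host or "://" in host or "/" in host or " " in host:
        raise ValueError("Host must be a hostname or IP address without http/https")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("Port must be between 1 and 65535")
    if not token:
        raise ValueError("Token is required")
    # The TLS checkbox decides the scheme; with TLS off the token travels in cleartext.
    scheme = "https" if tls else "http"
    url = f"{scheme}://{host}:{port}/services/collector/event"
    event = {"event": {"message": "Cyral integration connectivity test"}}
    if index:  # Index is optional; omit it to use the collector's default index.
        event["index"] = index
    return urllib.request.Request(
        url, data=json.dumps(event).encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})


def send_test_event(request, timeout=5):
    """POST the test event and return Splunk's parsed JSON reply."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read())


if __name__ == "__main__":
    # Constructed sample values; replace them with your collector's settings.
    req = build_hec_request("prod-1234.example.com", 8088,
                            "00000000-0000-0000-0000-000000000000", tls=True)
    print("Would POST to", req.full_url)
    # print(send_test_event(req))  # uncomment to send to a reachable collector
```

A successful send shows up as one event in the index the collector writes to, which confirms the token and index before any sidecar is pointed at the integration.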
Next steps
- For more about monitoring a data repository, see Monitor all data activity from users and services.
- To understand log contents and configuration, see Sidecar Logging.
- Learn more about logging preferences.