Version: v4.1

Send Cyral logs to Splunk

Follow the steps below to configure Cyral to output repository activity logs to your Splunk collector.

Prerequisites

  • Set up an HTTP event collector (HEC) in your Splunk Web instance. Cyral will send logs to this collector. When you create it, use the following settings:
    • Enable indexer acknowledgement: No (Leave the checkbox unchecked.)
    • Source Type: JSON
    • Optionally, you can set the collector's Name to Cyral logs or similar, and you can set Source Name Overwrite to Cyral Sidecar or similar, to show these logs come from Cyral.
    • You can also create a new index for the collector to write Cyral’s logs to.

Procedure

  1. In the Cyral management console, click Integrations in the sidebar, find the Splunk card, and click Setup or Configure.

  2. In the configuration form, click New Integration.

  3. Configure the Splunk integration:

    • Integration Name: Give your integration a unique name. You'll use this name when you configure a sidecar to send logs to this Splunk integration.
    • Host: Address of your Splunk collector that will receive log data from Cyral. This should not contain the prefix http or https. This can be a hostname or IP address, as in prod-1234.example.com or 192.0.2.22.
    • HTTP Event Collector Port: listener port of your Splunk HTTP event collector (HEC listener). The default port is 8088, but you may have chosen a different port in Splunk.
    • Access Token: After you configure your HTTP event collector, Splunk provides an access token to be used with HTTP requests to that collector. Copy this value from Splunk and paste it here.
    • Index: HTTP event collector index for grouping the logs sent by the sidecar. You create the index when you configure the HTTP event collector in Splunk.
    • TLS: If your Splunk HTTP event collector has been set to accept only TLS connections, set the TLS checkbox to ON.
  4. Click Save.
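Before you click Save, it is worth confirming that the collector really accepts an event with the exact host, port, token, index and TLS setting you are about to enter, so that a typo in the form does not surface later as silently missing repository logs. The script below is an added example and is not Cyral's or Splunk's own code. It applies the constraints described in step 3 (bare hostname or IP, no http:// or https:// prefix), builds the same kind of HTTP request the sidecar will make to the standard HEC endpoint `/services/collector/event`, and translates Splunk's documented HEC reply codes into a verdict. The function names, the test event and the sample replies are all constructed for this example.

```python
"""Pre-flight check for a Splunk HTTP Event Collector before saving the
Cyral integration: validate the form values, then send one test event.
Added example; function names and sample data are constructed here."""
import json
import re
import ssl
import urllib.error
import urllib.request

# Splunk's documented HEC reply codes that a misconfigured integration most
# often triggers. Code 10 is what you get when indexer acknowledgement was
# left enabled on the collector, which the prerequisites tell you to avoid.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    8: "Internal server error",
    9: "Server is busy",
    10: "Data channel is missing (indexer acknowledgement is enabled)",
}


def validate_settings(host, port, token, index, tls):
    """Apply the constraints the Cyral form describes and return a normalised
    dict. Raises ValueError naming the offending field."""
    if re.match(r"^https?://", host, re.IGNORECASE):
        raise ValueError("Host: do not include the http:// or https:// prefix")
    if not host or "/" in host or any(c.isspace() for c in host):
        raise ValueError("Host: use a bare hostname or IP address")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("HTTP Event Collector Port: out of range")
    if not token.strip():
        raise ValueError("Access Token: empty")
    if not index.strip():
        raise ValueError("Index: empty")
    return {"host": host, "port": port, "token": token.strip(),
            "index": index.strip(), "tls": bool(tls)}


def build_request(settings, event):
    """URL, headers and JSON body for one HEC event. The scheme follows the
    TLS checkbox; the index is the one chosen in the form. Splunk's built-in
    JSON source type is named _json."""
    scheme = "https" if settings["tls"] else "http"
    url = f"{scheme}://{settings['host']}:{settings['port']}/services/collector/event"
    headers = {"Authorization": f"Splunk {settings['token']}",
               "Content-Type": "application/json"}
    body = json.dumps({"event": event, "sourcetype": "_json",
                       "index": settings["index"]}).encode()
    return url, headers, body


def interpret_reply(status, body):
    """Map an HEC HTTP status and JSON reply body to (ok, message)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    ok = status == 200 and code == 0
    return ok, HEC_CODES.get(code, f"HTTP {status}, HEC code {code}")


def send_test_event(settings, verify_tls=True, timeout=5):
    """Send one constructed event and return (ok, message). This is the only
    function that touches the network. Pass verify_tls=False only for a
    self-signed collector certificate in a lab; never in production."""
    url, headers, body = build_request(
        settings, {"source": "cyral-hec-preflight", "msg": "test event"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return interpret_reply(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return interpret_reply(e.code, e.read())
    except (urllib.error.URLError, OSError) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    # Values below are placeholders; substitute the ones you will enter in
    # the Cyral form.
    cfg = validate_settings("prod-1234.example.com", 8088,
                            "REPLACE-WITH-HEC-TOKEN", "cyral", True)
    print(send_test_event(cfg))
```

A reply of `(True, "Success")` means the token, index and port are consistent with the collector; `Incorrect index` usually means the index name in the form does not match the one the HEC was allowed to write to, and `Data channel is missing` means indexer acknowledgement is still enabled on the collector.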

caution

Each sidecar that will send logs to this log destination will need to be deployed with its Log Integration set to the Integration Name you specified above.

When deploying new sidecars, make sure to choose the name of this Log Integration when you generate the template.

NOTE: Sidecars that are already deployed will need to be redeployed.

Next steps