Integrate Splunk with CloudGuard Dome9
Solution

Push

Here's how to connect Splunk to CloudGuard Dome9 with a push method:

  1. Download and install the Dome9 App for Splunk
  2. Set up Dome9 to send events to SNS
  3. Set up an HTTP Event Collector (HEC) input in Splunk
    - Set the sourcetype to aws-dome9 and save the token that is generated; the Lambda function in the next step needs it
  4. Create a new Lambda function from the Splunk-logging blueprint, subscribe it to the Dome9 SNS topic, and give it the HEC URL and token from step 3 as function configuration rather than hard-coding them

To test and verify, open the Dome9 app in Splunk, then log out of and back into the Dome9 UI. The login event should appear on the Dome9 dashboard in Splunk.
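To make the push path concrete, here is an added example of what the Lambda function in step 4 has to do: unwrap the Dome9 event from the SNS record, tag it with the aws-dome9 sourcetype, and POST it to the HEC endpoint with the saved token. This is example code written for this article, not the AWS Splunk-logging blueprint and not Check Point's code. The environment variable names, the topic ARN, and the fields inside the sample Dome9 event are assumptions made for the example.

```python
"""Forward CloudGuard Dome9 events from SNS to a Splunk HTTP Event Collector (HEC).

Example for the push path (Dome9 -> SNS -> Lambda -> Splunk HEC). Not the
Splunk-logging blueprint; env var names, topic ARN and sample fields are assumed.
"""
import json
import os
import time
import urllib.request
from datetime import datetime, timezone

SOURCETYPE = "aws-dome9"  # must match the sourcetype set on the HEC input in Splunk


def sns_timestamp_to_epoch(iso_ts):
    """SNS stamps records like 2019-01-02T12:45:07.000Z; return epoch seconds."""
    try:
        dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    except (TypeError, ValueError):
        return time.time()  # missing or unparseable: index at arrival time instead
    return dt.replace(tzinfo=timezone.utc).timestamp()


def build_hec_events(lambda_event, allowed_topics=None):
    """Convert the SNS-triggered Lambda event into HEC event objects.

    allowed_topics: optional set of SNS topic ARNs. Records from any other topic
    are dropped, so a stray subscription cannot inject forged events.
    """
    hec_events = []
    for record in lambda_event.get("Records", []):
        sns = record.get("Sns", {})
        topic = sns.get("TopicArn")
        if allowed_topics is not None and topic not in allowed_topics:
            continue
        raw = sns.get("Message", "")
        try:
            message = json.loads(raw)  # Dome9 publishes the event body as a JSON string
        except json.JSONDecodeError:
            message = {"raw": raw}     # keep it as text rather than silently dropping it
        hec_events.append({
            "time": sns_timestamp_to_epoch(sns.get("Timestamp")),
            "source": topic or "sns",
            "sourcetype": SOURCETYPE,
            "event": message,
        })
    return hec_events


def encode_batch(hec_events):
    """HEC accepts several events per request as concatenated JSON objects."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in hec_events).encode()


def forward_to_hec(hec_events, hec_url, token, opener=urllib.request.urlopen):
    """POST the batch to .../services/collector/event and return the HTTP status.

    urlopen verifies the collector's certificate by default; do not hand it an
    unverified SSL context to make a self-signed HEC "work" in production.
    """
    if not hec_events:
        return None
    req = urllib.request.Request(
        hec_url,
        data=encode_batch(hec_events),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context):
    """Lambda entry point: HEC URL, token and topic allow-list come from the environment."""
    hec_url = os.environ["SPLUNK_HEC_URL"]      # e.g. https://splunk.example.com:8088/services/collector/event
    token = os.environ["SPLUNK_HEC_TOKEN"]      # the token saved when the HEC input was created
    topics = os.environ.get("DOME9_TOPIC_ARN")  # optional, comma-separated (assumed variable name)
    allowed = set(topics.split(",")) if topics else None
    events = build_hec_events(event, allowed)
    return {"forwarded": len(events), "status": forward_to_hec(events, hec_url, token)}


# Constructed sample: the shape Lambda receives from SNS, carrying a hypothetical
# Dome9 login event in Message. The field names inside Message are assumptions.
SAMPLE_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:dome9-events",
            "Timestamp": "2019-01-02T12:45:07.000Z",
            "Message": json.dumps({"type": "Login", "user": "alice@example.com", "status": "success"}),
        },
    }],
}

if __name__ == "__main__":
    for line in encode_batch(build_hec_events(SAMPLE_EVENT)).decode().splitlines():
        print(line)
```

Run it without arguments to see the exact bytes that would be sent to HEC for the sample event. The topic allow-list matters more than it looks: the HEC token authenticates the Lambda to Splunk, but nothing on the Splunk side knows which SNS topic a record really came from, so the function is the only place to refuse records from a topic you did not intend to index.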

Pull

Here's how to collect the same events by pulling them from a queue instead of pushing them through Lambda:

  1. Set up Dome9 to send events to SNS
  2. Create a new SQS queue (e.g. dome9-events) and subscribe it to the Dome9 SNS topic you created earlier; the queue's access policy must allow that topic to send messages to it
  3. Download the SQS-PyPoller and follow its setup instructions (create an IAM user, grant it permissions on the SQS queue, and set up the config file with the credentials and the output you want). The poller only needs to receive and delete messages on that one queue, so scope the IAM permissions to that queue rather than to all of SQS
  4. In the .conf file, choose where to output the events: a local file or syslog, depending on where the poller runs. From there, configure Splunk to monitor that file or syslog input like any other local source, using the same aws-dome9 sourcetype as in the push setup so the Dome9 app can pick the events up
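The pull path differs from the push path in one detail that is easy to get wrong: SNS does not deliver the bare Dome9 event to SQS, it delivers a JSON envelope (Type, TopicArn, Message, ...) with the Dome9 event as a JSON string inside Message. The added example below, written for this article and not taken from the SQS-PyPoller project or from Check Point, does one long-poll cycle against the queue, unwraps that envelope, writes each accepted event as one JSON line to a file Splunk can monitor, and only then deletes the message. The queue URL, topic ARN, output path and sample messages are assumptions constructed for the example; the boto3 client is replaced by an in-memory fake so it runs offline.

```python
"""Pull CloudGuard Dome9 events from an SQS queue subscribed to the Dome9 SNS topic.

Example for the pull path; not the SQS-PyPoller's code. Queue URL, topic ARN,
output path and sample messages are assumptions constructed for this example.
"""
import io
import json
import sys


def unwrap_sns_envelope(body_text, expected_topic=None):
    """Return the Dome9 event inside an SNS->SQS envelope, or None.

    Anything that is not a Notification from the expected topic should never
    reach the queue if its access policy is right, so it is treated as noise.
    """
    try:
        envelope = json.loads(body_text)
    except json.JSONDecodeError:
        return None
    if envelope.get("Type") != "Notification":
        return None
    if expected_topic is not None and envelope.get("TopicArn") != expected_topic:
        return None
    raw = envelope.get("Message", "")
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {"raw": raw}  # keep the text rather than lose the event


def poll_once(sqs, queue_url, sink, expected_topic=None):
    """One long-poll cycle: receive up to 10 messages, write the good ones, delete them.

    `sqs` is anything with boto3's receive_message/delete_message_batch interface.
    Rejected messages are left in the queue on purpose: give the queue a redrive
    policy so they move to a dead-letter queue instead of being redelivered forever.
    Returns (written, rejected).
    """
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    written = rejected = 0
    done = []
    for msg in resp.get("Messages", []):
        event = unwrap_sns_envelope(msg["Body"], expected_topic)
        if event is None:
            rejected += 1
            continue
        sink.write(json.dumps(event, separators=(",", ":")) + "\n")
        written += 1
        done.append({"Id": msg["MessageId"], "ReceiptHandle": msg["ReceiptHandle"]})
    sink.flush()  # the line is on disk before the message is deleted from the queue
    if done:
        sqs.delete_message_batch(QueueUrl=queue_url, Entries=done)
    return written, rejected


TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:dome9-events"  # assumed
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/dome9-events"  # assumed


class FakeSqs:
    """In-memory stand-in for a boto3 SQS client so the example runs offline."""
    def __init__(self, bodies):
        self.bodies = bodies
        self.deleted = []

    def receive_message(self, **kwargs):
        return {"Messages": [{"MessageId": "m%d" % i, "ReceiptHandle": "rh%d" % i, "Body": b}
                             for i, b in enumerate(self.bodies)]}

    def delete_message_batch(self, QueueUrl, Entries):
        self.deleted.extend(e["Id"] for e in Entries)
        return {"Successful": [{"Id": e["Id"]} for e in Entries]}


def constructed_messages():
    """Three sample queue bodies: a Dome9 login event, one from the wrong topic, and junk."""
    good = {"Type": "Notification", "TopicArn": TOPIC_ARN,
            "Message": json.dumps({"type": "Login", "user": "alice@example.com"})}
    wrong_topic = dict(good, TopicArn="arn:aws:sns:us-east-1:123456789012:something-else")
    return [json.dumps(good), json.dumps(wrong_topic), "not json at all"]


def demo():
    """Run one poll cycle against the fake queue; report what was written and deleted."""
    sqs = FakeSqs(constructed_messages())
    out = io.StringIO()
    written, rejected = poll_once(sqs, QUEUE_URL, out, TOPIC_ARN)
    return {"written": written, "rejected": rejected,
            "deleted": sqs.deleted, "lines": out.getvalue().splitlines()}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # poller.py <queue_url> <output_file>: real queue via boto3
        import boto3
        client = boto3.client("sqs")
        with open(sys.argv[2], "a") as fh:
            while True:
                poll_once(client, sys.argv[1], fh, TOPIC_ARN)
    else:
        print(json.dumps(demo(), indent=2))
```

Run it without arguments for the offline demo, or with a queue URL and an output file to poll a real queue with boto3 (credentials come from the usual boto3 sources, never from the script). On the Splunk side, a monitor input on that file with sourcetype aws-dome9 is all that is needed; the write-then-flush-then-delete order means a crash between the two steps produces a duplicate line, never a lost event.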

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
