Configure Splunk as a Log System for CloudGuard
Solution

This article describes how to configure CloudGuard to send compliance findings to Splunk. This involves the configuration of an HTTP Event Collector on your Splunk instance and the configuration of a Posture Notification on CloudGuard.

There are many ways to configure Splunk Event Collectors (see Splunk Documentation for details). The steps below describe a typical case, for Splunk Cloud.

Configure an HTTP Event Collector on Splunk (Cloud)

  1. On your Splunk instance, navigate to Settings and select Data Input.
  2. In the Local inputs list, select HTTP Event Collector.
  3. Click New Token on the upper right.
  4. Enter a name for the event collector and click Next.
  5. In the Input Settings, select the 'main' index in the Index section, then click Review.
  6. Click Submit.
  7. Copy the Token Value.

Configure a CloudGuard Notification

  1. In the CloudGuard portal, navigate to Notifications in the Settings menu.
  2. Click Add Notification.
  3. Enter a name & description for the policy.
  4. Select Send to HTTP Endpoint in the Immediate Notification section.
  5. Copy the URL of your Splunk instance and enter it in the Endpoint URL field. Click Test to verify the connection.
  6. From the Authentication Type list, select Basic.
  7. Paste the Splunk token from the previous section in the Password field and enter any value for the Username.
  8. Select Splunk - JSON.
  9. Select the option to use self-signed certificates.
  10. Click SAVE.
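The request shape that the Basic authentication step above produces, as an added example (not Check Point's or Splunk's own code): any username with the HEC token as password, the event wrapped for the 'main' index, and the collector's acceptance reply checked. The HEC path `/services/collector/event` and the `send_test_event` helper are assumptions not stated in this article.

```python
"""Build and check a Splunk HEC request of the kind CloudGuard sends."""
import base64
import json
import ssl
import urllib.request

# Assumed: the standard HEC event endpoint (not stated in the article).
HEC_PATH = "/services/collector/event"


def basic_auth_header(token: str, username: str = "cloudguard") -> str:
    """CloudGuard 'Basic' setting: any username, the HEC token as password."""
    raw = f"{username}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_hec_event(finding: dict, index: str = "main") -> dict:
    """Wrap one finding as an HEC event routed to the index chosen in Splunk."""
    return {"index": index, "event": finding}


def hec_accepted(body: bytes) -> bool:
    """HEC answers {"text":"Success","code":0} when an event is accepted;
    any non-zero code (bad token, wrong index, ...) means it was dropped."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("code") == 0


def send_test_event(base_url: str, token: str, finding: dict,
                    allow_self_signed: bool = False) -> bool:
    """Hypothetical helper: POST one finding and report acceptance.
    allow_self_signed mirrors the 'self-signed certificates' option and
    disables certificate and hostname checks, so keep it off when the
    collector has a CA-issued certificate."""
    ctx = ssl.create_default_context()
    if allow_self_signed:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(build_hec_event(finding)).encode(),
        headers={"Authorization": basic_auth_header(token),
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return hec_accepted(resp.read())
```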

Configure CloudGuard Continuous Posture Policies to Use the Notification

To send findings to Splunk with the integration described above, the CloudGuard Notification must be associated with a Continuous Posture Policy. Follow the steps below to do this. Once this is done, findings discovered by this posture policy are sent to Splunk as soon as they are discovered (findings already sent from an earlier CloudGuard policy assessment will not be sent again).

  1. In the CloudGuard portal, navigate to Continuous Posture in the Posture Management menu.
  2. If you already have a continuous posture policy and want to send its findings to Splunk, click the menu in the leftmost column and select Edit Policy.
  3. Select the Notification Policy created above and click SAVE.
  4. Alternatively, click ADD POLICY to create a new policy. Follow the steps in the CloudGuard Administration Guide to create the policy, and select the Notification created above as one of its notifications.

    Note: To send previously found findings to Splunk, select the Policy in the list on the Continuous Posture page, click the menu and select Send all alerts.

View Findings on Splunk

All new findings for this policy will be sent to Splunk.

  1. Select Search & Reporting in the main Apps menu.
  2. Click Data Summary.
  3. Click the link for your instance to see the list of CloudGuard findings. The Count column shows the total number of findings.

    The list shows each finding as a JSON block.