Set Up the Splunk Cloud Instance to receive the alerts
To receive events from the sensor, set up an HTTP Event Collector in the Splunk instance by following the steps below.
Log in to the Splunk instance and select Add Data.
Click on the option Monitor
Select the option HTTP Event Collector
Enter the preferred name for the event collector and click Next.
Set the Source Type to _json and click Review.
Review the details and click on Submit
The token value for the event collector is listed in this step. Copy it and update the file /etc/capsule8/capsule8-sensor.yaml accordingly.
The details of the Event Collector can be viewed from Settings -> Data Input
Click on HTTP Event Collector
Here you can add a new token or view the details of the tokens that were already created.
Some versions of Splunk do not enable the HTTP Event Collector tokens by default. If the Status column shows "Disabled", click "Global Settings" and "All Tokens: Enabled".
The token should have "Enable Indexer Acknowledgement" unchecked. This setting is found under Actions > Edit on the token details. If it is checked, the events fail with the error "Data channel is missing".
Configuring the Sensor to send Alerts to a Splunk Cloud Instance
Update /etc/capsule8/capsule8-sensor.yaml and add an output of type webhook, as shown below.
alert_output:
  outputs:
    - type: webhook
      enabled: true
      url: https://<splunk-cloud-instance>:8088/services/collector/event
      template: '{"event": {{AlertJSON .}}}'
      headers:
        "Authorization": "Splunk <token>"
        "Content-Type": "application/json"
url: the Splunk instance URL followed by :8088/services/collector/event
token: the Splunk token obtained while setting up the HTTP Event Collector in the section above
Restart the sensor after updating the /etc/capsule8/capsule8-sensor.yaml
$ sudo systemctl restart capsule8-sensor
The sensor should now be set up to send alerts to the Splunk Cloud instance.
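Before restarting the sensor, it is worth confirming that the token and endpoint accept an event. The following script is an added example, not part of this article or of the sensor: it builds the same {"event": ...} body that the webhook template produces, posts one constructed sample alert with the same headers the sensor uses, and maps the Splunk HEC response code to the fixes described above. The collector URL and token in the main block are placeholders.

```python
import json
import urllib.error
import urllib.request

# Constructed sample alert; the real sensor substitutes its own alert JSON for {{AlertJSON .}}.
SAMPLE_ALERT = {"name": "example-alert", "priority": "High", "hostname": "node-1"}

# Splunk HEC response codes relevant to the errors this article describes.
HEC_CODES = {
    0: "Success",
    1: "Token disabled: enable it under Global Settings > All Tokens",
    4: "Invalid token: check the value in /etc/capsule8/capsule8-sensor.yaml",
    10: "Data channel is missing: uncheck 'Enable Indexer Acknowledgement' on the token",
}


def build_hec_payload(alert):
    """Render the body the sensor template '{"event": {{AlertJSON .}}}' produces."""
    return json.dumps({"event": alert}).encode("utf-8")


def diagnose(http_status, body):
    """Turn an HEC JSON response into a one-line diagnosis with the matching fix."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    hint = HEC_CODES.get(code, "see the Splunk HEC response code table")
    return f"HTTP {http_status}, HEC code {code}: {hint}"


def post_test_event(url, token, alert=SAMPLE_ALERT, timeout=10):
    """POST one event with the same URL and headers the sensor's webhook output uses."""
    req = urllib.request.Request(
        url,
        data=build_hec_payload(alert),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # HEC returns its JSON error body with a 4xx/5xx status; still diagnose it.
        return diagnose(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Placeholders: substitute the real collector URL and token before running.
    print(post_test_event("https://<splunk-cloud-instance>:8088/services/collector/event", "<token>"))
```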