Splunk
Splunk is a log management and SIEM solution for storing and processing logs.
Deploy Tenzir between your data sources and existing Splunk for controlling costs and gaining additional flexibility of data processing and routing.
Send data to an existing HEC endpoint
To send data from a pipeline to a Splunk HTTP Event Collector (HEC)
endpoint, use the to_splunk
sink operator.
For example, deploy the following pipeline to forward all Suricata alerts arriving at a node to Splunk:
Replace 1.2.3.4
with the IP address of your Splunk host and TOKEN
with your
HEC token.
For more details, see the documentation for the to_splunk
operator.
Spawn a HEC endpoint as pipeline source
To send data to a Tenzir pipeline instead of Splunk, you can open a Splunk HTTP
Event Collector (HEC) endpoint using the
fluent-bit
source operator.
For example, to ingest all data into a Tenzir node instead of Splunk, point your data source to the IP address of the Tenzir node at port 9880 by deploying this pipeline:
fluent-bit splunk splunk_token=TOKEN
| import
Replace TOKEN
with the Splunk token configured at your data source.
To listen on a different IP address, e.g., 1.2.3.4 add listen=1.2.3.4
to the
fluent-bit
operator.
For more details, read the official Fluent Bit documentation of the Splunk input.
Test Splunk and Tenzir together
To test Splunk and Tenzir together, use the following Docker Compose setup.
Setup the containers
Configure Splunk
After you spun up the containers, configure Splunk as follows:
- Go to http://localhost:8000 and login with
admin
:tenzir123
- Navigate to Add data → Monitor → HTTP Event Collector
- Configure the event collector:
- Name: Tenzir
- Click Next
- Copy the token
- Keep Start searching