Version: v4.16

Send Cyral logs to Splunk

Follow the steps below to configure Cyral to output repository activity logs to your Splunk collector.

Prerequisites

  • Set up an HTTP event collector in your Splunk Web instance. Cyral will send logs to this collector. When you create it, use the following settings:
    • Enable indexer acknowledgement: No (Leave the checkbox unchecked.)
    • Source Type: JSON
    • Optionally, you can set the collector's Name to Cyral logs or similar, and you can set Source Name Overwrite to Cyral Sidecar or similar, to show these logs come from Cyral.
    • You can also create a new index for the collector to write Cyral’s logs to.

Procedure

  1. Navigate to the Integrations page in the sidebar.

  2. Click Setup or Configure on the Logging card, and click the New Integration button.

  3. Select Splunk from the list of integration platforms.

  4. Configure the Splunk integration:

    • Name: Give your integration a unique name. You'll use this name when you configure a sidecar to send logs to this Splunk integration.
    • Host: Address of your Splunk collector that will receive log data from Cyral, given as a hostname or IP address (for example prod-1234.example.com or 192.0.2.22). Do not include an http:// or https:// prefix.
    • Port: Listener port of your Splunk HTTP event collector (HEC listener). The default port is 8088, but you may have chosen a different port in Splunk.
    • Token: After you configure your HTTP event collector, Splunk provides an access token to be used with HTTP requests to that collector. Copy this value from Splunk and paste it here.
    • Index: (Optional) HTTP event collector index for grouping the logs sent by the sidecar. You create the index when you configure the HTTP event collector in Splunk.
    • TLS: (Optional) If your Splunk HTTP event collector has been set to accept only TLS connections, set the TLS checkbox to ON.

  5. Click Create.

  6. For each sidecar that will send logs to this destination, configure the sidecar's advanced logging settings and select this integration for Data Activity Logs and/or Diagnostic Logs. For more information, see "Manage Sidecars -> Logging".
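Before entering these values in the integration form, you can check them against the collector directly. The script below is an added example, not Cyral's or Splunk's code: it builds the HEC endpoint from the form's Host, Port and TLS fields, sends one constructed test event with the Token and Index values, and maps Splunk's reply code back to the field to fix. It assumes Splunk's standard HEC event endpoint (/services/collector/event) and documented reply codes; the host, token and index values are placeholders.

```python
"""Check Cyral-to-Splunk HEC settings (Host, Port, Token, Index, TLS) with one test event."""
import json
import urllib.error
import urllib.request

# Splunk HEC reply codes that point at a specific field on the Cyral form.
HEC_HINTS = {
    0: "Success: the collector accepted the event.",
    4: "Invalid token: re-copy the Token value from the HEC token page in Splunk.",
    7: "Incorrect index: the Index field must name an index this token may write to.",
    10: "Data channel is missing: indexer acknowledgement is enabled on this collector; "
        "the prerequisites ask for it to be disabled.",
}

def hec_url(host, port=8088, tls=False):
    """Build the HEC event endpoint from the form's Host, Port and TLS fields."""
    if host.startswith(("http://", "https://")):
        # The form expects a bare hostname or IP address, not a URL.
        raise ValueError("Host must not contain the prefix http or https")
    scheme = "https" if tls else "http"
    return f"{scheme}://{host}:{port}/services/collector/event"

def hec_payload(event, index=None, source="Cyral Sidecar"):
    """One HEC event; sourcetype _json matches the collector's Source Type: JSON."""
    payload = {"event": event, "sourcetype": "_json", "source": source}
    if index:
        payload["index"] = index
    return payload

def interpret(reply):
    """Turn a decoded HEC reply ({"text": ..., "code": ...}) into a hint about the form."""
    code = reply.get("code")
    return HEC_HINTS.get(code, f"HEC code {code}: {reply.get('text')}")

def send_test_event(host, port, token, index=None, tls=False, timeout=5):
    """POST a constructed test event and return the hint for the collector's reply."""
    body = json.dumps(hec_payload({"message": "cyral hec connectivity test"}, index))
    req = urllib.request.Request(
        hec_url(host, port, tls), data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(json.load(resp))
    except urllib.error.HTTPError as err:  # HEC reports failures as 4xx with a JSON body
        return interpret(json.loads(err.read() or b"{}"))

if __name__ == "__main__":
    # Placeholder values; replace them with the ones you will enter in the form.
    print(send_test_event("prod-1234.example.com", 8088, "PLACEHOLDER-HEC-TOKEN", "cyral", tls=True))
```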

Next steps