Splunk SIEM Integration Guide Nile

Overview

The Nile Service Block (NSB) integrates with Splunk via Splunk’s HTTP Event Collector (HEC) to export NSB security events – audit logs and user device events – to Splunk, where the customer can analyze and archive them.

Prerequisites

  • A Splunk Cloud instance, or an on-premises Splunk instance, reachable from the Nile cloud.
  • An administrative login to the Splunk instance.
  • An administrative login to the Nile Portal.

The Nile Service Block supports only signed SSL certificates (not self-signed), or plain HTTP with no SSL. Self-signed HTTPS certificates are not accepted.

Splunk Configuration:

Create Splunk HTTP Event Collector

Log in to Splunk instance as an administrator.

Navigate to Settings, then select Data inputs from the DATA section.

Click on the + Add new link to create a new HTTP event collector (HEC).

Type a descriptive name for the collector – in this example, we use “nile_test”. Keep all other values at their defaults (they are marked “optional”). Then, click the Next button.

Keep the Source Type as Automatic, and keep the index as “main”. NOTE: by default, HEC data is stored in the main index; you can create a dedicated index by clicking Create a new index, and this can be changed at any time. This example uses the main index; in production, send data to a sandbox index first and change the setting later.

Then, click the Review button.

Verify the HTTP Event Collector configuration. Then, click the Submit button.

Copy the contents of Token Value and save it in a text file for later use in the Nile Portal settings (the example here is “55344676-48db-4a9a-a522-23b95C”). Then, click the Start Searching button.

Enter a search string; in this example, source="http_test" (index="main")

Configure the Splunk HTTP Event Collector

After creating the HTTP Event Collector, enable the collector and configure the port and SSL options of its URL.

From the Data section, click the Data inputs link, then click on HTTP Event Collector link.

In the HTTP Event Collector page, click the Global Settings button.

Enter these values into the form:

  • All Tokens:   click on Enabled
  • Enable SSL:   check (HTTPS) or uncheck (HTTP) the checkbox
  • HTTP Port Number:   8088 (default)

Keep all other settings at their default values.

Click the Save button.

This example shows that SSL is disabled, and the port number is the default value.

Important Note: The SSL and Port Number settings are global settings and affect all HTTP Event Collectors on the instance.

Nile Portal Configurations:

Add Splunk collector to Nile Portal

Log in to the Nile portal — https://u1.nile-global.cloud/ — using an admin account. Then, navigate to (Settings button) → Global Settings tab → Integration subtab.

Click on ⊕; a new popup window opens. Then, click on Splunk.

Fill out Splunk information:

  • Token:   Copy and paste the token saved when creating the Splunk HEC
  • URL:   Enter the Splunk cloud URL plus the port number

Click the Next button.

Select, by clicking the checkboxes, whether Audit, User Device Events, and/or Alerts should be sent to Splunk.

Click the Save button to save the settings. Click on Splunk, then click on ↔, to test the connection.

If the test is successful, the collector status changes to UP (green). If it fails, it shows as DOWN (red).

To modify the Splunk URL or Token, click on (pen); to delete the Splunk integration, click on (trash).

Verify Nile Events under Splunk Search and Report:

  • Log in to the Splunk instance as administrator.
  • In the top menu, click on the Search element.
  • Use the HEC name as the source, the index name for the specific index, and the filter for searching for specific data.
  • For this example, the HEC name is “nile_test”, the index name is “main”, and the filter is: source="http_test" (index="main")

Use a topic name to display only audits or user device events.

Examples:

source="http_test" (index="main", topic="audit")
source="http_test" (index="main", topic="userdeviceevents")
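The connection test and the topic search above, as an added example that is not part of the Nile guide or of Nile's code: a Python script that posts one constructed test event to the HEC endpoint the way the Nile Portal's ↔ test does, and maps the reply to the same UP/DOWN status. It assumes Splunk's standard HEC endpoint /services/collector/event and its "Authorization: Splunk <token>" header, and that the topic field lives inside the event body (an assumption; the guide only shows topic as a search field).

```python
import json
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

HEC_PATH = "/services/collector/event"  # Splunk's HEC JSON event endpoint

def build_hec_request(splunk_url, port, token, topic, event, index="main"):
    """Return (url, headers, body) for one HEC event post.

    URL = Splunk URL plus HEC port, as entered in the Nile Portal. 'topic' is
    placed inside the event (assumption) so the guide's filter finds it.
    """
    url = f"{splunk_url.rstrip('/')}:{port}{HEC_PATH}"
    headers = {
        "Authorization": f"Splunk {token}",  # token saved when the HEC was created
        "Content-Type": "application/json",
    }
    body = json.dumps({"index": index, "sourcetype": "_json",
                       "event": {"topic": topic, **event}}).encode()
    return url, headers, body

def classify_hec_response(status, body_text):
    """Map a HEC reply to the UP/DOWN status the Nile Portal displays."""
    try:
        reply = json.loads(body_text)
    except ValueError:
        return "DOWN", f"non-JSON reply (HTTP {status})"
    if status == 200 and reply.get("code") == 0:
        return "UP", reply.get("text", "Success")
    return "DOWN", f"HTTP {status}: {reply.get('text', body_text)}"

def send_test_event(splunk_url, port, token, topic="audit"):
    """Post one constructed test event and return ("UP"|"DOWN", detail).

    ssl.create_default_context() verifies the server certificate against the
    system trust store, so a self-signed HEC certificate fails here too.
    """
    url, headers, body = build_hec_request(
        splunk_url, port, token, topic, {"message": "nile hec connectivity test"})
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10,
                                    context=ssl.create_default_context()) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except HTTPError as e:  # 401/403: bad or disabled token; 400: bad payload
        return classify_hec_response(e.code, e.read().decode())
    except URLError as e:  # closed port, DNS failure, rejected certificate
        return "DOWN", str(e.reason)
```

Run send_test_event("https://<your-splunk-host>", 8088, "<HEC token>") once the Global Settings above are saved; a DOWN result with a certificate error means the HEC is serving a certificate the NSB will also reject.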