Splunk Integration Guide
Step-by-Step Guide
Step 1: Enable Splunk HTTP Event Collector (HEC)
- Navigate to: Settings → Data Inputs → HTTP Event Collector
Click “New Token” and configure the following:
- Name: CertSecure Logs
- Source Type: _json
- Index: (create one first; see “Create a Dedicated Index” below)
After creation, share the following details with the CertSecure team:
- HEC Token: Token string used for authentication
- HEC Endpoint URL: e.g., https://splunk.example.com:8088
- Protocol: Confirm whether HTTP or HTTPS is used
Note: If HTTPS is used, ensure that the SSL certificate used by Splunk is trusted by CertSecure’s backend.
Step 2: Create a Dedicated Index
- Navigate to: Settings → Indexes → New Index
Enter:
- Index Name: certsecure_logs
- Click Save.
- Share this index name with the CertSecure Manager admin.
Step 3: Ensure Network Connectivity
- On the CertSecure backend server, ensure outbound access to the Splunk HEC port (8088/tcp).
If using firewalld, run:
sudo firewall-cmd --permanent --add-port=8088/tcp
sudo firewall-cmd --reload
If IP whitelisting is enabled in Splunk:
- Add the CertSecure backend’s IP to the allowed list.
Once the above prerequisites are met, follow the steps below on the CertSecure Manager platform:
Step 4: Configure Splunk Integration in CertSecure Manager
- Log in to CertSecure Manager (Admin portal).
- Go to: Utilities → SIEM Integration → Splunk.
- Click “Add Configuration”.
Fill in:
- HEC Endpoint URL: https://splunk.example.com:8088
- HEC Token: Paste the HEC token from Step 1
- Protocol: HTTPS or HTTP (as used in Splunk)
- Click “Save”.
Step 5: Validate Connection
CertSecure Manager will automatically attempt to connect. The check:
- Validates the token
- Confirms network access
- Verifies SSL certificate trust (if HTTPS)
On success, a message like “Connection Successful” is shown.
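The same three checks can be run by hand from the CertSecure backend host before the token and index are shared, so that a bad token, wrong index name, blocked port or untrusted certificate is found early. This is an added example, not part of this guide or of CertSecure Manager: the /services/collector/event path and the "Authorization: Splunk <token>" header are Splunk's HEC API; the host, token and test event are placeholders.

```python
import json
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# HEC reply codes (from Splunk's HEC docs) that a bad token, index or URL surfaces.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 7: "Incorrect index"}


def build_hec_request(endpoint, token, index, sourcetype="_json", event=None):
    """Build the POST for HEC's /services/collector/event endpoint; HEC
    authenticates with the header 'Authorization: Splunk <token>'."""
    payload = {"index": index, "sourcetype": sourcetype,
               # Constructed test event; HEC accepts any JSON object here.
               "event": event or {"source": "certsecure", "message": "HEC test"}}
    return urllib.request.Request(
        endpoint.rstrip("/") + "/services/collector/event",
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST")


def interpret_hec_response(status, body):
    """Turn an HEC reply into (ok, verdict). Code 0 means token, index and
    network path all work; any other code names what is misconfigured."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return False, f"HTTP {status}: non-JSON reply (wrong URL, or not HEC?)"
    return code == 0, f"HTTP {status}: {HEC_CODES.get(code, f'HEC code {code}')}"


def validate_hec(endpoint, token, index, cafile=None):
    """Send one test event over a verified TLS connection (pass cafile for a
    private CA); this is the certificate-trust requirement noted under HEC setup."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_hec_request(endpoint, token, index)
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return interpret_hec_response(resp.status, resp.read().decode())
    except HTTPError as e:  # HEC reports token/index problems as 4xx
        return interpret_hec_response(e.code, e.read().decode())
    except URLError as e:  # DNS, firewall or certificate-trust failure
        return False, f"connection failed: {e.reason}"
```

Run validate_hec("https://splunk.example.com:8088", "<token>", "certsecure_logs") from the backend host; the verdict names the failing check, and the test event lands in certsecure_logs on success.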
Step 6: Log Ingestion Begins
Once validated, CertSecure Manager will begin periodic log ingestion into Splunk. All logs will be:
- Sent in JSON format
- Tagged with the appropriate source type for parsing
- Indexed under certsecure_logs