Configuring HTTPS Log Settings with Splunk
Axonius can send its activity logs to a centralized log server, which helps with auditing and with user and entity behavior analytics (UEBA). Let's review how to accomplish this with Splunk.
Prerequisites - Splunk
The first step is configuring an HTTP Event Collector (HEC) token in Splunk. You can follow the instructions here:
Set up and use HTTP Event Collector in Splunk Web - Splunk Documentation
After working through that documentation, we should have a Token Value for our HEC token.
Next, we need to know how to send data to our new HTTP Event Collector on either Splunk Cloud or Splunk Enterprise.
Axonius sends JSON-formatted events, so for our tests I will use the HEC event endpoint: http://10.20.3.4:8088/services/collector/event. Note that HEC has SSL enabled by default, in which case the scheme is https:// rather than http://; a plain-HTTP endpoint sends the token in cleartext on every request, so only use it where that is acceptable, such as a lab network.
We can test with curl to confirm:
$ curl http://10.20.3.4:8088/services/collector/event -H "Authorization: Splunk bd8c4fa2-15f8-4fe5-82ff-aeeec0412d3e" -d '{"event": "hello world"}'
> {"text":"Success","code":0}
We can see our event in Splunk.
Configuring in Axonius
Let's enable HTTPS Logs Settings and review the configuration.
HTTPS logs host will be the endpoint we validated above: http://10.20.3.4:8088/services/collector/event
We can leave Port empty, since the port (8088) is already part of that URL.
As for the Authorization header, we need to supply our Token Value from Splunk, prefixed with the word Splunk, exactly as in the curl test above. The format in Axonius is the following:
Splunk bd8c4fa2-15f8-4fe5-82ff-aeeec0412d3e
As for the remaining settings, we can leave them as is, or adjust them accordingly if traffic to Splunk goes through a proxy.
From here, our activity logs should now be flowing from Axonius into Splunk.
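As an added example (this is not Axonius or Splunk code), the following Python script does what the curl test above does, using the same "Splunk <token>" header format that goes into the Axonius Authorization setting, and classifies the HEC reply so you can preflight the endpoint before pointing Axonius at it. The MockHEC class is a constructed stand-in for the HEC /event endpoint so the script runs offline; its reply texts and codes follow the ones Splunk documents for HEC. The example token is the one used in the article.

```python
"""Preflight check of a Splunk HEC endpoint before pointing Axonius at it.

Added example; not Axonius or Splunk code. It POSTs one JSON event to
.../services/collector/event with 'Authorization: Splunk <token>' and
interprets the JSON reply. MockHEC is a constructed stand-in for Splunk used
only so the script runs offline; its reply codes follow the ones Splunk
documents for HEC (0 Success, 2 Token is required, 3 Invalid authorization,
4 Invalid token, 6 Invalid data format).
"""
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_PATH = "/services/collector/event"


def send_hec_event(url, token, event, cafile=None, timeout=5):
    """POST one event to HEC; return (http_status, parsed_json_reply).

    cafile: CA bundle to trust when the HEC uses an internal or self-signed
    certificate. The header value 'Splunk <token>' is exactly the format
    Axonius expects in the Authorization field of its HTTPS Logs Settings.
    """
    payload = json.dumps({"event": event, "sourcetype": "_json"}).encode()
    req = urllib.request.Request(
        url,
        data=payload,
        method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile) if url.startswith("https://") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # HEC reports token and format problems as 4xx with a JSON body; keep it.
        return err.code, json.loads(err.read())


def check_hec(url, token):
    """True only when HEC answered HTTP 200 with code 0 ('Success')."""
    status, body = send_hec_event(url, token, {"message": "axonius hec preflight"})
    return status == 200 and body.get("code") == 0


class MockHEC(BaseHTTPRequestHandler):
    """Constructed stand-in for the HEC /event endpoint (offline testing only)."""

    VALID_TOKEN = "bd8c4fa2-15f8-4fe5-82ff-aeeec0412d3e"  # the article's example token
    received = []  # events the mock accepted, for inspection

    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        auth = self.headers.get("Authorization")
        if auth is None:
            return self._reply(401, {"text": "Token is required", "code": 2})
        if not auth.startswith("Splunk "):
            return self._reply(401, {"text": "Invalid authorization", "code": 3})
        if auth[len("Splunk "):] != self.VALID_TOKEN:
            return self._reply(403, {"text": "Invalid token", "code": 4})
        try:
            doc = json.loads(raw)
        except ValueError:
            doc = None
        if not isinstance(doc, dict) or "event" not in doc:
            return self._reply(400, {"text": "Invalid data format", "code": 6})
        self.received.append(doc)
        self._reply(200, {"text": "Success", "code": 0})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # silence per-request logging
        pass


def start_mock_hec():
    """Serve MockHEC on an ephemeral localhost port; return (event_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), MockHEC)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}{HEC_PATH}", server


if __name__ == "__main__":
    url, server = start_mock_hec()
    print(check_hec(url, MockHEC.VALID_TOKEN))                   # True
    print(send_hec_event(url, "wrong-token", {"message": "x"}))  # (403, {'text': 'Invalid token', 'code': 4})
    server.shutdown()
```

Against a real collector, call check_hec("https://<hec-host>:8088/services/collector/event", token), passing cafile= when the HEC certificate is issued by an internal CA; a 403 with code 4 means the token is wrong, a 401 with code 3 means the "Splunk " prefix is missing, which is the mistake most likely to show up when the Axonius Authorization field is filled in with the bare token.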
Now that we have this configured, we can also perform other actions, such as using the Enforcement Center to push asset data from Axonius into Splunk for SIEM enrichment.
Comments
Awesome Bryce! Good stuff!