
Ingesting audit events to Splunk

This article explains how to create a Splunk log ingestion channel for Afi audit logs.

To create a Splunk HEC (HTTP Event Collector) collector for log ingestion, please do the following:

Step 1 - Go to Settings → Data Inputs → HTTP Event Collector in the Splunk admin panel and enable HEC by setting All Tokens to Enabled under Global Settings. In the same dialog set the Default Source Type to _json, because Afi sends each audit event as a JSON object.

Step 2 - Create a new HEC token by clicking New Token. Copy the token value and note the source name you assign to the token; both are needed in Step 3.

Step 3 - Create a Splunk channel on the Configuration → SIEM tab in the Afi portal with the following parameters:

  • Collector endpoint: Splunk HEC endpoint
  • Splunk token: Token from Step 2
  • Event source: Source name assigned to the token in Step 2
  • Source type: _json

Please note that, by default, Splunk Cloud protects its HEC endpoints with a self-signed HTTPS certificate, which Afi cannot validate. Before enabling the channel, install a certificate issued by a commonly accepted certificate authority (CA) on the Splunk HEC endpoint so that the TLS connection from Afi can be verified.
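The following script is an added example for checking a HEC setup end to end before the Afi channel is enabled; it is not part of the Afi product or the Splunk documentation. It wraps a constructed audit event in the HEC envelope with the same parameters as Step 3 (sourcetype _json, a source name, the token sent as `Authorization: Splunk <token>`), posts it with certificate verification left on, and reports the endpoint's certificate issuer. The endpoint URL, token value, port and the sample event fields are placeholders.

```python
"""Verify a Splunk HEC endpoint with the same settings the Afi channel uses.

Added example, not Afi or Splunk code. HEC_URL, HEC_TOKEN and SAMPLE_EVENT
are constructed placeholders; replace them with your own values.
"""
import json
import socket
import ssl
import urllib.error
import urllib.request

# Constructed placeholders (assumption: Splunk Enterprise style endpoint on 8088;
# Splunk Cloud uses https://http-inputs-<stack>.splunkcloud.com:443 instead).
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
EVENT_SOURCE = "afi-audit"

# Constructed audit event; the field names are illustrative only.
SAMPLE_EVENT = {"action": "restore", "actor": "admin@example.com", "result": "success"}


def hec_payload(event, source, sourcetype="_json", host=None):
    """Wrap one audit event in the HEC envelope.

    The event must be a JSON object so that sourcetype _json extracts its
    fields at search time; a bare string would be indexed as opaque text.
    """
    if not isinstance(event, dict):
        raise TypeError("HEC event must be a JSON object for sourcetype _json")
    envelope = {"event": event, "source": source, "sourcetype": sourcetype}
    if host:
        envelope["host"] = host
    return json.dumps(envelope, separators=(",", ":")).encode()


def hec_request(url, token, payload):
    """Build the POST request; HEC authenticates with 'Authorization: Splunk <token>'."""
    return urllib.request.Request(
        url,
        data=payload,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )


def delivered(status, body):
    """HEC acknowledges an event with HTTP 200 and {"text":"Success","code":0}."""
    return status == 200 and body.get("code") == 0


def send_event(url, token, payload):
    """POST one event and return (HTTP status, decoded JSON body).

    Certificate verification is deliberately left on: a self-signed HEC
    certificate fails here, which is the condition the note above warns about.
    """
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(hec_request(url, token, payload), context=ctx, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        # Splunk answers 4xx with a JSON body such as {"text":"Invalid token","code":4}
        return e.code, json.loads(e.read() or b"{}")
    except ssl.SSLCertVerificationError as e:
        raise RuntimeError(f"HEC certificate is not trusted (self-signed or unknown CA): {e}") from e


def endpoint_issuer(host, port):
    """Open a verified TLS connection and return the issuer of the server certificate.

    Raises ssl.SSLCertVerificationError when the endpoint still uses a
    self-signed certificate, so this doubles as the pre-flight check.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return dict(rdn[0] for rdn in tls.getpeercert()["issuer"])


if __name__ == "__main__":
    parts = urllib.request.urlparse(HEC_URL)
    print("issuer:", endpoint_issuer(parts.hostname, parts.port or 443))
    status, body = send_event(HEC_URL, HEC_TOKEN, hec_payload(SAMPLE_EVENT, EVENT_SOURCE))
    print("delivered" if delivered(status, body) else f"failed: {status} {body}")
```

If the script reports an untrusted certificate, the HEC endpoint still presents the default self-signed certificate and the Afi channel will not deliver events until a CA-issued certificate is installed. A 403 with `Invalid token` means the token copied in Step 2 does not match what Splunk has; a 400 with `Incorrect index` means the token is restricted to an index it is not allowed to write to.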