Site Collector Administration Guide

Set Up Splunk Collector

If you use Splunk as a SIEM, you can set up the Splunk collector to retrieve logs from your Splunk server or Splunk Cloud. The Splunk collector is a set of Site Collector flows, pre-built processors, groups, custom processors, other components, and integrations that pull logs in plain text, JSON, or Windows multiline format from your Splunk server and push them to the Exabeam Security Operations Platform.

To set up a Splunk collector:

  1. Log in to the Exabeam Security Operations Platform with your registered credentials.

  2. Navigate to Collectors > Site Collectors.

  3. Ensure that Site Collector is installed and in a running state.

  4. On the Site Collector page, click the Collectors Library tab, then click Splunk.

  5. In the Definition section, enter the required information as follows.

    • Collector Name – Specify a name for the Splunk collector.

      Note

      Ensure that you specify different names for the Site Collector instance and the collector.

    • Site Collector Instance – Select the site collector instance for which you want to set up the Splunk collector.

    • Splunk Hostname or IP – Enter the hostname or IP address of the Splunk server or Splunk Cloud instance from which you want the Splunk collector to pull logs.

    • Port – Enter the port number of your Splunk server. The default port is 8089.

  6. Click Next.

  7. In the Authentication section, enter the required information as follows.

    • Authentication – Select the authentication method, Login Pass or Token, that the Splunk collector uses to connect to the server.

      If you select Login Pass, enter the login name and password that you already set on the Splunk server.

      If you select Token, enter the token that you created on the Splunk server for authentication.

    • Protocol – Select the protocol, http or https.

      For https, select the appropriate option, such as none, SSL, TLS v1, TLS v1.1, or TLS v1.2, to securely pull the data. SSL, TLS v1, and TLS v1.1 are deprecated protocol versions; use TLS v1.2 unless the Splunk server cannot negotiate it.

  8. In the Data section, enter the required information as follows.

    • Splunk Query – Enter the Splunk query that selects the data you want to pull. For example, to fetch all logs from the Splunk server, use the query index = *.

      To prevent data loss, use time modifiers such as earliest, now, and latest in your Splunk query with caution, as they may conflict with the collector’s internal clock.

      Note

      Verify the accuracy of your Splunk query through the Splunk CLI. Make sure that the logs returned by your Splunk query correspond to the expected event type.

    • Splunk Fetch Timestamp – Select the date and time from which you want the collector to fetch logs. By default, the current date and time are selected. To include past events, select a date before the present date; you can select a date up to 30 days in the past.

      If you want the Splunk collector to pull a large amount of historical data, create two separate Splunk collector instances, one for the live data pull and the other for the historical data pull, to ensure precision.

    • Splunk Fetch Interval – Select the interval at which the Splunk collector pulls logs: 30 sec, 1 min, 2 min, 3 min, 4 min, or 5 min.

      Caution

      The Splunk Collector instance can fetch data at up to 5.5k EPS, starting with the oldest historical data and working forward to the present. If the historical data was generated at a higher rate than the maximum EPS that Splunk Collector supports, it is recommended to create two separate Splunk Collector instances: one for fetching the historical data and the other for current data.

      For optimum performance, set a smaller fetch interval when you need to push data at a very high EPS.

  9. Click Setup.

    The Splunk collector is set up and is ready to pull logs from your Splunk server.

    After the Splunk collector is set up, Site Collector Core periodically pulls logs based on the query you entered and uploads them to the Exabeam Security Operations Platform. If the Splunk server becomes unavailable, Site Collector Core resumes pulling logs from the point where it stopped. Of the various log types the Splunk server supports, Site Collector supports the following three:

    • Windows multiline

    • Plain text (Syslog one-line events)

    • JSON (one-line JSONs)

    If installation fails, the collector is disabled and the configuration is saved. You can check the status of the collector in the UI or in the support package.

    Note

    • Site Collector supports Splunk Cloud.

    • The Splunk Collector fetches the Splunk metadata fields: _time, sourcetype, and host in addition to the _raw field.

    • The Splunk collector supports Splunk SDK 1.9.5 with the latest API version, for better security and seamless integration with the Splunk server.
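The query check from step 8 and the supported-format and metadata notes above, as an added example that is not Exabeam's or Splunk's code: a Python helper that lints a query for the time modifiers the guide cautions about, validates the fetch timestamp against the 30-day limit, builds (without sending) the REST export request a manual CLI check would issue, and parses constructed export rows into the _raw, _time, sourcetype and host fields the collector forwards, classifying each event as one of the three supported formats. The export endpoint path and its parameters are assumptions about the Splunk REST API made for this example; the host name, token, credentials and events are constructed.

```python
"""Offline checks for a Splunk collector query and its results.

Constructed example; not Exabeam or Splunk code. Assumes the Splunk REST
search export endpoint (/services/search/jobs/export, output_mode=json)
returns one JSON object per line whose "result" member carries _raw,
_time, sourcetype and host.
"""
import base64
import json
import re
from datetime import datetime, timedelta, timezone

MAX_BACKFILL_DAYS = 30  # oldest fetch timestamp the collector UI accepts

# Time modifiers the guide warns about: they compete with the window the
# collector derives from its own fetch timestamp and fetch interval.
TIME_MODIFIER_RE = re.compile(r"\b(earliest|latest)\s*=|\bnow\(\)", re.IGNORECASE)

FORWARDED_FIELDS = ("_raw", "_time", "sourcetype", "host")


def check_query(query):
    """Return a list of warnings for a query before it goes into the collector."""
    warnings = []
    if not query.strip():
        warnings.append("query is empty")
    for m in TIME_MODIFIER_RE.finditer(query):
        warnings.append(f"time modifier '{m.group(0).replace(' ', '')}' "
                        "may conflict with the collector's internal clock")
    return warnings


def hours_ago(hours):
    """Timezone-aware timestamp `hours` before now (negative = in the future)."""
    return datetime.now(timezone.utc) - timedelta(hours=hours)


def fetch_timestamp_is_valid(fetch_from):
    """True when fetch_from is neither in the future nor older than 30 days."""
    age = datetime.now(timezone.utc) - fetch_from
    return timedelta(0) <= age <= timedelta(days=MAX_BACKFILL_DAYS)


def build_export_request(host, port, query, fetch_from, token=None,
                         user=None, password=None, use_https=True):
    """Build (url, headers, params) for a manual export search; nothing is sent."""
    if not fetch_timestamp_is_valid(fetch_from):
        raise ValueError(f"fetch timestamp must be within the last {MAX_BACKFILL_DAYS} days")
    if token:                                   # Token authentication
        auth = f"Bearer {token}"
    elif user and password:                     # Login Pass authentication
        auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    else:
        raise ValueError("either a token or a login name and password is required")
    scheme = "https" if use_https else "http"
    url = f"{scheme}://{host}:{port}/services/search/jobs/export"
    spl = query.strip()
    if not spl.startswith("search "):           # export expects a full search command
        spl = "search " + spl
    params = {"search": spl,
              "earliest_time": str(int(fetch_from.timestamp())),  # epoch seconds
              "output_mode": "json"}
    return url, {"Authorization": auth}, params


def classify_event(raw):
    """Map a _raw event onto the three formats the collector supports."""
    text = raw.strip()
    if "\n" in text:
        return "windows_multiline"  # multi-line events such as Windows event logs
    if text.startswith("{"):
        try:
            if isinstance(json.loads(text), dict):
                return "json"       # one-line JSON object
        except json.JSONDecodeError:
            pass
    return "plain_text"             # one-line syslog-style text


def parse_export_lines(lines):
    """Parse export rows, keeping only the fields the collector forwards."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("preview"):      # preview rows are partial; use final results only
            continue
        result = row.get("result", {})
        missing = [f for f in FORWARDED_FIELDS if f not in result]
        if missing:
            raise ValueError(f"export row is missing {missing}; check the query and sourcetype")
        event = {f: result[f] for f in FORWARDED_FIELDS}
        event["format"] = classify_event(result["_raw"])
        events.append(event)
    return events


# Constructed export rows: one of each supported format, plus a preview row to skip.
SAMPLE_RESULTS = [
    {"_raw": "<34>Jan 12 10:00:01 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5",
     "_time": "2024-01-12T10:00:01.000+00:00", "sourcetype": "syslog", "host": "host1"},
    {"_raw": '{"user": "bob", "action": "login", "result": "success"}',
     "_time": "2024-01-12T10:00:02.000+00:00", "sourcetype": "_json", "host": "app1"},
    {"_raw": "01/12/2024 10:00:03 AM\nLogName=Security\nEventCode=4624\nMessage=An account was successfully logged on.",
     "_time": "2024-01-12T10:00:03.000+00:00", "sourcetype": "WinEventLog:Security", "host": "dc1"},
]
SAMPLE_EXPORT = [json.dumps({"preview": True, "offset": 0, "result": SAMPLE_RESULTS[0]})] + [
    json.dumps({"preview": False, "offset": i, "result": r}) for i, r in enumerate(SAMPLE_RESULTS)]

if __name__ == "__main__":
    print(check_query("index=* earliest=-1h"))
    print(build_export_request("splunk.example.com", 8089, "index=*", hours_ago(24), token="EXAMPLE-TOKEN")[0])
    for ev in parse_export_lines(SAMPLE_EXPORT):
        print(ev["format"], ev["host"], ev["sourcetype"])
```

Run the script against rows saved from a manual export search to confirm that every row carries the four forwarded fields and that the classification matches the format you expect for the sourcetype; a row missing a field or an unexpected `windows_multiline` classification usually means the query or sourcetype needs adjusting before the collector is set up.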