This weekend I spent some time with Okta’s Identity Engine product, learning about various ways to integrate it with Splunk and other external systems. When I got to Okta’s Event Hooks feature, I exclaimed “Aw, HECk!” (actually I said something a little stronger) and banged my head against my old copy of “Log4J 4 Me and U - A Complete Guide” for a few hours trying to get Event Hooks sending data properly into Splunk’s HTTP Event Collector, or HEC. However, I ultimately prevailed! Here’s a writeup of my experience.

HEC was introduced in Splunk Enterprise 6.3 (late 2015) as a high-performance, agentless way of getting data into Splunk from services and applications. Any Splunk instance can be used as a HEC endpoint. Tokens are used to authenticate clients to the service, which optionally uses TLS 1.2. You can also use your own certificates to secure the service, which matters for Okta’s Event Hooks, because Okta delivers only to HTTPS endpoints whose certificate it can validate (hence the LetsEncrypt step below).

What’s an Event Hook? Well, Okta can send all manner of different events, immediately, via a feature called Event Hooks (very similar to a webhook): when a subscribed event fires, Okta POSTs a JSON payload to a URL you register. These present many different kinds of workflow integration possibilities with any system that can accept output from Event Hooks. But! There’s a caveat to getting Splunk HEC to work properly here.

Okta requires a “one-time verification” step for each Event Hook: before it delivers any events, Okta sends a GET request to the hook URL carrying an “X-Okta-Verification-Challenge” header, and the endpoint has to answer with a JSON body that echoes the challenge value back as {"verification": "<value>"}. HEC has no way to do that, so we need to perform a clever “switcheroo” where we first run a temporary webserver that answers the verification request from Okta, and then we shut down that webserver and start up HEC on the very same URL. The steps:

1. Set up HEC on your Splunk instance using SSL and choose a TCP port.
2. Install a Node.js environment on your HEC instance.
3. (Optional) Generate a set of LetsEncrypt certificates, using Node.js and Express to create a temporary webserver that helps you verify you own the domain.
4. Create and start a temporary webserver using Node.js and Express that will respond to the one-time verification challenge using the certificates.
5. Complete the one-time verification challenge.
6. Stop the temporary webserver, start Splunk HEC, and try sending data.

To set up HEC, we first use the GUI in Splunk under Data Inputs, but we’ll need to get into the command line config files before we’re all done. Customers running Splunk Cloud will need to run an on-prem heavy forwarder that communicates up to Splunk Cloud in order to do this, because you don’t have access to do the Node.js shenanigans I’m going to lay down below. Or, you could do something clever using name resolution, where you point the URL you ultimately use for HEC temporarily to a different host for the verification step, and then point that same URL to the “real” HEC endpoint. Keep in mind that Okta validates the certificate on every delivery, not only during verification, so the “real” HEC needs a certificate that is valid for that hostname as well.

A good primer for the steps needed to receive webhooks with HEC is in Luke Netto’s blog post here and this Splunk Answers post.

First, we create a new token under the Data Inputs section of Splunk Settings. We give it a reasonable sourcetype (I chose okta:eventhook:hec) and tell it what Splunk index to put the data into. Then we go to Global Settings, where we can enable the input and, with SSL turned on, confirm the port the collector listens on. You also get a token value; that’s going to be important later when we set up the Event Hook on the Okta side, so copy it somewhere safe: whoever holds that token can write whatever they like into your index.

The magic configuration step is to set “allowQueryStringAuth=true” on the token. That setting lives in inputs.conf rather than in Splunk Web, and it lets the token be passed as a query parameter in the hook URL instead of in an Authorization header. Two cautions: a token in the query string ends up in every access log and proxy along the path, so treat those logs as secrets too; and if your Okta tenant offers an authentication field and secret on the Event Hook, sending the token as an “Authorization: Splunk <token>” header avoids the query string entirely and you can leave “allowQueryStringAuth” at its default.