Splunk can be hosted in the cloud or on-premises. If you are running managed Splunk Cloud, you will need to raise a ticket with your Splunk support to have HEC configured.
For self-service Spunk, or Splunk Enterprise (on-premises) the following instructions will help you configure HEC to receive webhooks from Mist.
About HEC:
HEC or HTTP Event Collection is a method by which Splunk can receive an HTTP post with a payload of data. This enables cloud services like Mist to send it data via webhooks. Webhooks require IP reachability from the Mist Cloud. This means you need a publicly accessible URL for your Splunk server with an open port.
For self-service Splunk Cloud, this is already achievable. For Splunk Enterprise, you may need to work with your Splunk architect and/or security team to ensure you can safely get webhooks to Splunk instance running HEC.
Setting up HEC in Splunk
- Go to Settings > Data Inputs
- Go to HTTP Event Collection > Add New
- Provide a Name, Source Name. If your organization leverages Output Groups, select the appropriate output group. Otherwise, ignore Output Group.
- Click Next
- Under Input Settings, for sourcetype specify _json. For App Context, specify Search and
Reporting. For index, choose the appropriate index or create a new index. In the example, we have a “network” index we will use for this example
- Click Review
- Verify the settings and click Submit
- Record the token value, you will need this for the Mist Webhook.
- Navigate back to Settings > Data Inputs > HTTP Event Collection 10.
- In the upper-right corner select “Global Defaults”
- Specify the default sourcetype of _json. The port 8088 is the default. You can specify a default index if needed.
- At this point you should have HEC setup in splunk.
- You can test that this works by performing the following:
curl -k 'https://<FQDN OF SPLUNK>:<HEC PORT>/services/collector' \ --header "Authorization: Splunk <HEC TOKEN>" \ --data '{"event": "hello world"}' - You should receive something similar to the following: {“text”:”Success”,”code”:0}
- If you receive a Success, you have successfully setup HEC in Splunk.
- If you are not successful, you may have to check to ensure that there are not firewall
rules impacting your HEC port on the Splunk instance.
Configure Mist Webhooks to point to splunk:
At this stage you should have 3 things needed to configure the webhook:
- FQDN of your Splunk HEC instance
- Port HEC is listening on (Default is 8088)
- Splunk HEC Token
You can configure webhooks in Mist at either the Org level, or the Site level. For this example, we will be configuring an Org level webhook and the topics we will be subscribing to will be “audits”, “alarms”, “device-events”.
-
-
- Start by logging into your Mist dashboard.
- Find your `org_id` by navigating to Organization > Settings.
- Click the copy button next to the box Organization ID.
- Navigate to your org webhooks by visiting:
https://api.mist.com/api/v1/orgs/:org_id/webhooks
Note, you will have to substitute :org_id with your actual org_id. Juniper Business Use Only - Construct the payload for your webhook replacing values in <> with the values from
above.
{ "name": "Splunk Webhook", "type": "splunk", "url": "https://<FQDN of SPLUNK>:<PORT>/services/collector", "splunk_token": "<SPLUNK TOKEN>", "enabled": true, "topics": [ "audits", "alarms", "device-events" ], "verify_cert": true}- Place the constructed payload in the box at the bottom of the page and click POST.
- Verify that you now see the submitted configuration in the top field and that you have the “id” field.
At this point, you should have webhooks enabled and pointed to your Splunk HEC.
References used in this guide:
Setup and use HTTP Event Collection:
https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/UsetheHTTPEventCollector
Mist API Documentation for Webhooks:
-