Configure Gathid to forward events to Splunk
Gathid can be configured to forward events to your Splunk SIEM instance using Splunk's HTTP Event Collector (HEC).
Overview
Gathid can be configured to forward all events listed in the Gathid Log Report to your Splunk SIEM instance using Splunk's HTTP Event Collector.
At the end of this guide you will provide the HEC URL and token to your Gathid representative.
Summary
Steps to configure Gathid to forward log events
1. Enable the HTTP Event Collector in your Splunk instance
- Log into your Splunk instance and navigate to Settings > Data Inputs.
- Under Local inputs, click HTTP Event Collector.
- If tokens are not already enabled, click Global Settings, set All Tokens to Enabled (the default options can be accepted), and click Save.
2. Create an HEC Token
- From the HTTP Event Collector page, click New Token.
- On the Select Source tab, provide a name, e.g., Gathid, and click Next.
- On the Input Settings tab, click Review.
- On the Review tab, click Submit.
- The Done tab shows the newly generated token. Copy this token and provide it to your Gathid representative along with the HEC URL.
3. Test Data Transmission (if required)
When your Gathid representative has confirmed that the HEC token has been configured, logs should begin to flow to Splunk. If you have a firewall, it may block this traffic unless the Gathid URLs have been allowlisted. Ask your Gathid representative for the URLs of your Gathid instance.
To test transmission:
- Use curl or a REST client.
- Send a test event to Splunk with the following example command:
curl -k "https://<splunk_server>:8088/services/collector" -H "Authorization: Splunk <your_token>" -d "{\"event\": \"Test Gathid event\", \"sourcetype\": \"json\", \"host\": \"test_gathid_event\"}"
- Replace <splunk_server> and <your_token> with your Splunk server address and token.
- Verify that the data appears in Splunk by going to the Search & Reporting page and running the query index=<your_index>.
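As an added example (not Gathid's or Splunk's own code), the Python script below sends the same test event as the curl command above, but keeps TLS certificate verification on (curl's -k flag turns it off) and checks HEC's JSON reply for code 0 rather than assuming the POST succeeded. HEC_URL and HEC_TOKEN are placeholders you replace with your own values.

```python
import json
import ssl
import urllib.error
import urllib.request

HEC_URL = "https://<splunk_server>:8088/services/collector"  # placeholder, replace
HEC_TOKEN = "<your_token>"                                    # placeholder, replace


def build_hec_payload(event, sourcetype="json", host="test_gathid_event", index=None):
    """Return the JSON body HEC expects (same fields as the curl example);
    'index' is optional and must be one the token is permitted to write to."""
    body = {"event": event, "sourcetype": sourcetype, "host": host}
    if index:
        body["index"] = index
    return json.dumps(body)


def interpret_hec_reply(status, body_text):
    """HEC answers HTTP 200 with {"text": "Success", "code": 0} when the event
    was accepted; any other status or code means it was not indexed."""
    try:
        reply = json.loads(body_text)
    except json.JSONDecodeError:
        return False, f"non-JSON reply (HTTP {status})"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text', body_text)}"


def send_test_event(hec_url=HEC_URL, token=HEC_TOKEN, verify_tls=True):
    """POST one test event. Unlike 'curl -k', the server certificate is verified
    by default; pass verify_tls=False only for a lab instance with a self-signed cert."""
    req = urllib.request.Request(hec_url, data=build_hec_payload("Test Gathid event").encode(),
                                 method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret_hec_reply(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # HEC returns 4xx with a JSON body on bad token/data
        return interpret_hec_reply(e.code, e.read().decode())


if __name__ == "__main__":
    print(send_test_event())
```

A False result with the HEC text alongside it (for example an invalid-token message) tells you whether to check the token, the index permissions, or the network path before asking your Gathid representative to look further.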