HTTP Reporting Splunk
  • 30 Mar 2021

Setting up Splunk as a HTTP SIEM Integration

The Process element has been updated in version 2.14 to include much more detail about the application. This change may impact reports and alerts that key on the old format, so update them as needed.

Previously the Detail JSON would look something like below based on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"/Users/peter/Downloads/system 2.log", "process":"application_name_here"}"}

Starting in version 2.14, the Detail JSON looks something like below based on the event.

{"message":"{"fid":"{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", "path":"\/Users\/username\/Pictures\/Backgrounds\/IMG_1900.JPG", "process":{"name":"dock","impname":"dock","ver":"2092.20.9","cert":{"status":"Trusted","certHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxx","signHash":"xxxxxxxxxxxxxxxxxxxxxxxxxxx","serial":"YYYYYYYYYYYYYYYY","desc":"Dock","prod":"Dock","inner":"","strong":"","original":"","executable":"file:\/\/\/System\/Library\/CoreServices\/\/Contents\/MacOS\/Dock","publisher":"Software Signing","signers":["Software Signing","Apple Code Signing Certification Authority","Apple Root CA"]}}}"}

SecureCircle will output detailed server and usage logs to any SIEM or Syslog aggregator. This document will give examples on how to setup SecureCircle with Splunk, however, these general steps can be applied to any SIEM.

Configuring Splunk Data Input

In the Splunk admin UI, click Settings in the top navigation bar, then click Data Inputs, then click HTTP Event Collector.


In the upper right, click Global Settings to edit and save the global configuration. SecureCircle does not require any changes from the default settings, but check the Enable SSL and HTTP Port Number settings and update them if needed.


Click New Token in the upper right to enter a multi-step configuration wizard.

Select Source: Enter a name for the token. All remaining settings are optional and can be left at their default values.

Input Settings:
Source Type = automatic
App context = Search & Reporting (search)
Index = select the index where incoming data will be stored. Create a new index if required.

Verify the configuration and click Submit.


After completing the Data Input wizard for HTTP Event Collector, a new token will be generated.

Configuring SecureCircle Output

In the SecureCircle admin UI, go to Configurations > Integrations > SIEM in the left navigation menu. For new integrations, click Add Server.

Click HTTP and enter all the required information. Example names, ports, and domains are used below.

Field Name          Value
Name                Splunk HTTP
Port                8088
Path                /services/collector
Message Pattern     {"sourcetype": "_json", "host": "", "event": %s}
Header Information
  Content-Type      application/json
  Authorization     Splunk b7ae6510-977e-46d7-876f-d1ce9fee1f75

For the Authorization header, use 'Splunk ' followed by the token created in the earlier step.
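As an added example (not SecureCircle's or Splunk's own code), the following Python builds the HEC request the settings above describe (the Message Pattern with %s replaced by the event JSON, and an Authorization header of 'Splunk' plus the token) and normalizes a Detail JSON so that both the pre-2.14 string form of "process" and the 2.14+ object form yield the same fields for a report or alert. The token and the sample events are constructed placeholders.

```python
import json

# Constructed placeholder values; the real token comes from the HEC wizard.
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
HEC_PATH = "/services/collector"
MESSAGE_PATTERN = '{"sourcetype": "_json", "host": "", "event": %s}'

# Constructed sample Detail JSON in each format the page describes.
# The detail itself is a JSON string carried inside the "message" field.
OLD_DETAIL = json.dumps({"message": json.dumps({
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/peter/Downloads/system 2.log",
    "process": "application_name_here"})})
NEW_DETAIL = json.dumps({"message": json.dumps({
    "fid": "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}",
    "path": "/Users/username/Pictures/Backgrounds/IMG_1900.JPG",
    "process": {"name": "dock", "impname": "dock", "ver": "2092.20.9",
                "cert": {"status": "Trusted", "publisher": "Software Signing"}}})})


def build_hec_request(event_json: str, token: str = HEC_TOKEN) -> dict:
    """Return the path, headers and body posted to the Splunk HTTP Event Collector.

    %s in the Message Pattern is replaced by the raw event JSON, so the event
    must already be valid JSON or the collector rejects the whole post.
    """
    json.loads(event_json)  # fail early on a malformed event
    body = MESSAGE_PATTERN % event_json
    headers = {"Content-Type": "application/json",
               "Authorization": "Splunk " + token}
    json.loads(body)  # the finished payload must still parse as JSON
    return {"path": HEC_PATH, "headers": headers, "body": body}


def normalize_detail(detail_json: str) -> dict:
    """Flatten a Detail JSON into the fields a report or alert keys on.

    Before 2.14 "process" is a plain string; from 2.14 it is an object with the
    name at process.name and the signing state at process.cert.status.
    Fields the old format cannot supply become None.
    """
    detail = json.loads(json.loads(detail_json)["message"])
    proc = detail.get("process")
    fields = {"fid": detail.get("fid"), "path": detail.get("path"),
              "process_name": None, "process_ver": None,
              "cert_status": None, "publisher": None}
    if isinstance(proc, dict):
        cert = proc.get("cert") or {}
        fields.update(process_name=proc.get("name"), process_ver=proc.get("ver"),
                      cert_status=cert.get("status"), publisher=cert.get("publisher"))
    else:
        fields["process_name"] = proc
    return fields
```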


When completed the Splunk HTTP entry will show in your SIEM integration list.

