Sending Logs to Splunk Enterprise and Splunk Cloud

Axis Security supports sending logs to Splunk Enterprise and Splunk Cloud.

Installation in Axis Security

Prerequisites

  • Splunk Cloud or Enterprise Administrator access to install the Axis Security Technical Add-on (TA) and add a Data Input.
  • Axis Administrator access to create a Splunk API key.

Creating Log Streaming to Splunk

  1. Go to Settings -> Log Streaming -> New Log Streaming.
  2. Select Splunk.
  3. Configure the following options:
    Name: Add a meaningful name for the Splunk Integration.
    Description: Add a description.
  4. Click Submit.

New Log Streaming

  1. Download Application.
  2. Copy the API key. Note: Once the window is closed, the code will no longer be available.
  3. Click OK.

Note

To commit your changes, navigate to the top-right menu, click Apply Changes, then select Commit Changes.

Sending Logs to Splunk Enterprise

  1. In Splunk, click the cog wheel in the upper left corner.
  2. Click Install app from file in the upper right corner.
  3. Click Choose File to upload the file downloaded from the Management Console (“axis_splunk_app.zip”).
  4. Click Settings -> Data inputs.
  5. Click Add new next to Axis Security modular input.
  6. Provide a name, paste the token (API key) copied from the Management Console, and enter a value for log severity: the minimum severity at which the Splunk application writes its own logs.
  7. To change the index, check More settings and enter your preferred index (the default index is “main”).
  8. On your Splunk main page you should now see the “Axis Security” integration.

Sending logs to Splunk Cloud

Verifying Your Splunk Experience

Note: If you are using the Victoria experience, refer to the known issues section.

To verify your Splunk experience (Classic or Victoria):

  1. Log in to the Splunk Cloud Platform.
  2. Go to Support & Services -> About.

Configuring the Axis App in Splunk Cloud

To configure the Axis App:

  1. Go to Apps -> Browse More Apps.
  2. Search for “Axis”.
  3. Click Install. If it is already installed, click Open App.

Note

You will be prompted to restart the Splunk Server after installing. This is not required.

  1. Go to Settings -> Data Inputs.
  2. Find the Axis Security input type and click +Add New.
  3. Enter a name.
  4. Paste the API token from the Axis configuration into the Secret token field.
  5. Check the More settings box to change the Host or Index used for the Axis logs.
  6. Click Next.

To view the data:
Go to Settings -> Data Inputs -> Axis Security.

Known Issues

In the Victoria experience, the Axis Security Data Input might not appear.

To go to the Axis Security Data Input configuration page, use one of the following methods:


Using Splunk Logs

  1. Click the Axis Security icon on your Splunk main page.
  2. Click Data Summary.
  3. Select either Hosts or Sources (either “activityLog” or “auditLog”), or search for the relevant index in the search bar.
  4. You should now see your Axis Security activity and audit log information.

Universal Forwarder

Installation

Note: When using the Splunk Universal Forwarder, keep in mind that you need to update the Axis Splunk app version manually, since the Universal Forwarder does not support auto-update from Splunkbase.

Since the forwarder has no UI, the installation requires access to the forwarder’s server.

Extract the package. Run the following command (note the parameters):
tar xvzf <tar_folder>/axis_splunk_app.tar.gz -C <path_to_forwarder>/etc/apps

Configure the input. Edit the file:
<path_to_forwarder>/etc/apps/axis_splunk_app/default/inputs.conf

Choose a name for your input and append the following stanza at the end of the file (the index line is optional; the default value is “main”):
[axis_splunk_app://YourInputName]
token = <your_access_token>
index = <your_index>

Restart the Splunk Forwarder. Run the commands:
<path_to_forwarder>/bin/splunk stop
<path_to_forwarder>/bin/splunk start
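As an added example (not part of the Axis documentation or of the Axis app), the inputs.conf step above as a POSIX shell helper that can be run non-interactively: it appends the stanza only if no stanza of that name exists yet, rejects tokens containing whitespace, and restricts the file's permissions because it now holds the API key. The function names add_axis_input and restart_forwarder and their arguments are assumptions; the paths and stanza format are the ones given on this page.

```shell
# add_axis_input <path_to_forwarder> <InputName> <access_token> [index]
# Hypothetical helper for this page. Run it as the forwarder's service user so
# that the forwarder can still read the file after its permissions are tightened.
add_axis_input() {
    fwd="$1"; name="$2"; token="$3"; index="${4:-main}"   # index defaults to "main"
    app="$fwd/etc/apps/axis_splunk_app"
    conf="$app/default/inputs.conf"
    stanza="[axis_splunk_app://$name]"

    # The tarball must have been extracted first (tar xvzf ... -C .../etc/apps).
    if [ ! -d "$app/default" ]; then
        echo "axis_splunk_app is not extracted under $fwd/etc/apps" >&2
        return 1
    fi
    # Duplicate stanza names in one .conf file are merged, which hides mistakes.
    if [ -f "$conf" ] && grep -Fxq "$stanza" "$conf"; then
        echo "$stanza already exists in $conf" >&2
        return 2
    fi
    # Whitespace in the token would break the "key = value" line.
    case "$token" in
        *[[:space:]]*) echo "token contains whitespace" >&2; return 3 ;;
    esac

    # Create or append with owner-only permissions: the file holds the API key.
    ( umask 077; {
        printf '\n%s\n' "$stanza"
        printf 'token = %s\n' "$token"
        printf 'index = %s\n' "$index"
      } >> "$conf" )
    chmod 600 "$conf"
}

# Restart the forwarder so it picks up the new input (the same commands as above).
restart_forwarder() {
    "$1/bin/splunk" stop && "$1/bin/splunk" start
}
```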

Troubleshooting Sync Issues

The Log Streaming table provides the following sync status information:

Synced: Log has synced successfully.
Sync in progress: Log is currently syncing.
Pending initial sync: Log has not synced yet.
Not synced: Log has not synced recently; there may be a temporary sync issue. Indicates the time since the last successful sync.

If the integration sync indicator is red, take the following action:

  • Splunk Cloud and Splunk Enterprise: Disable and then re-enable the Axis input.
    1. Go to Settings -> Data Inputs -> Axis Security.
    2. Click Disable and then Enable.
  • If the issue is not solved, run the search index="_internal" sourcetype="splunkd" axis_splunk_app and contact Axis Support ([email protected]) with the information.