EDR: How to Configure the Event Forwarder to use an HEC token to connect to Splunk

Environment

  • EDR: 7.7.0 and Higher
  • Event Forwarder: 3.7.6
  • Splunk: All Supported Versions

Objective

To configure the EDR Event Forwarder to connect to Splunk using an HTTP Event Collector (HEC) token.

Resolution

  1. Edit /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
  2. Add or modify the following settings, replacing <your-splunk-HEC-endpoint> and YOUR_SPLUNK_HEC_TOKEN with your own values:

     output_type=splunk
     splunkout=https://<your-splunk-HEC-endpoint>:8088/services/collector/event
     output_format=json

     [splunk]

     hec_token=YOUR_SPLUNK_HEC_TOKEN
     tls_verify=false
     upload_empty_files=false
     bundle_send_timeout=60
     http_post_template={{range .Events}}{"sourcetype":"vmware:cb:edr:json","event":{{.EventText}}}{{end}}
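The following Python script is an added example, not part of this article or of the Event Forwarder itself. It parses the [splunk] section shown above, reproduces what the http_post_template produces (one HEC envelope per event, concatenated with no separator, which is the body shape Splunk HEC accepts), decodes that body the way HEC would, builds the Authorization header HEC expects, and runs the pre-deployment checks a practitioner would want: a placeholder hec_token (HEC answers 403 Invalid token), tls_verify=false (the forwarder would not validate the HEC certificate), and a template missing the sourcetype envelope. The sample config text and the sample events are constructed for this example; the event fields are illustrative, not a real EDR schema.

```python
import configparser
import json
from typing import Dict, List

# Constructed sample of the [splunk] section from the article (hec_token is still the placeholder).
SAMPLE_CONF = """\
[splunk]
hec_token=YOUR_SPLUNK_HEC_TOKEN
tls_verify=false
upload_empty_files=false
bundle_send_timeout=60
http_post_template={{range .Events}}{"sourcetype":"vmware:cb:edr:json","event":{{.EventText}}}{{end}}
"""

# Constructed sample events; field names are illustrative only (hypothetical, not an EDR schema).
SAMPLE_EVENTS = [
    {"type": "ingress.event.procstart", "process_name": "cmd.exe", "hostname": "WIN-LAB-01"},
    {"type": "ingress.event.netconn", "remote_ip": "203.0.113.10", "hostname": "WIN-LAB-01"},
]


def parse_splunk_section(conf_text: str) -> Dict[str, str]:
    """Read the [splunk] section. Interpolation is off so the Go template braces survive untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["splunk"])


def render_hec_payload(events: List[dict], sourcetype: str = "vmware:cb:edr:json") -> str:
    """Mirror the article's http_post_template: one HEC envelope per event, back to back, no separator."""
    return "".join(
        json.dumps({"sourcetype": sourcetype, "event": ev}, separators=(",", ":"))
        for ev in events
    )


def split_hec_payload(body: str) -> List[dict]:
    """Decode a concatenated-JSON body object by object, as HEC does on receipt."""
    decoder = json.JSONDecoder()
    objs, pos = [], 0
    while pos < len(body):
        obj, pos = decoder.raw_decode(body, pos)
        objs.append(obj)
    return objs


def hec_headers(hec_token: str) -> Dict[str, str]:
    """HEC authenticates each POST with 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}


def check_splunk_config(conf_text: str) -> List[str]:
    """Checks worth running on the [splunk] section before restarting the forwarder."""
    s = parse_splunk_section(conf_text)
    findings = []
    if s.get("hec_token", "") in ("", "YOUR_SPLUNK_HEC_TOKEN"):
        findings.append("hec_token is still the placeholder; HEC will reject every POST with 403 Invalid token")
    if s.get("tls_verify", "true").lower() == "false":
        findings.append("tls_verify=false: the HEC certificate is not validated; prefer a trusted CA cert with tls_verify=true")
    tmpl = s.get("http_post_template", "")
    if '"sourcetype"' not in tmpl or "{{.EventText}}" not in tmpl:
        findings.append("http_post_template does not wrap {{.EventText}} in a HEC envelope with a sourcetype")
    return findings


if __name__ == "__main__":
    for f in check_splunk_config(SAMPLE_CONF):
        print("CHECK:", f)
    body = render_hec_payload(SAMPLE_EVENTS)
    print("body:", body)
    print("decoded objects:", len(split_hec_payload(body)))
    print("headers:", hec_headers("<your-hec-token>"))
```

Run it as-is to see the two findings the article's unedited snippet triggers (placeholder token and tls_verify=false); point parse_splunk_section at the real /etc/cb/integrations/event-forwarder/cb-event-forwarder.conf contents to check a deployed file.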

Article Information
Creation Date: 07-26-2022