Splunk

The Files.com integration with Splunk Enterprise and Splunk Cloud uses Splunk's HTTP Event Collector to send Files.com logs directly into your Splunk environment for real-time analysis. You choose which log types are forwarded.

Logs are sent in JSON format over HTTP, which is the format Splunk's data ingestion pipeline expects. The same integration works for on-premises Splunk Enterprise and Splunk Cloud.

Getting Started with Splunk Integration

Files.com uses Splunk's HTTP Event Collector (HEC) to send audit logs and actions to a Splunk deployment over HTTP or HTTPS with token-based authentication. Generate a token in Splunk, and Files.com will transmit logs to HEC in JSON format. No Splunk forwarder is needed.

See Splunk's documentation on setting up and using the HTTP Event Collector in Splunk Web for more details.

When configuring Splunk's HEC, select Automatic for the Source type if prompted. Leave the index options at their default settings. Do not enable indexer acknowledgment; it is not supported.

Configuring Files.com for Splunk Integration

When configuring the Splunk integration in Files.com, provide a Name for the integration for your records. Specify the HTTP Event Collector Host or URI (the HEC URI) from your Splunk HEC configuration as the Destination URL in Files.com. For authentication, use the HTTP Event Collector Token from the same Splunk HEC configuration as the Splunk token in Files.com.

The HEC URI format for Splunk Cloud is: <protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint> (for example, https://http-inputs-myhostname.splunkcloud.com:443/services/collector/event).

The HEC URI format for Splunk Enterprise is: <protocol>://<host>:<port>/<endpoint> (for example, https://myhostname:8088/services/collector/event).

The HEC URI varies based on the geo-region or third-party cloud platform hosting your instance, and whether you are using a Splunk trial or demo account. The http-inputs- segment may not be required for the Splunk Cloud trial version. See Splunk's documentation for the correct HEC URI for your environment, which you then enter as the Destination URL in Files.com.

If you need to pass extra headers to your SIEM setup, configure them by entering each Header Name and Header Value in the Key and Value fields.

Choosing Log Types to Forward to Splunk

You can select which types of logs are forwarded to each Splunk instance. By default, all log types are enabled, and you can customize the log types collected for different instances. See the Log Types section for the available options.

Troubleshooting

If logs are not being forwarded or received in Splunk, verify that your Splunk HTTP Event Collector (HEC) endpoint and token are accurate and correctly configured in Files.com as the Destination URL and Splunk token.

If the problem continues, check for network connectivity problems or firewall rules blocking communication between Files.com and your Splunk environment. For additional information, review SIEM-related logs under External Logs by selecting SIEM as the Event Type. These logs help identify problems in the log forwarding process. If the problem persists, see Splunk's troubleshooting documentation.
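The following pre-flight script is an added example, not part of the Files.com or Splunk documentation: it checks a Destination URL against the HEC URI formats given above, builds the request headers HEC expects (its "Authorization: Splunk <token>" scheme plus any extra Key/Value headers), and can post one constructed test event so the endpoint and token are confirmed before logs are enabled. The hostnames and token are placeholders, and the "Success" reply it looks for is HEC's standard acknowledgment of an accepted event.

```python
"""Pre-flight check for a Splunk HEC destination before enabling it in Files.com.
Added example; the hostnames and token used here are constructed placeholders."""
import json
import sys
from urllib.parse import urlparse
from urllib.request import Request, urlopen

HEC_EVENT_PATH = "/services/collector/event"   # documented endpoint for both Cloud and Enterprise


def check_hec_uri(uri: str) -> list:
    """Return problems found in a Destination URL; an empty list means it matches the documented format."""
    problems = []
    u = urlparse(uri)
    if u.scheme != "https":
        # the token travels in a request header, so plain http exposes it in transit
        problems.append("scheme should be https")
    if not u.hostname:
        problems.append("host is missing")
    elif u.hostname.endswith(".splunkcloud.com") and not u.hostname.startswith("http-inputs-"):
        problems.append("Splunk Cloud hosts normally carry the http-inputs- prefix (trial instances may not)")
    if u.port is None:
        problems.append("port is missing (Cloud uses 443, Enterprise defaults to 8088)")
    if u.path != HEC_EVENT_PATH:
        problems.append("path should be " + HEC_EVENT_PATH)
    return problems


def hec_headers(token: str, extra_headers=None) -> dict:
    """HEC authenticates with 'Authorization: Splunk <token>'; extra headers mirror the Key/Value fields."""
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    headers.update(extra_headers or {})
    return headers


def hec_body(event: dict) -> bytes:
    """One event in the JSON envelope HEC expects; no sourcetype is set, so Splunk's 'Automatic' choice applies."""
    return json.dumps({"event": event}).encode("utf-8")


def send_test_event(uri: str, token: str, extra_headers=None) -> dict:
    """POST a single constructed event; HEC replies {"text": "Success", "code": 0} when it was accepted."""
    problems = check_hec_uri(uri)
    if problems:
        raise ValueError("; ".join(problems))
    req = Request(uri, data=hec_body({"message": "files.com HEC pre-flight"}),
                  headers=hec_headers(token, extra_headers), method="POST")
    with urlopen(req, timeout=10) as resp:      # an HTTP 401/403 raised here points at the token
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # usage: python hec_preflight.py <Destination URL> <HEC token>
    print(send_test_event(sys.argv[1], sys.argv[2]))
```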