Integrating Splunk with Jamf Protect

If you use Jamf Protect, you can send alert and log data to Splunk instead of or in addition to the Jamf Protect cloud.

Integrating with Splunk involves the following steps:

  1. Configuring an HTTP event collector in Splunk.

  2. Testing the HTTP event collector to confirm a successful connection.

  3. Configuring an Action configuration to send data to your Splunk endpoint.

Configuring an HTTP Event Collector and Token in Splunk

To allow Jamf Protect to send date and app events over HTTP, you must configure an HTTP event collector in your Splunk instance, and then create a new event collector token.

For instructions, see the Set up and use HTTP Event Collector in Splunk Web documentation from Splunk.

When configuring global settings for the HTTP event collector, make sure the following settings are used:

  • Tokens are enabled.
  • SSL is enabled.
  • One of the following default HTTP ports are used:
    • Splunk Enterprise

      Port 8088

    • Splunk Cloud

      Port 443

Testing the Event Collector Token

  1. Obtain the following values from your Splunk instance:
    1. Your Splunk instance URL in the following format:

      https://your-splunk-instance:8088/services/collector/raw

      Note:

      You must add /services/collector/raw to the end of your instance URL to allow Splunk to collect JSON data from Jamf Protect.

    2. Your previously created event collector token value in the following format:

      2b9e8b2d-927e-4b38-68e2-622588c39123

  2. Using the values obtained in step one, execute the following command:
    curl https://your-splunk-instance:8088/services/collector/raw -H "Authorization: Splunk 0f9b8b2d-927e-4b38-88e2-622588c39123" -d '{"event": "Hello World"}'

If the event collector token is functioning correctly, you should receive a response similar to the following:

{"text":"Success","code":0}

If you do not receive a successful response, you may need to modify your Splunk instance URL in one of the following ways:

  • Splunk Enterprise

    Add "inputs-" to the beginning of your instance URL: "https://inputs-your-splunk-instance:8088/services/collector/raw"

  • Splunk Cloud

    Add "http-inputs-" to the beginning of your instance URL: "https://http-inputs-your-splunk-instance:433 /services/collector/raw"

Configuring an Action Configuration

  1. In Jamf Protect, click Actions.
  2. Click Create Actions Config at the top of the screen.
  3. Give your Actions configuration a name and description.
  4. (Optional) Configure settings in the Cloud Collection Options section.
  5. Set the alert severity range to send to Jamf Protect Cloud by choosing a minimum and maximum alert severity from the pop-up menus.
  6. Configure Jamf Protect to send alert data to Splunk:
    1. Click the Alert Collection Endpoints button.
    2. Enter your Splunk endpoint in the URL field.
    3. Click + Add HTTP Header.
    4. Enter Authorization in the Header field.
    5. Enter your event collection token in the format of Splunk your-token in the Value field.
    6. Set the minimum and maximum severity levels from the Severity pop-up menus. The default severity is Low.
  7. (Optional) Configure additional Action configuration settings.
  8. Click Save.

You can now add your action configuration to a plan for deployment.