Integrating Splunk with Jamf Protect
If you use Jamf Protect, you can send alert and log data to Splunk instead of or in addition to the Jamf Protect cloud.
Integrating with Splunk involves the following steps:
- Configuring an HTTP event collector (HEC) and token in Splunk.
- Testing the HTTP event collector token to confirm a successful connection.
- Configuring an Action configuration in Jamf Protect to send data to your Splunk endpoint.
General Requirements
To integrate with Splunk, you need the following:
- A Splunk instance (Splunk Enterprise or Splunk Cloud)
- A trusted third-party SSL certificate on the Splunk HTTP event collector endpoint. For more information, see the documentation from Splunk.
Configuring an HTTP Event Collector and Token in Splunk
To allow Jamf Protect to send alert and log data over HTTP, you must enable an HTTP event collector in your Splunk instance and then create a new event collector token for Jamf Protect to authenticate with.
For instructions, see the Set up and use HTTP Event Collector in Splunk Web documentation from Splunk.
When configuring global settings for the HTTP event collector, make sure the following settings are used:
Testing the Event Collector Token
If the event collector token is functioning correctly, you should receive a response similar to the following:
{"text":"Success","code":0}
If you do not receive a successful response, you may need to modify your Splunk instance URL in one of the following ways:
- Splunk Enterprise—
Add "inputs-" to the beginning of your instance hostname and use the default HEC port 8088: "https://inputs-your-splunk-instance:8088/services/collector/raw"
- Splunk Cloud—
Add "http-inputs-" to the beginning of your instance hostname and use port 443: "https://http-inputs-your-splunk-instance:443/services/collector/raw"
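The following shell script is an added example and is not part of the Jamf or Splunk documentation. It builds the two URL forms described above, sends one constructed test event to the raw collector endpoint with the same "Authorization: Splunk <token>" header that the Jamf Protect Action configuration uses, and checks the JSON reply for "code":0 without depending on jq. The hostname, the token value and the environment variable names (SPLUNK_HOST, HEC_TOKEN, HEC_RUN) are placeholders you must replace; the "Invalid token" reply shown in the comments is Splunk's standard response for a bad token.

```shell
#!/bin/sh
# Added example: exercise a Splunk HEC token the way Jamf Protect will.
# SPLUNK_HOST and HEC_TOKEN are placeholders (the token below is a constructed
# dummy, not a real credential).
SPLUNK_HOST="${SPLUNK_HOST:-your-splunk-instance}"
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"

# Build the raw-collector URL for a deployment type.
#   enterprise -> inputs-<host>:8088      (default HEC port)
#   cloud      -> http-inputs-<host>:443
#   anything else -> plain <host>:8088, the form to try first
hec_url() {
  case "$1" in
    enterprise) printf 'https://inputs-%s:8088/services/collector/raw\n' "$2" ;;
    cloud)      printf 'https://http-inputs-%s:443/services/collector/raw\n' "$2" ;;
    *)          printf 'https://%s:8088/services/collector/raw\n' "$2" ;;
  esac
}

# Return 0 when a HEC reply reports success ({"text":"Success","code":0}),
# 1 for anything else, e.g. {"text":"Invalid token","code":4} or an empty body.
hec_reply_ok() {
  case "$1" in
    *'"code":0}'*|*'"code":0,'*|*'"code": 0}'*|*'"code": 0,'*) return 0 ;;
    *) return 1 ;;
  esac
}

# POST one constructed test event. No -k / --insecure: the certificate must be
# trusted, which is also a stated requirement for Jamf Protect to send data.
hec_send_test() {
  url="$1"; token="$2"
  curl -sS -X POST "$url" \
    -H "Authorization: Splunk $token" \
    -d '{"event":"Jamf Protect HEC connectivity test","source":"hec-test"}'
}

# Try the plain URL first, then the two prefixed forms, and report the first that works.
hec_probe() {
  for kind in plain enterprise cloud; do
    url=$(hec_url "$kind" "$SPLUNK_HOST")
    reply=$(hec_send_test "$url" "$HEC_TOKEN" 2>/dev/null || true)
    if hec_reply_ok "$reply"; then
      printf 'OK   %s\n' "$url"
      return 0
    fi
    printf 'FAIL %s -> %s\n' "$url" "${reply:-no response}"
  done
  return 1
}

# Only contact Splunk when explicitly asked, so the functions can be sourced safely.
if [ "${HEC_RUN:-}" = "1" ]; then
  hec_probe
fi
```

Run it with HEC_RUN=1 SPLUNK_HOST=... HEC_TOKEN=... sh hec-test.sh; a "FAIL" line whose reply is "Invalid token" means the URL is right and the token is wrong, while a connection error points at the hostname, port or certificate.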
Configuring an Action Configuration
- In Jamf Protect, click Actions.
- Click Create Actions Config at the top of the screen.
- Give your Actions configuration a name and description.
- (Optional) Configure settings in the Cloud Collection Options section:
  - Set the alert severity range to send to Jamf Protect Cloud by choosing a minimum and maximum alert severity from the pop-up menus.
- Configure Jamf Protect to send alert data to Splunk:
  - Click the Alert Collection Endpoints button.
  - Enter your Splunk HTTP event collector endpoint (the URL that returned a successful response when you tested the token) in the URL field.
  - Click + Add HTTP Header.
  - Enter Authorization in the Header field.
  - Enter your event collector token in the Value field in the format Splunk <your-token> (the word "Splunk", a space, then the token). This token is the only credential that authorizes data to your collector, so treat it as a secret and rotate it in Splunk if it is exposed.
  - Set the minimum and maximum severity levels from the Severity pop-up menus. The default minimum severity is Low.
- (Optional) Configure additional Action configuration settings.
- Click Save.
You can now add your action configuration to a plan for deployment.