Audit events can be forwarded from Conjur directly into Splunk. Since audit logs are in JSON format, Splunk can read the event and parse out every field. This makes searching Conjur logs in Splunk easy and also makes it simple to set up alerts on specific events that happen inside Conjur. For example, an alert can be sent to the security team if a user repeatedly tries to fetch a secret for which they don't have access. Forwarding Conjur audit logs to Splunk is a powerful way to inspect, detect, and act on Conjur events.
Splunk Cloud was used for this guide, but the same steps work for any recent version of Splunk.
1. Mount the audit messages file
Audit messages are written to the file /var/log/conjur/audit.messages inside the Conjur appliance. This file is in JSON format, with a newline separating each audit event. To make this file available for forwarding, its directory must be mounted to the host running the Conjur container.
$ docker run -d --restart always \
    --name conjur-appliance \
    -p "443:443" -p "636:636" -p "5432:5432" -p "5433:5433" \
    -v /var/log/conjur:/var/log/conjur \
    conjur-appliance
After initializing the Docker container, you should see the file /var/log/conjur/audit.messages on the host that is running the Conjur appliance.
/var/log/conjur is already mounted to the host running the Conjur container.
2. Point a universal forwarder to the file
Follow this guide to install and configure a universal forwarder on the Conjur master. Configuration management or a separate linked container can be used to automate this step.
3. Configure forwarding in the Splunk UI
Once the forwarder is set up, the remaining configuration can be done in the Splunk UI.
Settings > Add Data from the top menubar and select
If the forwarder is configured and running, you will see a host in the list on the following page. Choose this host and add it to a server class ('conjur' is a good class name).
On the next screen, select 'Files and Directories' in the sidebar and set Splunk to follow the file
Since the 'audit.messages' file is in JSON format, choose _json as the source type on the next screen. Choose the index you'd like to use.
Finally, review settings and submit changes.
In a short time you will see Conjur audit events in your Splunk search dashboard.
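The alert described in the introduction (a user repeatedly trying to fetch a secret they cannot access) can be prototyped offline against the newline-delimited JSON file before building it in Splunk. This is an added example, not code from the Conjur documentation; the field names `timestamp`, `user`, `action`, `resource` and `allowed`, and the sample events, are assumptions to be checked against your own audit.messages.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of audit.messages: one JSON event per line.
# Field names (timestamp, user, action, resource, allowed) are assumptions.
SAMPLE = """\
{"timestamp":"2024-01-01T10:00:00Z","user":"host:app1","action":"fetch","resource":"variable:db/password","allowed":false}
{"timestamp":"2024-01-01T10:00:20Z","user":"host:app1","action":"fetch","resource":"variable:db/password","allowed":false}
{"timestamp":"2024-01-01T10:00:30Z","user":"user:alice","action":"fetch","resource":"variable:db/password","allowed":true}
{"timestamp":"2024-01-01T10:00:40Z","user":"host:app1","action":"fetch","resource":"variable:api/key","allowed":false}
{"timestamp":"2024-01-01T10:00:50Z","user":"user:bob","action":"fetch","resource":"variable:api/key","allowed":false}
{"timestamp":"2024-01-01T10:01:
"""

def parse_events(text):
    """Yield one dict per line; skip blank or truncated (partially written) lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event

def repeated_denials(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: [resources]} for users with >= threshold denied fetches in window."""
    recent = defaultdict(deque)  # user -> deque of (time, resource), oldest first
    alerts = {}
    for e in events:
        if e.get("action") != "fetch" or e.get("allowed") is not False:
            continue
        try:
            ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            user = e["user"]
        except (KeyError, ValueError, AttributeError):
            continue  # event lacks a usable timestamp or user
        q = recent[user]
        q.append((ts, str(e.get("resource", "?"))))
        while ts - q[0][0] > window:  # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = sorted({r for _, r in q})
    return alerts

if __name__ == "__main__":
    for user, resources in repeated_denials(parse_events(SAMPLE)).items():
        print(f"ALERT {user}: repeated denied fetches of {resources}")
```

The same threshold and time window carry over to a Splunk alert once the fields are indexed.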