Integrate Splunk with Dome9

Push

Here's how to connect Splunk to Dome9 with a push method:

1. Download and install the Dome9 App for Splunk.
2. Set up Dome9 to send events to SNS.
3. Set up an HTTP collector in Splunk.
   - Set the sourcetype to aws-dome9 and save the token you create; the Lambda function in the next step needs it to authenticate to the collector.
4. Create a new Lambda function from the Splunk-logging blueprint.

To test and verify, open the Dome9 Splunk app, then log in and out of the Dome9 UI. The login event should appear in the Splunk Dome9 dashboard.
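The Lambda function in step 4 does one job: unwrap the SNS envelope and post the Dome9 event to the HTTP Event Collector with the sourcetype from step 3. The following is an added example of that forwarding logic, written for this article; it is not the Splunk-logging blueprint or Dome9's own code. The environment variable names SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN, the topic ARN, and the fields inside the sample message are assumptions made here.

```python
"""Forward Dome9 events that arrive via SNS to a Splunk HTTP Event Collector (HEC).

Added example for this article, not the Splunk-logging blueprint or Dome9 code.
Assumes the HEC endpoint and token are passed in the (hypothetical) environment
variables SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN, and that the HTTP collector was
created with sourcetype aws-dome9 as step 3 describes.
"""
import calendar
import json
import os
import time
import urllib.request

SOURCETYPE = "aws-dome9"  # must match the HTTP collector configured in Splunk


def sns_timestamp_to_epoch(ts):
    """Convert SNS's ISO-8601 UTC timestamp (e.g. 2018-07-09T20:15:22.123Z) to
    epoch seconds; fall back to 'now' if the field is missing or malformed."""
    try:
        return calendar.timegm(time.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S"))
    except (TypeError, ValueError):
        return int(time.time())


def hec_events_from_sns(event, sourcetype=SOURCETYPE):
    """Turn the SNS-triggered Lambda event into a list of HEC event dicts.

    SNS wraps each published message in a 'Records' envelope; the Dome9 payload
    is the JSON string in Sns.Message. A non-JSON message is forwarded as a
    plain string rather than dropped, so the dashboard never silently loses data.
    """
    events = []
    for record in event.get("Records", []):
        sns = record["Sns"]
        try:
            body = json.loads(sns["Message"])
        except ValueError:
            body = sns["Message"]
        events.append({
            "time": sns_timestamp_to_epoch(sns.get("Timestamp")),
            "sourcetype": sourcetype,
            "source": sns.get("TopicArn", "sns"),
            "event": body,
        })
    return events


def hec_batch_body(events):
    """HEC takes several events per request as newline-separated JSON objects."""
    return "\n".join(json.dumps(e) for e in events).encode("utf-8")


def post_to_hec(body, hec_url, token):
    """POST one batch; an HTTP error raises, so Lambda/SNS will retry the delivery."""
    req = urllib.request.Request(
        hec_url, data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context):
    events = hec_events_from_sns(event)
    if not events:
        return {"forwarded": 0}
    status = post_to_hec(hec_batch_body(events),
                         os.environ["SPLUNK_HEC_URL"], os.environ["SPLUNK_HEC_TOKEN"])
    return {"forwarded": len(events), "status": status}


# Constructed sample of what SNS hands the Lambda for a single Dome9 login event.
# The fields inside "Message" are illustrative, not Dome9's actual event schema.
SAMPLE_EVENT = {
    "Records": [{
        "EventSource": "aws:sns",
        "Sns": {
            "TopicArn": "arn:aws:sns:us-east-1:123456789012:dome9-events",
            "Timestamp": "2018-07-09T20:15:22.123Z",
            "Message": json.dumps({"type": "login", "user": "alice@example.com",
                                   "result": "success"}),
        },
    }],
}

if __name__ == "__main__":
    print(hec_batch_body(hec_events_from_sns(SAMPLE_EVENT)).decode())
```

Running the file offline prints the exact HEC payload the Lambda would send, which is a quick way to confirm the sourcetype and event shape before wiring up the real HEC URL and token; the token is read from the environment rather than embedded in the function code.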


Pull

Here's how to collect events with a pull instead of a push:

1. Set up Dome9 to send events to SNS.
2. Create a new SQS queue (e.g. dome9-events) and subscribe it to the Dome9 SNS topic you created.
3. Download the SQS-PyPoller and follow its setup instructions: create an IAM user, grant it permissions on the SQS queue, and set up the config file with proper permissions and your preferred event output.
4. In the .conf file, choose where to output the events. Depending on where the poller runs, you will dump the events either to a file or to syslog; from there, Splunk collects them like any other local source or file.
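The pull path comes down to three operations: receive from the queue, unwrap the SNS envelope around each Dome9 event, and write it to a file or syslog that Splunk already monitors. The block below is an added example of such a poller written for this article; it is a small stand-in for the SQS-PyPoller, not that tool's code or its .conf format. The queue URL, output path and syslog address are hypothetical, and the FakeSqs client and its two messages are constructed so the demo runs offline.

```python
"""Pull Dome9 events from an SQS queue subscribed to the Dome9 SNS topic and write
them where Splunk can collect them: a local file or syslog.

Added example for this article: a small stand-in for the SQS-PyPoller, not that
tool's code. Queue URL, output path and syslog address are hypothetical; AWS
credentials come from boto3's normal chain (the IAM user created for the poller).
In production, pass boto3.client("sqs") and a FileSink or SyslogSink to poll_once in a loop.
"""
import json
import logging
import logging.handlers


def unwrap_sqs_body(body):
    """Return the Dome9 event in one SQS message body. With a plain SNS subscription
    the body is an SNS envelope whose 'Message' holds the Dome9 JSON as a string;
    with 'Raw message delivery' enabled the body is the event itself."""
    outer = json.loads(body)
    if isinstance(outer, dict) and outer.get("Type") == "Notification" and "Message" in outer:
        try:
            return json.loads(outer["Message"])
        except ValueError:
            return {"raw": outer["Message"]}
    return outer


class FileSink:
    """Append one JSON object per line; point a Splunk file monitor at this path."""
    def __init__(self, path):
        self.path = path

    def write(self, event):
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, sort_keys=True) + "\n")


class SyslogSink:
    """Emit each event as one syslog message to a Splunk UDP/TCP syslog input."""
    def __init__(self, address=("127.0.0.1", 514)):
        self.log = logging.getLogger("dome9-events")
        self.log.setLevel(logging.INFO)
        self.log.propagate = False
        self.log.addHandler(logging.handlers.SysLogHandler(address=address))

    def write(self, event):
        self.log.info(json.dumps(event, sort_keys=True))


def poll_once(sqs, queue_url, sink, max_messages=10):
    """Receive a batch, write each event to the sink, then delete only the messages
    written successfully; a bad one stays queued (visible again after the visibility
    timeout) instead of being lost. Returns the number of events delivered."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=max_messages,
                               WaitTimeSeconds=20)
    done = []
    for msg in resp.get("Messages", []):
        try:
            sink.write(unwrap_sqs_body(msg["Body"]))
        except (ValueError, OSError) as exc:
            logging.warning("leaving %s on the queue: %s", msg["MessageId"], exc)
            continue
        done.append({"Id": msg["MessageId"], "ReceiptHandle": msg["ReceiptHandle"]})
    if done:
        sqs.delete_message_batch(QueueUrl=queue_url, Entries=done)
    return len(done)


class ListSink:
    """In-memory sink for the constructed demo below."""
    def __init__(self):
        self.events = []
    def write(self, event):
        self.events.append(event)


class FakeSqs:
    """Constructed stand-in for boto3's SQS client: one well-formed SNS envelope
    and one corrupt body that must remain on the queue."""
    def __init__(self):
        self.deleted = []
        self.messages = [
            {"MessageId": "m1", "ReceiptHandle": "rh1", "Body": json.dumps(
                {"Type": "Notification",
                 "Message": json.dumps({"type": "login", "user": "alice@example.com"})})},
            {"MessageId": "m2", "ReceiptHandle": "rh2", "Body": "{not json"},
        ]

    def receive_message(self, **kwargs):
        return {"Messages": list(self.messages)}

    def delete_message_batch(self, QueueUrl, Entries):
        self.deleted.extend(e["Id"] for e in Entries)
        return {"Successful": Entries, "Failed": []}


def demo():
    """One poll against the constructed queue; returns (events written, ids deleted)."""
    sqs, sink = FakeSqs(), ListSink()
    poll_once(sqs, "https://sqs.us-east-1.amazonaws.com/123456789012/dome9-events", sink)
    return sink.events, sqs.deleted


if __name__ == "__main__":
    print(demo())
```

The delete-after-write ordering is the part worth copying: a message is removed from the queue only once its event has reached the file or syslog, so a full disk or a malformed body leaves the event in SQS for the next poll rather than dropping it before Splunk ever sees it.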