How to export logs to Splunk

Smallstep provides webhooks that can be used to export logs. This guide outlines how to export them to your Splunk environment.

  1. Create an index for the logs in Splunk
    1. Settings -> Data -> Indexes
    2. Click New Index and follow the walkthrough
  2. Create a new Splunk HEC input
    1. Settings -> Data -> Data Inputs
    2. Click "+ Add New" next to HTTP Event Collector
    3. Enter a name
    4. Select appropriate source type, or leave as automatic
    5. Select the index you created in step 1 as both allowable and default
    6. Copy the integration token
    7. If you are using Splunk on-prem, ask your Splunk admin for the HEC URL and port
  3. Configure the Smallstep webhook
    1. Go to Settings -> Webhooks
    2. Create webhook
    3. Add a name, select log type, select POST
    4. For URL: it is VERY important that you send to the /raw endpoint (/services/collector/raw). Sending to the plain collector endpoint (/services/collector) will result in failures, because that endpoint expects Splunk's HEC event envelope and the Smallstep webhook JSON is not formatted that way; the /raw endpoint accepts the body as-is.
      1. On prem - use what your Splunk admin gives you
      2. Splunk Cloud - https://http-inputs-<host>.splunkcloud.com:443/services/collector/raw
    5. Auth type: Bearer
    6. Authorization: "Splunk <your-hec-token>" (for example, if your token is abcdef-1234-ghijkl, your auth string would be "Splunk abcdef-1234-ghijkl" without quotes)
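The two settings this guide stresses (the /raw path and the exact "Splunk <token>" bearer value) are easy to get subtly wrong, so here is a small pre-flight check, added as an example and not Smallstep's or Splunk's own code. It validates the URL and Authorization values you are about to paste into the webhook form and builds the same POST the webhook will send, so you can test the HEC input with a constructed payload first; the sample payload and hostname are placeholders, not the real Smallstep log schema.

```python
"""Pre-flight check for a Smallstep -> Splunk HEC webhook configuration (added example)."""
import json
import urllib.request
from urllib.parse import urlparse

RAW_PATH = "/services/collector/raw"  # the endpoint the guide says you MUST use
PREFIX = "Splunk "                   # HEC bearer values are "Splunk <hec-token>"


def check_webhook_config(url: str, auth: str) -> list[str]:
    """Return the problems found with the webhook URL and Authorization value (empty = OK)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("URL does not use https; the HEC token would be sent in clear text")
    if parsed.path.rstrip("/") != RAW_PATH:
        # /services/collector expects the HEC event envelope; the webhook JSON is not wrapped
        problems.append(f"URL path must be {RAW_PATH}, got {parsed.path!r}")
    if auth != auth.strip() or auth[:1] in ('"', "'"):
        problems.append("Authorization value must not include quotes or surrounding whitespace")
    if not auth.startswith(PREFIX):
        problems.append(f'Authorization value must start with "{PREFIX}" followed by the HEC token')
    elif not auth[len(PREFIX):].strip():
        problems.append("HEC token is missing after the Splunk prefix")
    elif auth.startswith(PREFIX + PREFIX):
        problems.append("Splunk prefix appears twice; paste only the token after it")
    return problems


def build_request(url: str, auth: str, payload: dict) -> urllib.request.Request:
    """Build the POST the webhook sends: raw JSON body, no HEC event envelope."""
    body = json.dumps(payload).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": auth, "Content-Type": "application/json"},
    )


def send_test_event(url: str, auth: str, payload: dict, timeout: float = 10) -> int:
    """Send one test event to the HEC input and return the HTTP status (200 means accepted)."""
    with urllib.request.urlopen(build_request(url, auth, payload), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder host and token; replace with the values from your Splunk admin / HEC input.
    hec_url = "https://http-inputs-<host>.splunkcloud.com:443/services/collector/raw"
    auth_value = "Splunk <your-hec-token>"
    sample = {"source": "constructed-test", "msg": "smallstep webhook connectivity test"}
    issues = check_webhook_config(hec_url, auth_value)
    print("config problems:", issues or "none")
    if not issues:
        print("HEC responded with HTTP", send_test_event(hec_url, auth_value, sample))
```

Run it once with your real host and token before creating the webhook; a 200 response with the event visible in the index you created in step 1 confirms the HEC input and token are correct.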