Feed events to Splunk
You can feed data to Splunk via the Mosaic Events Add-on. This plugin helps you keep track of activity by polling the Event Streaming API.
Step 1: Configure a management app
In your Mosaic tenant, configure a management app. Give the app a suitable name, for example, MySplunkLogStream.
Note
After saving the management app, open it again and note the Client ID and Client Secret values. You'll need these parameters to configure the Splunk app's inputs in Step 4.
Step 2: Create event streams
Before you can start feeding events to Splunk, you have to enable data collection and create event streams in Mosaic. You can create as many event streams as needed.
- Enable event collection. Specify the type of events you want to collect.
Example
- To collect user management events (logins, etc.), use /activities/start-collect?type=cis
- To collect detection and response events, use /activities/start-collect?type=risk
- To collect identity verification events, use /activities/start-collect?type=verify
- To collect admin events, use /activities/start-collect?type=admin
import fetch from 'node-fetch';
async function run() {
  // Select which activity type to collect: one of cis, admin, risk, verify
  const query = new URLSearchParams({
    type: '<TYPE>',
  }).toString();
  const resp = await fetch(
    `https://api.transmitsecurity.io/activities/v1/activities/start-collect?${query}`,
    {
      method: 'PUT',
      headers: {
        Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
      }
    }
  );
  const data = await resp.text();
  // A non-2xx status means collection was not enabled; surface it instead of silently printing
  if (!resp.ok) throw new Error(`start-collect failed: HTTP ${resp.status} ${data}`);
  console.log(data);
}
run().catch((err) => { console.error(err); process.exitCode = 1; });
- Create an event stream. Provide an ID to identify the stream. The stream ID must be a single continuous string without spaces, and unique for each stream.
import fetch from 'node-fetch';
async function run() {
  const query = new URLSearchParams({
    type: '<TYPE>', // Event type. One of cis, admin, risk, verify
    stream_id: 'string' // Unique stream ID, without spaces
  }).toString();
  const resp = await fetch(
    `https://api.transmitsecurity.io/activities/v1/activities/stream?${query}`,
    {
      method: 'PUT',
      headers: {
        Authorization: 'Bearer <YOUR_TOKEN_HERE>' // Client access token
      }
    }
  );
  const data = await resp.text();
  // A non-2xx status means the stream was not created; surface it instead of silently printing
  if (!resp.ok) throw new Error(`stream creation failed: HTTP ${resp.status} ${data}`);
  console.log(data);
}
run().catch((err) => { console.error(err); process.exitCode = 1; });
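Doing Step 2 for several event types by hand means one start-collect call and one stream call per type. The following Node.js script, added here as an example and not part of Transmit Security's documentation or add-on, plans and sends both calls for every type in one pass, after checking the stream-ID rule above (one continuous token without spaces; the exact character set allowed beyond that is an assumption) and rejecting a stream ID reused across types. It uses Node's global fetch (Node 18 or later) instead of the node-fetch import shown above; the recording fetch at the bottom is a constructed stand-in so the script runs without network access. Pass globalThis.fetch and a real client access token to run it against a tenant.

```javascript
// Added example (not Transmit Security's code): plan and execute the two
// Step 2 calls (start-collect, then stream) for every event type at once.

// The four event types named on the page.
const EVENT_TYPES = ['cis', 'admin', 'risk', 'verify'];
const DEFAULT_BASE = 'https://api.transmitsecurity.io/activities/v1/activities';

// Stream IDs must be one continuous token without whitespace (the page's rule);
// restricting to letters, digits, '.', '_' and '-' is an assumption.
function isValidStreamId(id) {
  return typeof id === 'string' && /^[A-Za-z0-9._-]+$/.test(id);
}

// Build the ordered request list from a {type: streamId} map.
// Validation happens here, before anything is sent.
function planStreamSetup(streamIds, baseUrl = DEFAULT_BASE) {
  const plan = [];
  const seen = new Set();
  for (const [type, streamId] of Object.entries(streamIds)) {
    if (!EVENT_TYPES.includes(type)) throw new Error(`unknown event type: ${type}`);
    if (!isValidStreamId(streamId)) {
      throw new Error(`invalid stream ID for ${type}: ${JSON.stringify(streamId)}`);
    }
    if (seen.has(streamId)) throw new Error(`stream ID reused: ${streamId}`);
    seen.add(streamId);
    plan.push({ step: 'start-collect', type,
      url: `${baseUrl}/start-collect?${new URLSearchParams({ type })}` });
    plan.push({ step: 'stream', type,
      url: `${baseUrl}/stream?${new URLSearchParams({ type, stream_id: streamId })}` });
  }
  return plan;
}

// Send each planned request as a PUT with the bearer token; stop on the first failure.
async function executePlan(plan, token, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const req of plan) {
    const resp = await fetchImpl(req.url, {
      method: 'PUT',
      headers: { Authorization: `Bearer ${token}` },
    });
    const body = await resp.text();
    if (!resp.ok) throw new Error(`${req.step} for ${req.type} failed: HTTP ${resp.status} ${body}`);
    results.push({ ...req, status: resp.status, body });
  }
  return results;
}

// Constructed fake fetch that records every call and answers 200, so the
// block runs offline. Replace with globalThis.fetch for a real tenant.
function makeRecordingFetch(log) {
  return async (url, init) => {
    log.push({ url, method: init.method, auth: init.headers.Authorization });
    return { ok: true, status: 200, text: async () => '{"ok":true}' };
  };
}

// Stand-alone demo with constructed stream IDs and the fake fetch.
async function demo() {
  const log = [];
  const plan = planStreamSetup({ cis: 'splunk-cis', risk: 'splunk-risk' });
  const results = await executePlan(plan, '<YOUR_TOKEN_HERE>', makeRecordingFetch(log));
  for (const r of results) console.log(r.step, r.type, r.status, r.url);
}
demo().catch((err) => { console.error(err); process.exitCode = 1; });
```

The plan is built and validated in full before the first request goes out, so a typo in one stream ID does not leave a type with collection enabled but no stream attached. Only URLs and HTTP statuses are printed; the token never reaches the console.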
Step 3: Install the plugin
You have the following options:
- Install the plugin directly from the Splunk portal. This option supports both Splunk Enterprise and Splunk Cloud environments.
- Download the plugin and install it manually. This option only supports Splunk Enterprise environments and doesn't work for Splunk Cloud users.
To install the plugin from the Splunk portal:
- While logged in, go to Apps > Manage Apps, then click Browse more apps.
- Search for Mosaic Events Add-on.
- Click Install on the Mosaic Events Add-on tile.
- Log in with your Splunk username and password.
- Restart Splunk.
To install the plugin manually (only in Splunk Enterprise environments):
- Download Mosaic Audit Log Connector for Splunk.
- On the Splunk portal, go to Apps > Manage Apps.
- Click Install App from File.
- Upload the file you've downloaded from Splunkbase.
After installation, the browser redirects you to the Apps page. This page now shows Mosaic on the app list.
Step 4: Configure the inputs
Now launch the app and configure one input for each stream you created in Step 2:
- Launch the app from the Apps page.
- Click Create New Input.
- Configure the input:
  - Name: Give the input a meaningful name, for example, Transmit_User_Events.
  - Interval: Enter the polling interval in seconds.
  - Index: Use your preferred index; for example, you can choose default or main.
  - OAuth Endpoint: Token exchange endpoint: https://api.transmitsecurity.io/oidc/token (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
  - Endpoint: Use the following endpoint, where {TYPE} and {STREAM_ID} are the parameters configured in Step 2: https://api.transmitsecurity.io/activities/v1/activities/collect?type={TYPE}&stream_id={STREAM_ID} (use api.eu.transmitsecurity.io for the EU and api.ca.transmitsecurity.io for Canada).
  - Client ID and Client Secret: Use the values from the Management App you created in the Mosaic portal in Step 1.
Note
When defining the polling interval, consider the level of activity on the platform. For instance, you may want to use a longer polling interval, like 3600 (1 hour), for low traffic, or a shorter interval, like 300 (5 minutes), for high-traffic situations.
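What the add-on does on every polling interval, assembled from the Step 4 fields, as an added example that is not the add-on's own code: build the region-specific OAuth and collect URLs, exchange the management app's Client ID and Client Secret for a bearer token, then call the collect endpoint for one type and stream. The OAuth 2.0 client_credentials form body and the access_token field in the reply, the GET method and response shape of the collect endpoint, and the "default" label for the non-EU, non-Canada host are assumptions not stated on this page. The fake fetch at the end is constructed so the cycle runs offline; pass globalThis.fetch (Node 18 or later) for a real tenant.

```javascript
// Added example (not the Mosaic Events Add-on's code): one polling cycle of a
// Step 4 input, using the region hosts named on the page.
const HOSTS = {
  default: 'api.transmitsecurity.io',     // the page's primary host; label is an assumption
  eu: 'api.eu.transmitsecurity.io',
  ca: 'api.ca.transmitsecurity.io',
};

// Derive the OAuth Endpoint and Endpoint fields for a region, event type and stream.
function buildEndpoints(region, type, streamId) {
  const host = HOSTS[region];
  if (!host) throw new Error(`unknown region: ${region}`);
  if (!/^[A-Za-z0-9._-]+$/.test(streamId)) {
    throw new Error('stream_id must be one continuous token without spaces');
  }
  const q = new URLSearchParams({ type, stream_id: streamId });
  return {
    oauth: `https://${host}/oidc/token`,
    collect: `https://${host}/activities/v1/activities/collect?${q}`,
  };
}

// Exchange Client ID / Client Secret for an access token. Plain OAuth 2.0
// client_credentials body; that the endpoint accepts exactly this is an assumption.
async function requestToken(oauthUrl, clientId, clientSecret, fetchImpl = globalThis.fetch) {
  const body = new URLSearchParams({
    grant_type: 'client_credentials', client_id: clientId, client_secret: clientSecret,
  });
  const resp = await fetchImpl(oauthUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  if (!resp.ok) throw new Error(`token request failed: HTTP ${resp.status}`);
  const json = await resp.json();
  if (typeof json.access_token !== 'string') throw new Error('token response had no access_token');
  return json.access_token;
}

// One poll of the collect endpoint with the bearer token; returns the raw body.
// GET and a text body are assumptions about the collect endpoint.
async function pollOnce(collectUrl, token, fetchImpl = globalThis.fetch) {
  const resp = await fetchImpl(collectUrl, {
    method: 'GET', headers: { Authorization: `Bearer ${token}` },
  });
  if (resp.status === 401) throw new Error('token rejected: re-run the token exchange');
  if (!resp.ok) throw new Error(`collect failed: HTTP ${resp.status}`);
  return resp.text();
}

// A full cycle: token exchange, then one collect. Secrets and tokens are never logged.
async function pollCycle(cfg, fetchImpl = globalThis.fetch) {
  const ep = buildEndpoints(cfg.region, cfg.type, cfg.streamId);
  const token = await requestToken(ep.oauth, cfg.clientId, cfg.clientSecret, fetchImpl);
  const events = await pollOnce(ep.collect, token, fetchImpl);
  return { collectUrl: ep.collect, events };
}

// Constructed fake fetch standing in for both endpoints so the block runs offline.
function makeFakeMosaic(log, events = '{"events":[]}') {
  return async (url, init) => {
    log.push({ url, method: init.method, auth: init.headers.Authorization });
    if (url.endsWith('/oidc/token')) {
      return { ok: true, status: 200, json: async () => ({ access_token: 'fake-token' }) };
    }
    return { ok: true, status: 200, text: async () => events };
  };
}

// Stand-alone demo with constructed credentials and the fake fetch.
const demoLog = [];
pollCycle(
  { region: 'eu', type: 'cis', streamId: 'splunk-cis', clientId: '<CLIENT_ID>', clientSecret: '<CLIENT_SECRET>' },
  makeFakeMosaic(demoLog, '{"events":[{"id":"constructed-1"}]}'),
).then((r) => console.log(r.collectUrl, r.events))
 .catch((err) => { console.error(err); process.exitCode = 1; });
```

The cycle requests a fresh token each time rather than caching one across the interval, which keeps the code simple at the intervals the note above suggests (300 to 3600 seconds) and makes a 401 on the collect call an unambiguous sign of a configuration problem rather than an expired token. Only URLs and HTTP statuses ever reach the console; the Client Secret and the bearer token do not.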
Step 5: Check the operation
Check how the connector works using the Search app. Include sourcetype=transmit in the search bar. If the search isn't working, restart Splunk.