Integrate with Splunk

Integrate StackRox with Splunk.

If you are using Splunk, you can forward alerts from the StackRox Kubernetes Security Platform to Splunk and view vulnerability and compliance related data from within Splunk. This topic explains how to integrate the StackRox Kubernetes Security Platform with Splunk.

Depending on your use case, you can integrate the StackRox Kubernetes Security Platform with Splunk by using the following ways:

  1. By using an HTTP event collector in Splunk
    • Use the event collector option to forward alerts and audit log data.
  2. By using the StackRox Kubernetes Security Platform add-on
    • Use the add-on to pull vulnerability detection and compliance data into Splunk.

You can use one or both of these integration options to integrate the StackRox Kubernetes Security Platform with Splunk.

The StackRox Kubernetes Security Platform add-on is only available if you are using the StackRox Kubernetes Security Platform version 3.0.51.0 or newer.

HTTP event collector

StackRox events in Splunk

To forward alerts from the StackRox Kubernetes Security Platform to Splunk:

  1. Add a new HTTP event collector in Splunk and get the token value. See Configure Splunk.
  2. Use the token value to set up notifications in the StackRox Kubernetes Security Platform. See Configure the StackRox Kubernetes Security Platform.
  3. Identify policies for which you want to send notifications, and update the notification settings for those policies. See Configure policy notifications.

Configure Splunk

Add a new HTTP event collector for your Splunk instance, and get the token.

To add a new HTTP event collector in your Splunk instance:

  1. Navigate to Settings > Add Data.
    Add HTTP event collector in Splunk
  2. Select Monitor.
  3. On the Add Data page, select HTTP Event Collector.
  4. Enter a Name for the event collector and then select Next >.
  5. Accept the default Input Settings and select Review >.
  6. Review the event collector properties and select Submit >.
  7. Note down the Token Value for the event collector.

Enable HTTP event collector

You must enable HTTP Event Collector tokens before you can receive events. To enable these tokens in your Splunk instance:

  1. Navigate to Settings > Data inputs.
  2. Select HTTP Event Collector.
  3. Select Global Settings.
  4. In the dialog that opens, select Enabled and then select Save.

Configure the StackRox Kubernetes Security Platform

Create a new integration in the StackRox Kubernetes Security Platform by using the token value.

  1. Go to Platform Configuration > Integrations.

  2. Scroll the view and select Splunk.

  3. Select the New Integration icon.

  4. Enter a name for Integration Name.

  5. Enter your Splunk URL in the HTTP Event Collector URL box. You must include the URL path /services/collector/event, and the port number if the port isn’t 443 (for HTTPS) or 80 (for HTTP). For example, https://<splunk-server-path>:8088/services/collector/event.

    For the StackRox Kubernetes Security Platform version 3.0.39 and newer, instead of entering the full URL, you can specify the HTTP Event Collector URL as:

    • https://<splunk-server-path>:<port-number>,
    • <splunk-server-path>:<port-number>, or
    • http://<splunk-server-path>:<port-number>.

    You can also skip the port number if you are using the port number 443 (for HTTPS) or 80 (for HTTP).

  6. Enter your token in the HTTP Event Collector Token box.

    If you are using the StackRox Kubernetes Security Platform version 3.0.57 or newer, you can specify custom Source Type for Alert events and Source Type for Audit events.

  7. Select Test (checkmark icon) to confirm that the integration with Splunk is working.

  8. Select Create (save icon) to create the configuration.
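The following added example (illustrative code, not StackRox's or Splunk's own) shows what the Test step exercises: it expands the short HTTP Event Collector URL forms listed in step 5 into the full collector URL and builds the HEC request with the token from step 6. It assumes that a bare <splunk-server-path>:<port-number> defaults to HTTPS and that the sourcetype names are placeholders of your choosing.

```python
"""Build a Splunk HTTP Event Collector (HEC) request from the URL forms the
StackRox Splunk integration accepts. Illustrative code, not StackRox's own."""
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_PATH = "/services/collector/event"


def normalize_hec_url(value: str) -> str:
    """Expand a full URL, 'http(s)://host:port' or 'host:port' into the
    full collector URL. Assumption: a bare host defaults to https, and a
    missing path gets HEC_PATH appended. Port 443/80 may be omitted."""
    if "://" not in value:
        value = "https://" + value  # assumed default scheme
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if not parts.hostname:
        raise ValueError("missing Splunk host")
    path = parts.path.rstrip("/") or HEC_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def build_hec_request(url: str, token: str, event: dict, sourcetype: str = None):
    """Return (full_url, headers, json_body) for one HEC event. HEC expects
    the token in an 'Authorization: Splunk <token>' header and a JSON body
    whose 'event' key carries the payload; 'sourcetype' is optional and maps
    to the custom Source Type fields of the integration."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    return normalize_hec_url(url), headers, json.dumps(payload)


def send_test_event(url: str, token: str, sourcetype: str = None, timeout: int = 10):
    """POST a constructed test event, as the Test button does; returns
    (HTTP status, parsed HEC response). Needs network access to Splunk."""
    event = {"source": "stackrox-connectivity-test", "severity": "INFO"}  # constructed
    full_url, headers, body = build_hec_request(url, token, event, sourcetype)
    req = urllib.request.Request(full_url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())
```

A successful HEC request answers with {"text":"Success","code":0}; a 403 usually means the token is disabled (see Enable HTTP event collector) or wrong.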

Configure policy notifications

  1. Navigate to Platform Configuration > System Policies.
  2. Select the check boxes for one or more policies for which you want to send alerts.
  3. Select Enable Notifications or Actions > Enable Notification (depending on the StackRox Kubernetes Security Platform version you are using).
  4. In the Enable Notifications dialog, select the check box for the Splunk notifier (same as the Integration Name). If you haven’t configured any other integrations, you’ll see the message No notifiers configured!.
    Configure policy notifications
  5. Select Enable.

  • The StackRox Kubernetes Security Platform sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.

  • Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you won’t receive a notification unless a violation generates a new alert. The StackRox Kubernetes Security Platform creates a new alert when:

    • a policy violation occurs for the first time in a deployment, or
    • a runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for that policy in that deployment.

StackRox Kubernetes Security Platform add-on

Vulnerability data in Splunk

To get the vulnerability detection and compliance related data from the StackRox Kubernetes Security Platform to Splunk:

  1. Generate an API token in the StackRox Kubernetes Security Platform for the add-on.
  2. Install and configure the StackRox Kubernetes Security Platform add-on in Splunk.

Generate an API token

  1. Generate an API token with an Analyst role. See the generate an access token instructions for more details.
  2. Note down the generated token; you will need it to configure the StackRox Kubernetes Security Platform add-on.

Install and configure the add-on

You can install the StackRox Kubernetes Security Platform add-on from your Splunk instance:

  1. Download the StackRox Kubernetes Security Platform technology add-on from Splunkbase.
  2. Navigate to the Splunk home page on your Splunk instance.
  3. Navigate to Apps > Manage Apps.
  4. Select Install app from file.
  5. In the Upload app pop-up, select Choose File and select the StackRox Kubernetes Security Platform add-on file.
  6. Select Upload.
  7. Select Restart Splunk, and confirm to restart.

After Splunk restarts, you must configure the StackRox Kubernetes Security Platform add-on inputs:

  1. From the Apps menu, select StackRox.
  2. Select Create New Input.
  3. Either select StackRox Compliance to pull compliance data or StackRox Vulnerability Management to pull vulnerability data into Splunk.
  4. Enter a Name for the input.
  5. Select an Interval to pull data from the StackRox Kubernetes Security Platform. For example, every 14400 seconds.
  6. Select the Splunk Index to which you want to send the data.
  7. For Central Endpoint, enter the IP address or the name of your Central instance.
  8. Enter the API token you’ve generated for the add-on.
  9. Select Add.

© 2021 StackRox Inc. All rights reserved.