You can configure Lacework to forward alerts to Splunk using an HTTP Event Collector.
Lacework forwards events to Splunk using a destination port of either 80 or 443. If Splunk is configured to use another port, for example, 8088, you must set up port forwarding.
Create a Splunk HTTP Event Collector
- Navigate to Settings > Data Inputs.
- In the HTTP Event Collector row, click + Add new.
- On the Select Source page:
  - Provide a name for your token.
  - Optionally, override the default source name and provide a description, for example "lacework_events" and "HEC for Lacework Events".
  - Optionally, specify an Output Group.
- At the top of the page, click Next.
- On the Input Settings page:
  - Specify a Source type or leave it as automatic. Lacework sends the data as JSON, so you can explicitly choose _json under Structured.
  - Choose an App Context as applicable to your Splunk design and use.
  - Choose Indexes as applicable to your Splunk design and use.
- At the top of the page, click Review.
- On the Review page, review your inputs, and click Submit at the top of the page.
You should see the message Token has been created successfully. When you configure the Lacework integration you will need the token, index, source, and the resolvable hostname or IP address of your Splunk instance.
Add a Lacework Integration
After you create your Splunk HTTP event collector, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Select Settings > Integrations.
- Under OUTGOING, select Splunk.
- Click + Add Integration.
- Name the integration.
- Enter your Splunk HEC token.
- Optionally enter a Splunk channel.
- Enter the resolvable hostname or IP address of your Splunk instance.
- Enter the destination port for forwarding events (80 or 443).
- Check the SSL box if appropriate.
- Enter your Splunk index.
- Enter your Splunk source.
- Select an alert severity level; Lacework forwards only events that meet or exceed the chosen threshold.
- Click Save.
To test your integration, click Test Integration. You should see confirmation that the test succeeded, and a single event sent to Splunk with the field-value pair 'host: login.lacework.net'. You should then start to receive Lacework event notifications in Splunk.
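Before saving the integration, you can confirm that the HEC token, index, source, and port you intend to enter are accepted by Splunk. The script below is an added example, not Lacework or Splunk code: it posts one JSON test event (with the same host value the Lacework test sends) to the standard HEC endpoint and checks the reply, and it flags ports other than 80 or 443 because Lacework forwards only to those. The hostname, token, and channel values are placeholders.

```python
"""Send one test event to a Splunk HTTP Event Collector and check that it is accepted."""
import json
import urllib.error
import urllib.request

LACEWORK_PORTS = (80, 443)  # Lacework forwards only to these destination ports


def build_hec_request(host, port, use_ssl, token, index, source, channel=None):
    """Return (url, headers, body) for a single HEC event POST."""
    scheme = "https" if use_ssl else "http"
    url = f"{scheme}://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:  # X-Splunk-Request-Channel is required when the token uses indexer acknowledgement
        headers["X-Splunk-Request-Channel"] = channel
    payload = {
        "host": "login.lacework.net",  # the host field the Lacework test event carries
        "index": index,
        "source": source,
        "sourcetype": "_json",  # Lacework sends JSON, matching the _json source type
        "event": {"message": "HEC connectivity check (constructed test event)"},
    }
    return url, headers, json.dumps(payload).encode()


def check_hec_response(status, body):
    """HEC replies with JSON such as {"text":"Success","code":0}; only HTTP 200 + code 0 is a success."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False, f"HTTP {status}: non-JSON reply {body[:80]!r}"
    ok = status == 200 and reply.get("code") == 0
    return ok, f"HTTP {status}: {reply.get('text', '?')} (code {reply.get('code')})"


def port_warning(port):
    """Return a warning when the port is one Lacework cannot send to directly."""
    if port in LACEWORK_PORTS:
        return None
    return f"port {port} is not 80 or 443: set up port forwarding in front of Splunk HEC"


def send_test_event(host, port, use_ssl, token, index, source, channel=None):
    """POST the test event and return (accepted, detail)."""
    url, headers, body = build_hec_request(host, port, use_ssl, token, index, source, channel)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # HEC returns its error JSON with a 4xx status
        return check_hec_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholder values: replace with your Splunk host, HEC token, index and source.
    print(port_warning(8088))
    print(send_test_event("splunk.example.com", 443, True, "HEC-TOKEN", "main", "lacework_events"))
```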