Configure Splunk
    • 15 Jul 2024

    With Splunk, you can search and explore the telemetry that Red Canary's Linux EDR has gathered. There are two ways to get that telemetry into Splunk.

    Option 1: Red Canary > AWS S3 > Splunk

    Canary Exporter writes standardized telemetry to an S3 bucket in your AWS account, and Splunk collects it from the bucket. Because the handoff happens in S3, this option works with both Splunk Cloud and Splunk On-prem.

    Install a Splunk Cloud or On-prem instance.

    Configure a Generic S3 input in the Splunk Add-on for AWS to collect the data from the bucket into Splunk.

    IAM policy for the exporter's write access to the bucket

    The policy below grants only what is needed to upload objects (including multipart uploads) under one prefix; it grants no read, list or delete access on the bucket. Replace YOUR_BUCKET_NAME and DESIRED_PREFIX before attaching it. The identity that Splunk's Generic S3 input polls the bucket with needs its own, separate read grant (for example s3:ListBucket and s3:GetObject scoped to the same prefix), which this policy does not provide.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts"
                ],
                "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*"
            }
        ]
    }

    Learn more about configuring Generic S3 inputs for the Splunk Add-on for AWS.

    If you would like to use this option, please contact Red Canary.
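    The following is an added example, not Red Canary's or Splunk's code. It embeds the write policy from this page and checks it against what Option 1 actually requires: no wildcard actions, no actions outside the write set, every resource scoped to the one prefix, and no placeholder left unreplaced. It also builds the matching read-side policy for the identity the Splunk Generic S3 input uses. That read policy, its action set (s3:ListBucket plus s3:GetObject) and the s3:prefix condition are assumptions about what the Splunk Add-on for AWS needs, not something this page states; the bucket and prefix names used in the usage section are constructed.

```python
"""Least-privilege check for the S3 policies in the Red Canary > S3 > Splunk path.

Added example; not Red Canary's or Splunk's code. The read-side policy and its
action set are assumptions about the Splunk Add-on for AWS, not from the page.
"""
import json

# Placeholders exactly as they appear in the page's policy.
PLACEHOLDERS = ("YOUR_BUCKET_NAME", "DESIRED_PREFIX")

# Write-side policy from the page: attached to the identity Canary Exporter
# uploads with. It grants uploads under one prefix and nothing else.
EXPORTER_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:AbortMultipartUpload",
                   "s3:ListMultipartUploadParts"],
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/DESIRED_PREFIX/*",
    }],
}

# Constructed negative example: the over-broad grant that often replaces the
# one above when someone "just makes it work". Not from the page.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooMuch",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
    }],
}

WRITE_ACTIONS = frozenset(EXPORTER_WRITE_POLICY["Statement"][0]["Action"])
# Assumed read set for the Splunk Generic S3 input identity: list keys, fetch objects.
READ_ACTIONS = frozenset({"s3:ListBucket", "s3:GetObject"})


def splunk_read_policy(bucket: str, prefix: str) -> dict:
    """Assumed read-only policy for the identity Splunk polls the bucket with.

    s3:ListBucket is a bucket-level action, so it is restricted to the prefix
    with the s3:prefix condition key; otherwise Splunk could enumerate every key.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListPrefixOnly", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
            {"Sid": "ReadPrefixObjects", "Effect": "Allow",
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
        ],
    }


def _as_list(value) -> list:
    # IAM allows a single string or a list in Action, Resource and conditions.
    return [value] if isinstance(value, str) else list(value or [])


def placeholders_left(policy: dict) -> list:
    """Placeholder tokens still present anywhere in the policy document."""
    text = json.dumps(policy)
    return [p for p in PLACEHOLDERS if p in text]


def check_policy(policy: dict, bucket: str, prefix: str, allowed: frozenset) -> list:
    """Return findings where the policy is broader than this integration needs."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix_arn = f"{bucket_arn}/{prefix}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow the grant
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in allowed:
                findings.append(f"{sid}: action {action} is not needed")
        for res in _as_list(stmt.get("Resource")):
            if res == prefix_arn:
                continue  # object-level grant already scoped to the prefix
            if res == bucket_arn:
                cond = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
                if _as_list(cond) != [f"{prefix}/*"]:
                    findings.append(f"{sid}: bucket-level grant lacks an s3:prefix condition for {prefix}/")
                continue
            findings.append(f"{sid}: resource {res} is not scoped to {prefix_arn}")
    return findings


if __name__ == "__main__":
    # Constructed bucket and prefix names for a stand-alone run.
    bucket, prefix = "edr-telemetry", "redcanary"
    print("placeholders left in page policy:", placeholders_left(EXPORTER_WRITE_POLICY))
    print("write policy:", check_policy(EXPORTER_WRITE_POLICY, *PLACEHOLDERS, WRITE_ACTIONS))
    print("over-broad:", check_policy(OVERBROAD_POLICY, *PLACEHOLDERS, WRITE_ACTIONS))
    print("read policy:", check_policy(splunk_read_policy(bucket, prefix), bucket, prefix, READ_ACTIONS))
```

    Run the write policy through the check with the placeholders substituted and it returns no findings, while the over-broad variant is flagged twice (wildcard action, resource not scoped to the prefix). Checking the exporter's write policy against the read action set reports every write action as unneeded, which is the point: the writer and reader are two different identities with two disjoint grants.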

    Option 2: Local Collection > Splunk

    Run Canary Exporter on the endpoint itself so that it collects the telemetry and spools it to local disk. Then configure a Splunk Universal Forwarder on that endpoint to monitor the spool location and send the data to your Splunk Cloud or On-prem instance. No S3 bucket or AWS credentials are involved in this option.
