# Audit Log with Splunk
This guide explains how to use Splunk with Psono's audit logging. We assume that you have followed the general
audit log guide to configure audit logging and now see events in your
This feature is only available in the Enterprise Edition.
# Shipping Logs
There are many ways to ship logs, and the right one depends on your infrastructure. This guide covers only the
two most common for Psono: the Splunk Universal Forwarder, and Psono's native integration, which sends events to
Splunk's HTTP Event Collector (HEC).
# Splunk Universal Forwarder
The most prominent option is to install a Splunk Universal Forwarder that watches the audit.log file.
General installation instructions: docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Installanixuniversalforwarder
Afterwards, install the Splunk Add-On for Psono. It contains the monitors for audit.log and the health checks.
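For reference, this is the shape of a Universal Forwarder monitor stanza (inputs.conf) of the kind the add-on sets up for you. It is an added illustration, not the add-on's own file: the log path is an assumption and must match where your Psono server actually writes audit.log. The important part is the sourcetype, which is what the dashboards later key on.

```ini
# Added example of a Universal Forwarder inputs.conf monitor stanza.
# Not the add-on's own configuration; the path below is an assumption.
[monitor:///var/log/psono/audit.log]
sourcetype = psono:auditLog
index = main
```

After restarting the forwarder, confirm in Splunk that events arrive with sourcetype psono:auditLog in the chosen index; if they show up under a different sourcetype the add-on dashboards will stay empty.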
# Splunk HTTP Event Collector
Be aware that Psono's native Splunk integration is less robust than a Splunk Universal Forwarder and will lose
events if, for example, the connection to Splunk fails while the server is running.
## Configure Splunk HTTP Event Collector
Psono's native implementation relies on the Splunk HTTP Event Collector (HEC). Detailed configuration information: dev.splunk.com/enterprise/docs/devtools/httpeventcollector/
Take note of the host, the port and the token; you will need them for the Psono server configuration.
## Configure Psono server
The following variables need to be, or can be, adjusted in the Psono server configuration:

- `SPLUNK_HOST`: the host, e.g. an IP address or a domain name
- `SPLUNK_PORT`: the port you configured for the HTTP Event Collector, e.g. 8088
- `SPLUNK_TOKEN`: the token of your HTTP Event Collector
- `SPLUNK_INDEX`: the Splunk index the events should end up in. Default: `main`
- `SPLUNK_PROTOCOL`: `http` or `https`. Default: `https`
- `SPLUNK_VERIFY`: `True` or `False`, whether to verify the collector's TLS certificate. Default: `True`. Setting it to `False` lets anyone who can intercept the connection read the token and the audit events, so only do that in a lab
- `SPLUNK_SOURCETYPE`: the source type. Default: `psono:auditLog`, which is the one the provided Splunk add-ons expect

Don't forget to restart the server afterwards.
More information on the underlying library: github.com/zach-taylor/splunk_handler
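To make the settings above concrete, here is an added minimal HEC client that maps each SPLUNK_* variable onto the request the server ends up sending. It is example code written for this page, not Psono's or splunk_handler's own implementation; the hostname, token and the sample event are constructed placeholders, and real Psono audit events have their own field layout. What it shows is the standard HEC contract: a POST to /services/collector, an `Authorization: Splunk <token>` header, and a JSON envelope carrying the index and sourcetype the dashboards depend on. It also shows exactly what `SPLUNK_VERIFY = False` does to the TLS context.

```python
"""Minimal Splunk HEC client mirroring Psono's SPLUNK_* settings (added example)."""
import json
import ssl
import urllib.request

# Constructed settings mirroring the Psono variables; host and token are placeholders.
SETTINGS = {
    "SPLUNK_HOST": "splunk.example.com",
    "SPLUNK_PORT": 8088,
    "SPLUNK_TOKEN": "00000000-0000-0000-0000-000000000000",
    "SPLUNK_INDEX": "main",
    "SPLUNK_PROTOCOL": "https",
    "SPLUNK_VERIFY": True,
    "SPLUNK_SOURCETYPE": "psono:auditLog",
}

# Constructed sample event; the real audit log schema is defined by Psono, not here.
SAMPLE_EVENT = {"event": "LOGIN_SUCCESS", "user": "alice@example.com", "ip": "203.0.113.7"}


def hec_url(settings):
    """Build the collector endpoint from SPLUNK_PROTOCOL, SPLUNK_HOST and SPLUNK_PORT."""
    return "{}://{}:{}/services/collector".format(
        settings["SPLUNK_PROTOCOL"], settings["SPLUNK_HOST"], settings["SPLUNK_PORT"]
    )


def hec_headers(settings):
    """HEC authenticates with the token in the Authorization header."""
    return {
        "Authorization": "Splunk " + settings["SPLUNK_TOKEN"],
        "Content-Type": "application/json",
    }


def hec_payload(settings, event, time=None):
    """Wrap an event in the HEC envelope so it lands in SPLUNK_INDEX with SPLUNK_SOURCETYPE."""
    payload = {
        "event": event,
        "index": settings["SPLUNK_INDEX"],
        "sourcetype": settings["SPLUNK_SOURCETYPE"],
    }
    if time is not None:
        payload["time"] = time  # epoch seconds; HEC uses receipt time when absent
    return payload


def ssl_context(settings):
    """SPLUNK_VERIFY=False turns off certificate and hostname checks (MITM risk)."""
    ctx = ssl.create_default_context()
    if not settings["SPLUNK_VERIFY"]:
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_certificates(settings):
    """True only if the context built from the settings still validates the server cert."""
    ctx = ssl_context(settings)
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


def send_event(settings, event, timeout=5):
    """POST one event to HEC. Any network or HTTP error raises; a caller that does not
    retry or buffer loses the event, which is the failure mode noted above."""
    body = json.dumps(hec_payload(settings, event)).encode()
    req = urllib.request.Request(
        hec_url(settings), data=body, headers=hec_headers(settings), method="POST"
    )
    ctx = ssl_context(settings) if settings["SPLUNK_PROTOCOL"] == "https" else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration: show what would be sent without contacting a server.
    print(hec_url(SETTINGS))
    print(json.dumps(hec_headers(SETTINGS)))
    print(json.dumps(hec_payload(SETTINGS, SAMPLE_EVENT)))
```

Running the script prints the URL, headers and JSON body that the configured settings produce; `send_event` is the part that actually contacts the collector and is left for a real endpoint. A quick sanity check of your own settings is to confirm that the sourcetype in the printed payload is `psono:auditLog` and that `verifies_certificates` returns True for anything outside a lab.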
# Visualising Logs
We provide an app that contains dashboards to help you understand and audit all recorded events.
For the dashboards to work, the logs need to have the source type psono:auditLog (the default for
SPLUNK_SOURCETYPE).