Example: How to use Splunk to audit S3
This page describes an example for using Splunk to audit S3.
Setting up an HTTP Event Collector (HEC)
Step 1: Configure the HEC
Follow the steps in Enable HTTP Event Collector on Splunk. Since the S3 event stream is delivered in JSON format, choose _json as the source type.
Step 2: Create a token
Follow the steps in Create an Event Collector token on Splunk to create a token that WEKA will use to access Splunk as an HTTP webhook. You can create a new index or use an existing one; a dedicated index makes the audit events easier to discover, monitor, and query.
Copy the created token for later use.
Step 3: Test the configuration
To validate the configuration, send a test event as suggested in the JSON request and response section.
Once it is sent, search the index you created in Splunk and confirm that the event appears.
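The following is an added example (not part of the WEKA or Splunk documentation) showing how the test event from step 3 can be wrapped in the HEC envelope and posted with the token from step 2; the HEC host, token, index name and the fields of the sample audit record are placeholders constructed for illustration, not WEKA's actual S3 audit schema.

```python
"""Post a test event to a Splunk HTTP Event Collector (HEC) endpoint."""
import json
import urllib.request

HEC_PATH = "/services/collector/event"  # standard HEC event endpoint


def build_hec_payload(event, index, sourcetype="_json"):
    """Wrap an audit record in the envelope HEC expects.

    HEC takes the record itself under "event"; index and sourcetype are set
    per request so the event lands in the index chosen in step 2.
    """
    return {"event": event, "index": index, "sourcetype": sourcetype}


def check_hec_response(body):
    """Return True when HEC accepted the event (code 0); raise otherwise."""
    resp = json.loads(body)
    if resp.get("code") != 0:
        raise RuntimeError(
            f"HEC rejected event: {resp.get('text')} (code {resp.get('code')})")
    return True


def send_test_event(hec_url, token, event, index, opener=urllib.request.urlopen):
    """POST one event to HEC; the token travels in the Authorization header.

    `opener` is injectable so the function can be exercised without a live Splunk.
    """
    payload = json.dumps(build_hec_payload(event, index)).encode()
    req = urllib.request.Request(
        hec_url.rstrip("/") + HEC_PATH, data=payload, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    with opener(req, timeout=10) as resp:
        return check_hec_response(resp.read())


# Constructed sample record; field names are illustrative, not WEKA's schema.
SAMPLE_EVENT = {"operation": "PutObject", "bucket": "audit-demo",
                "key": "report.csv", "user": "s3-user", "status": 200}

if __name__ == "__main__":
    # Dry run: show the envelope that would be sent. For a live test, call
    # send_test_event("https://<splunk-host>:8088", "<HEC-TOKEN>",
    #                 SAMPLE_EVENT, "<index-name>") with your own values.
    print(json.dumps(build_hec_payload(SAMPLE_EVENT, "<index-name>"), indent=2))
```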
Step 4: Configure the audit webhook in WEKA
As a cluster admin, run the following CLI command to enable the audit webhook: