
How To Push Log Intelligence Webhooks to Splunk

This post was co-authored by Sr. Technical Marketing Manager, Chris McClanahan.

Log Intelligence is VMware’s new log analytics SaaS solution that provides real-time visibility into infrastructure and application logs across private clouds and AWS, including VMware Cloud on AWS.

I have been asked a few times how to forward events from Log Intelligence to other SIEM or log solutions like Splunk. In this blog we will use the webhook feature of Log Intelligence to send specific notifications to Splunk.

Below are the steps to setup Splunk to receive webhook notifications from Log Intelligence.

Requirements:

  • A Splunk environment that is reachable from the internet on the port you select in the webhook-input configuration. In most cases this means a Splunk search head in your DMZ with that port exposed directly or through a NAT rule.
  • A Log Intelligence instance.

High-Level Diagram:


Steps:

1. In your Splunk environment you will want to add the webhook-input app. Download this application here.

2. Install the app in Splunk, following the provided instructions:

Install Splunk Enterprise Steps

 

3. Once the app is installed, configure a new data input:

– In Splunk go to Settings / Data Inputs
– Add a new WebHook

 

4. Configure the new webhook

– Name = Enter a friendly name for the webhook

– Port = Enter the port you want the webhook receiver to listen on (in this example I used port 5656).

– Path = Enter /LInt/*

– Under “more settings”, change the host field to Log Intelligence.

Update Host Field

 

5. In Log Intelligence, go to the Webhook Configuration screen:

 

Log Intelligence Dashboard

 

6. Create a new webhook in Log Intelligence:

  • Name the Webhook (example Splunk Alert)
  • Destination URL:

Enter the URL of the Splunk webhook-input. The host part must be an FQDN and cannot be an IP address. Include the port you selected in the webhook-input configuration and the path you entered there. (Example: http://webhook.mysplunk.com:5656/LInt/)

  • Enter the payload:
    {"text":"${name} \n ${resultsUrl} \n ${sourceInfo} \n ${description} \n ${triggeredAt} \n Alert to Splunk"}

 

Webhook Configuration

 

7. Save the webhook and select ‘Send Test’

8. You can now go to your Splunk search head and search for the test alert to ensure that the webhook alert has been received:

 

New Search
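To check the pieces of steps 6 through 8 before going through the UI, the following Python script is an added example (not code from VMware, Splunk or this post). It validates a destination URL against the rules above (FQDN rather than IP, matching port and path), renders the payload template from step 6 with a constructed sample alert, and parses the resulting body back into named fields the way a receiver would. The field names come from the post; the sample alert values, the `_json_escape` step and the `post_payload` helper are assumptions for illustration.

```python
"""Pre-flight checks for the Log Intelligence -> Splunk webhook-input setup.
Added example, not code from the original post or from either vendor.
"""
import ipaddress
import json
import urllib.request
from string import Template
from urllib.parse import urlparse

# Payload template exactly as entered in the Log Intelligence webhook
# (step 6). In the Python literal "\\n" is the two characters backslash-n,
# i.e. the JSON escape for a newline, as in the post.
PAYLOAD_TEMPLATE = (
    '{"text":"${name} \\n ${resultsUrl} \\n ${sourceInfo} \\n '
    '${description} \\n ${triggeredAt} \\n Alert to Splunk"}'
)

# Order of the variables in the template, used when parsing the text back.
FIELD_ORDER = ["name", "resultsUrl", "sourceInfo", "description", "triggeredAt"]

# Constructed sample alert for testing; not real data from any tenant.
SAMPLE_ALERT = {
    "name": "Failed SSH logins",
    "resultsUrl": "https://example.invalid/alerts/123",
    "sourceInfo": "esxi-host-01",
    "description": 'More than 10 "Failed password" events in 5 minutes',
    "triggeredAt": "2019-01-01T12:00:00Z",
}


def check_destination(url: str, expected_port: int, expected_path: str) -> list:
    """Return a list of problems with a Destination URL, empty if it satisfies
    the step 6 rules: FQDN host, webhook-input port, webhook-input path."""
    problems = []
    u = urlparse(url)
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address; Log Intelligence requires a FQDN")
    except ValueError:
        if "." not in host:
            problems.append("host is not fully qualified")
    if u.port != expected_port:
        problems.append(f"port {u.port} does not match webhook-input port {expected_port}")
    if not u.path.startswith(expected_path):
        problems.append(f"path {u.path!r} does not start with {expected_path!r}")
    return problems


def _json_escape(value) -> str:
    """Escape a value for use inside a JSON string literal (quotes, newlines)."""
    return json.dumps(str(value))[1:-1]


def render_payload(alert: dict, template: str = PAYLOAD_TEMPLATE) -> str:
    """Fill the ${...} placeholders with alert fields. Values are JSON-escaped
    first so a quote in an alert description cannot break the body; this is an
    assumption about what the receiver needs, not documented product behaviour."""
    return Template(template).safe_substitute(
        {k: _json_escape(v) for k, v in alert.items()})


def parse_payload(body: str) -> dict:
    """Decode the JSON body and split the 'text' field on the newlines the
    template inserts between variables. Raises if the segment count is off,
    which happens when an alert value itself contained a newline."""
    doc = json.loads(body)
    parts = [p.strip() for p in doc["text"].split("\n")]
    if len(parts) != len(FIELD_ORDER) + 1:
        raise ValueError(f"expected {len(FIELD_ORDER) + 1} segments, got {len(parts)}")
    fields = dict(zip(FIELD_ORDER, parts[:-1]))
    fields["suffix"] = parts[-1]  # the literal "Alert to Splunk" tail
    return fields


def post_payload(url: str, body: str, timeout: float = 10.0) -> int:
    """POST a rendered body to the webhook-input, emulating 'Send Test'.
    Returns the HTTP status code."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    url = "http://webhook.mysplunk.com:5656/LInt/"  # example URL from the post
    print("destination problems:", check_destination(url, 5656, "/LInt/"))
    body = render_payload(SAMPLE_ALERT)
    print("rendered body:", body)
    print("parsed fields:", parse_payload(body))
```

Running the script prints the rendered body; posting it with `post_payload` against your own webhook-input gives the same search result as the 'Send Test' button in step 7, so you can confirm the Splunk side before the Log Intelligence side is configured. If `parse_payload` raises, an alert value contained a newline and the single `text` field will not split cleanly in Splunk either; putting each variable in its own JSON key instead of one newline-joined string avoids that.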

 

Request access to the Log Intelligence Hands-on Lab to try it for yourself, or request access to Log Intelligence today.