Amazon EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. EventBridge will automatically deliver the events in near real-time. You can use Amazon EventBridge to route events from sources like homegrown applications, AWS, and third-party software to consumer applications across your organization. Amazon EventBridge offers a simple and consistent way to ingest, filter, transform, and deliver events and findings from AWS security services such as Amazon GuardDuty, Amazon Security Hub, AWS CloudTrail, AWS Config, and more.
By leveraging Amazon EventBridge, Splunk users can receive security events and operational logs with minimal latency, ensuring timely insights and proactive monitoring.
This blog explains how you can set up Amazon EventBridge to ingest events and findings from AWS in near real-time to Splunk over HEC (HTTP Event Collector).
Amazon EventBridge setup for Splunk requires you to set up an API destination target. Amazon EventBridge API destinations are HTTP endpoints that you can invoke as the target of an event bus rule, or pipe, similar to how you invoke an AWS service or resource as a target. Using API destinations, you can route events between AWS services, integrated software as a service (SaaS) applications, and public or private applications by using API calls. When you specify an API destination as a rule or pipe target, EventBridge invokes the HTTP endpoint for any event that matches the event pattern specified in the rule or pipe and then delivers the event information with the request. With EventBridge, you can use any HTTP method except CONNECT and TRACE for the request. The most common HTTP methods to use are PUT and POST.
To set up Splunk as the API destination:
Enter the API destination endpoint as the URL of your Splunk HEC raw collector (Example: https://<Your Splunk Endpoint URL>/services/collector/raw). If your HEC input listens on port 8088, include the port in the URL (Example: https://<Your Splunk Endpoint URL>:8088/services/collector/raw).
Select POST as the HTTP method and, for Connection type, choose Create a new connection.
Edit API destination:
Provide a name for the API connection
Set the Destination Type to "Partners"
Select Splunk as the destination from the Partner Destinations list.
Choose the Authorization Type as "API Key".
Configure API Key Value Pairs: Splunk HEC authenticates with an Authorization header whose value is the word Splunk, a space, and the HEC token, so enter Authorization as the API key name and the token, in the format below, as the value.
Example format:
Splunk 123456az-2abc-1c22-3dfs-12a45b12078e
Configure Invocation HTTP Parameters: add a query string parameter named sourcetype so that the raw HEC endpoint assigns a sourcetype to every event it receives; this is the value you will search on in Splunk later.
Example for GuardDuty Findings:
sourcetype = aws:cloudwatchlogs:guardduty
(Optional) Configure Indexer Acknowledgement (if enabled for HEC input): a HEC input with indexer acknowledgement enabled rejects requests that lack an X-Splunk-Request-Channel header, so add that header as an invocation HTTP parameter with a GUID as its value.
Click "Create" to finalize the endpoint and connection for Splunk.
Now that you have created the API destination and connection for Splunk, you can create EventBridge rules in the AWS console to send events from AWS services.
On the next screen for EventBridge targets, check EventBridge API destination for Target types and select the target we created for Splunk earlier. With these steps you should be able to create the rule to ingest events into Splunk.
You can now verify delivery in the Splunk console by searching for the events sent from EventBridge (Example: index=<your_index> sourcetype="aws:cloudwatchlogs:guardduty"). Depending on the type of events you selected, you may need to wait a few minutes until the AWS service generates them. For cost information on using Splunk as an API destination, refer to the EventBridge pricing page for API destinations and invocations.
When setting up the integration, it's important to monitor AWS logs and metrics for effective troubleshooting. Examining metrics for EventBridge such as event ingestion rates and error counts can help you identify performance bottlenecks or configuration problems early. By regularly reviewing these logs and metrics, you can make sure that your data is flowing smoothly to Splunk and address any issues promptly.
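To check the HEC input with the same request shape the connection above produces (Authorization header, sourcetype query parameter, optional acknowledgement channel) and to read HEC's reply codes while troubleshooting, here is an added Python example; it is not code from the original post or from Splunk or AWS, and the hostname and token in it are constructed placeholders.

```python
"""Reproduce the HTTP request an EventBridge API destination sends to Splunk
HEC with this walkthrough's settings, so the HEC input can be tested before
a rule is wired up.  Added example; host and token are placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholders: substitute your own HEC host and token.
HEC_ENDPOINT = "https://splunk.example.com:8088/services/collector/raw"
HEC_TOKEN = "123456az-2abc-1c22-3dfs-12a45b12078e"

def build_hec_request(endpoint, token, sourcetype, index=None, channel=None):
    """Return (url, headers) as the connection settings produce them: API key
    'Authorization' = 'Splunk <token>', sourcetype/index as query parameters,
    X-Splunk-Request-Channel only when indexer acknowledgement is enabled."""
    params = {"sourcetype": sourcetype}
    if index:
        params["index"] = index
    url = endpoint + "?" + urllib.parse.urlencode(params)
    headers = {"Authorization": "Splunk " + token}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel  # any GUID, fixed per sender
    return url, headers

def classify_hec_response(status, body):
    """Map HEC's JSON reply {"text": ..., "code": N} to a troubleshooting hint."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return "non-HEC reply (status %d): wrong path or a proxy in front of HEC" % status
    hints = {
        0: "ok: event accepted, search it with sourcetype=<value>",
        2: "no token sent: the API key name must be exactly 'Authorization'",
        3: "bad Authorization value: it must be 'Splunk <token>'",
        4: "token rejected: wrong token or the HEC input is disabled",
        7: "index rejected: the token may not write to that index",
        10: "indexer acknowledgement is on but X-Splunk-Request-Channel is missing",
    }
    return hints.get(code, "HEC code %s (status %d): see the HEC documentation" % (code, status))

def send_test_event(url, headers, event):
    """POST one raw event the way EventBridge does and classify the reply."""
    req = urllib.request.Request(url, data=json.dumps(event).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # HEC answers codes 1-12 with 4xx
        return classify_hec_response(err.code, err.read().decode())
```

Run `send_test_event(*build_hec_request(HEC_ENDPOINT, HEC_TOKEN, "aws:cloudwatchlogs:guardduty"), {"source": "manual-test"})` against your own HEC; an "ok" hint means the same settings will work once EventBridge starts invoking the destination.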
Conclusion
This blog explains how to configure EventBridge for sending AWS events into Splunk.
EventBridge provides at-least-once event delivery to targets, including automatic retries with exponential backoff for up to 24 hours. Events are stored durably across multiple Availability Zones (AZs), providing additional assurance that your events will be delivered to their destination. These availability and durability features make EventBridge an efficient way for AWS customers to deliver critical events to Splunk for security and operational use cases.
By combining Amazon EventBridge's event delivery mechanism with Splunk's data analytics, organizations can build a resilient and scalable monitoring solution that meets both security and operational requirements.