Amazon EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. EventBridge will automatically deliver the events in near real-time. You can use Amazon EventBridge to route events from sources like homegrown applications, AWS, and third-party software to consumer applications across your organization. Amazon EventBridge offers a simple and consistent way to ingest, filter, transform, and deliver events and findings from AWS security services such as Amazon GuardDuty, Amazon Security Hub, AWS CloudTrail, AWS Config, and more.
By leveraging Amazon EventBridge, Splunk users can receive security events and operational logs with minimal latency, ensuring timely insights and proactive monitoring.
This blog explains how you can set up Amazon EventBridge to ingest events and findings from AWS in near real-time to Splunk over HEC (HTTP Event Collector).
Figure 1: Architecture for ingesting events into Splunk
Step 1: Setup Splunk as API Destination
Amazon EventBridge setup for Splunk requires you to set up an API destination target. Amazon EventBridge API destinations are HTTP endpoints that you can invoke as the target of an event bus rule, or pipe, similar to how you invoke an AWS service or resource as a target. Using API destinations, you can route events between AWS services, integrated software as a service (SaaS) applications, and public or private applications by using API calls. When you specify an API destination as a rule or pipe target, EventBridge invokes the HTTP endpoint for any event that matches the event pattern specified in the rule or pipe and then delivers the event information with the request. With EventBridge, you can use any HTTP method except CONNECT and TRACE for the request. The most common HTTP methods to use are PUT and POST.
To set up Splunk as the API destination:
- go to Amazon Eventbridge in the AWS console and select API Destinations under Integrations.
- Now click Create API Destination and enter a name for API destination (Example: SplunkDestination).
- Enter your Splunk Endpoint URL under API destination endpoint formatted for raw endpoint.
(Example: https://<Your Splunk Endpoint URL>/services/collector/raw). If you use indexer port 8088 for your indexer’s endpoint, then include the port on the URL
(Example: https://<Your Splunk Endpoint URL>:8088/services/collector/raw)
Select HTTP method as POST and for the Connection Type check Create a new connection.
Edit API destination:
Figure 2: EventBridge API Destination
Provide a name for the API connection
- Example: SplunkConnection
Set the Destination Type to "Partners"
- AWS provides a pre-configured destination template for Splunk.
Select Splunk as the destination from the Partner Destinations list.
Choose the Authorization Type as "API Key".
Configure API Key Value Pairs:
- Set Authorization as the API key name.
- Enter the HEC token prefixed with "Splunk".
Example format:
Splunk 123456az-2abc-1c22-3dfs-12a45b12078e
- (without quotes, replacing with your actual HEC token)
Configure Invocation HTTP Parameters:
- Select Query string as the parameter type.
- Set Key to sourcetype.
- Set Value to the AWS source type you are configuring.
Example for GuardDuty Findings:
aws:cloudwatchlogs:guardduty
- Refer to Splunk AWS Add-on documentation for other AWS source types.
(Optional) Configure Indexer Acknowledgement (if enabled for HEC input):
- Specify a channel to send data to HEC.
- Refer to Splunk documentation on indexer acknowledgment and data channels.
- To specify a channel:
- Select Header as the invocation parameter.
- Set Key to X-Splunk-Request-Channel.
- Enter the channel identifier in the Value field.
Click "Create" to finalize the endpoint and connection for Splunk.
Figure 3: EventBridge Splunk Connection
Step 2: Set up EventBridge Rule
Now that you successfully created the API destination and connection for Splunk, you can create the EventBridge Rules on AWS console for sending events from AWS services.
- Go to Amazon EventBridge in the AWS console , select Rules under Buses and click Create Rule.
- Enter a name for the rule, then click Next.
- Keep Event source set to AWS events or EventBridge partner events.
- Scroll down to Event Pattern and select AWS services as the Event source.
- Choose the AWS service where you want to send events (e.g., GuardDuty).
- Set the Event type:
- Select All events to send all events from the AWS service.
- Or, choose a specific event type to send only certain events to Splunk.
- Important: The AWS service and event type should match the source type you configured in the previous step for the API destination.
Figure 4: Example EventBridge Rule
On the next screen for EventBridge targets, check EventBridge API destination for Target types and select the target we created for Splunk earlier. With these steps you should be able to create the rule to ingest events into Splunk.
You can now verify [a3] on Splunk console by doing a search on the events sent from EventBridge. (Example: “index=<your_index> sourcetype="aws:cloudwatchlogs:guardduty") Depending on the type of events you selected, you may need to wait a few minutes until the events get generated from AWS service. For cost information on setting up Splunk as an API destination, refer to the EventBridge pricing page for API destinations and invocations.
When setting up the integration, it's important to monitor AWS logs and metrics for effective troubleshooting. Examining metrics for EventBridge such as event ingestion rates and error counts can help you identify performance bottlenecks or configuration problems early. By regularly reviewing these logs and metrics, you can make sure that your data is flowing smoothly to Splunk and address any issues promptly.
Conclusion
This blog explains how to configure EventBridge for sending AWS events into Splunk.
EventBridge provides at-least-once event delivery to targets, including automatic retries with exponential backoff for up to 24 hours. Events are stored durably across multiple Availability Zones (AZs), providing additional assurance your events will be delivered to their destination. These availability and durability features provide an efficient solution for AWS customers to leverage EventBridge for delivering critical events to Splunk for Security and operational use cases.
By combining AWS EventBridge event delivery mechanism with Splunk’s powerful data analytics, organizations can build a resilient and scalable monitoring solution that meets both security and operational requirements.
Authors:
- Antoni Komorowski - Splunk's Product Manager
- Ranjit Kalidasan - Principal Solutions Architect at AWS
- Bartlomiej Kaletka - Splunk's Product Manager
