Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Securing Client side logging using HTTP Event Collector

aliyusuf
Engager
‎12-06-2017 02:16 PM

I am sending client side logs (browser logs) to Splunk. I have setup an HTTP Event Collector (HEC) where I am sending the log events using splunk-bunyan-logger. Everything works fine with this setup. I am able to send the logs from my web page to this HEC which eventually ends up on our Splunk index.

One major concern we have is putting the HEC token in the client code. splunk-bunyan-logger requires an HEC token and URL to send log events to HEC. Anyone knowing this token and URL can send random requests on our HEC or DDoS it since its endpoint will be open on the internet. Is there any solution built around it? Or is it considered safe in the Splunk community to use HEC token in the client code? I need suggestions on this if anyone has already implemented client side logging using Splunk.

Reply

akshatj2
Path Finder
‎08-02-2021 01:54 AM

Hi @aliyusuf,

 

were you able to get the issue resolved. We have a similar requirement.

0 Karma
Reply

johntron
Engager
‎02-14-2018 05:35 PM

Disclaimer: I know very little about Splunk, but I do know a little about general security practices.

In general, any kind of client-side authentication is considered a very weak form of security to deter only the most basic attackers. I'm not sure what other privileges the HEC token provides, but it shouldn't grant access to anything other than client-side logging.

You should assume attackers already have client-side tokens (they do) and treat them simply as a way to associate your log messages with your account. With that assumption, the next concern is preventing attacks against your logging endpoint.

Since messages are not stored on your webserver, your app can't be taken down by a DoS aimed at filling up disk space. That means you just need to ensure your app doesn't hang if the logging endpoint is in an unhealthy state. Another thing to consider is that log messages should all be considered untrusted - attackers can send false information if they really just want to wait your time.

I hope somebody else has a better answer...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...