Splunk Enterprise Security

How do i get Epic Hyperspace logs to Splunk with Syslog?

Path Finder

I would like to retrieve data from Epic Hyperspace logs via Syslog. I know you can use the Epic APIs like FHIR, but I would like to use Syslog instead.


Path Finder

I found that Epic Hyperspace does have a configuration to set logs to be sent to your SIEM by Syslog. Here is an example of an Epic Event Activity Dashboard.

[Screenshot: Epic Event Activity Dashboard]

[Screenshot: Epic Event Activity Dashboard (continued)]

In order to configure multiple SIEMs you have to be running Epic November 2018. Please see "Epic User Auditing Guide" > Access History > Sending Auditing Events to SIEMs. Very simple setup.

Step 1) You will need to have Epic Hyperspace installed.

Step 2) You will need to have Splunk installed.

Step 3) Create a new dashboard and call it "Epic Event Activity". Select Edit Dashboard. Select Source. Copy and paste the XML code attached. Select Save dashboard.

Step 4) Configure your Splunk with a custom index. I call this index "Epic". I created a syslog data input on TCP port 532. You can use your own port, such as the default syslog 514/UDP.

Step 5) Configure your Epic instance to use the SIEM IP and port.

[Screenshot: Epic Hyperspace Login]

Epic Event Activity Dashboard Source Code


<form theme="dark">
  <label>EPIC Event Activity</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="tok.time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok.shost">
      <label>Epic Environment</label>
      <fieldForLabel>shost</fieldForLabel>
      <fieldForValue>shost</fieldForValue>
      <search>
        <query>index=epic shost="*" | stats count by shost</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendDisplayMode">percent</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Events</option>
      </single>
      <single>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Events Over Time</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>


https://www.linkedin.com/in/canalesj/ 

https://twitter.com/Canalesjj

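The dashboard in the accepted answer only works if every event the syslog input receives actually carries the fields its searches group on (shost, suser, SERVICECATEGORY, SERVICETYPE, SERVICENAME). The names shost and suser are CEF extension keys, so the example below assumes Epic's SIEM feed is RFC 3164-style syslog carrying a CEF payload; the page does not show a real Epic message, and every sample line, hostname, user and service name in the block is constructed. It is an added example, not code from the original post, from Epic or from Splunk: it parses the feed the way a Splunk sourcetype would have to, reproduces the dashboard's `stats count by` and `top` queries offline, and reports which of the dashboard's fields are missing from some events so empty panels are caught before the dashboard is trusted. One caveat worth keeping in mind when choosing between the post's TCP input and the UDP 514 default: UDP drops are silent, which is a poor fit for an audit feed, and a Splunk `[tcp-ssl://<port>]` input can additionally wrap the stream in TLS if the Epic side supports it.

```python
"""Added example (not from the original post, Epic or Splunk).

Assumes the Epic SIEM feed is syslog + CEF; all sample data is constructed.
Run parse_feed() over a capture of the real feed to confirm the fields the
dashboard groups on are present before relying on its panels.
"""
import re
from collections import Counter

# Fields the dashboard's searches depend on; a panel on a missing field is empty.
DASHBOARD_FIELDS = ("shost", "suser", "SERVICECATEGORY", "SERVICETYPE", "SERVICENAME")

# Constructed sample feed: hypothetical hosts, users and service names.
# <110> = facility 13 (log audit) * 8 + severity 6 (informational).
SAMPLE_LINES = [
    "<110>Mar 10 14:02:11 epic-prd01 CEF:0|Epic|Hyperspace|2018|100|Access|3|"
    "shost=PRD suser=jdoe SERVICECATEGORY=Clinical SERVICETYPE=ChartReview SERVICENAME=Patient Chart",
    "<110>Mar 10 14:02:40 epic-prd01 CEF:0|Epic|Hyperspace|2018|100|Access|3|"
    "shost=PRD suser=jdoe SERVICECATEGORY=Clinical SERVICETYPE=ChartReview SERVICENAME=Patient Chart",
    "<110>Mar 10 14:03:05 epic-prd01 CEF:0|Epic|Hyperspace|2018|100|Access|3|"
    "shost=PRD suser=jdoe SERVICECATEGORY=Clinical SERVICETYPE=Orders SERVICENAME=Order Entry",
    "<110>Mar 10 14:03:50 epic-prd01 CEF:0|Epic|Hyperspace|2018|101|Login|3|"
    "shost=PRD suser=asmith SERVICECATEGORY=Authentication SERVICETYPE=Login SERVICENAME=Hyperspace Login",
    "<110>Mar 10 14:04:12 epic-tst01 CEF:0|Epic|Hyperspace|2018|101|Login|3|"
    "shost=TST suser=asmith SERVICECATEGORY=Authentication SERVICETYPE=Login SERVICENAME=Hyperspace Login",
    # Event missing SERVICENAME: the "Events by Service Name" panels would not count it.
    "<110>Mar 10 14:05:30 epic-tst01 CEF:0|Epic|Hyperspace|2018|100|Access|3|"
    "shost=TST suser=rlee SERVICECATEGORY=Clinical SERVICETYPE=Orders",
    # Non-CEF line on the same input: must be reported, not silently dropped.
    "<110>Mar 10 14:06:00 epic-prd01 heartbeat ok",
]

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# CEF header: seven pipe-delimited fields (a literal pipe is escaped as \|), then extensions.
_HF = r"(?:\\\||[^|])*"
CEF_RE = re.compile(
    r"^CEF:(?P<ver>\d+)\|(?P<vendor>" + _HF + r")\|(?P<product>" + _HF + r")\|(?P<devver>"
    + _HF + r")\|(?P<sigid>" + _HF + r")\|(?P<name>" + _HF + r")\|(?P<sev>" + _HF + r")\|(?P<ext>.*)$"
)
# Extension values may contain spaces, so split only on whitespace followed by another key=.
EXT_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z0-9_.]+=)")


def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 with spaces' into a dict, undoing CEF's \\= and \\\\ escapes."""
    fields = {}
    for pair in EXT_SPLIT_RE.split(ext.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def parse_event(line):
    """Return a flat dict of syslog + CEF fields, or None if the line is not syslog/CEF."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    c = CEF_RE.match(m.group("msg"))
    if not c:
        return None
    pri = int(m.group("pri"))
    event = {
        "facility": pri >> 3,            # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "syslog_host": m.group("host"),
        "cef_name": c.group("name"),
        "cef_severity": c.group("sev"),
    }
    event.update(parse_extension(c.group("ext")))
    return event


def parse_feed(lines):
    """Split a feed into parsed events and the raw lines that did not parse."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_event(line)
        (events if ev else unparsed).append(ev if ev else line)
    return events, unparsed


def count_by(events, field):
    """Equivalent of the dashboard's '| stats count by <field>'."""
    return dict(Counter(e[field] for e in events if field in e))


def top(events, field, limit=10):
    """Equivalent of '| top limit=<limit> <field>' (value, count pairs, descending)."""
    return Counter(e[field] for e in events if field in e).most_common(limit)


def field_coverage(events):
    """Fraction of events carrying each dashboard field."""
    n = len(events) or 1
    return {f: sum(1 for e in events if f in e) / n for f in DASHBOARD_FIELDS}


def check_dashboard_fields(events):
    """Dashboard fields that are absent from at least one event, in dashboard order."""
    cov = field_coverage(events)
    return [f for f in DASHBOARD_FIELDS if cov[f] < 1.0]


if __name__ == "__main__":
    evs, bad = parse_feed(SAMPLE_LINES)
    print(f"parsed {len(evs)} events, {len(bad)} unparsed: {bad}")
    print("by environment:", count_by(evs, "shost"))
    print("top users:", top(evs, "suser", 3))
    print("incomplete fields:", check_dashboard_fields(evs))
```

On the Splunk side, the UI steps in the answer correspond to a `[tcp://532]` stanza in inputs.conf with `index = epic` and a sourcetype whose field extractions produce the same key=value pairs this parser does; if `check_dashboard_fields` reports a field on a real capture, that field is the one to fix in the extraction (or in Epic's SIEM configuration) before reading anything into the panels.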
