Splunk Enterprise Security

How do I get Epic Hyperspace logs into Splunk with Syslog?

canalesjac
Path Finder

I would like to retrieve data from Epic Hyperspace logs via Syslog. I know you can use the Epic APIs like FHIR, but I would like to use Syslog instead.


canalesjac
Path Finder

I found that Epic Hyperspace does have a configuration to set logs to be sent to your SIEM by Syslog. Here is an example of an Epic Event Activity Dashboard.

[Screenshot: Epic Event Activity Dashboard]

[Screenshot: Epic Event Activity Dashboard, continued]

In order to configure multiple SIEMs you have to be running Epic November 2018. Please see "Epic User Auditing Guide" > Access History > Sending Auditing Events to SIEMs. Very simple setup.

Step 1) You will need to have Epic Hyperspace installed.

Step 2) You will need to have Splunk installed.

Step 3) Create a new dashboard and call it "Epic Event Activity". Select Edit Dashboard. Select Source. Copy and paste the XML code attached. Select Save dashboard.

Step 4) Configure your Splunk with a custom index. I call this index "Epic". I created a syslog data input with TCP port 532. You can use your own port, such as the default syslog 514/UDP.

Step 5) Configure your Epic instance to use the SIEM IP and port.
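A concrete Splunk-side configuration for the custom index and the TCP syslog input described in the steps above, added here as an example; it is not from the original post and not from Epic or Splunk documentation. The sourcetype name epic:syslog, the acceptFrom network and the retention period are assumptions to replace with your own values. Splunk conf files only treat a line as a comment when it starts with #, so every comment sits on its own line:

```ini
# --- inputs.conf on the indexer or heavy forwarder that Epic sends to ---
# TCP syslog input on port 532, matching the answer's choice of port.
[tcp://532]
# Sourcetype name is an assumption for this example, not from the post.
sourcetype = epic:syslog
# The custom "epic" index the answer creates (index names are lower-case).
index = epic
# Record the sending host by IP rather than by reverse-DNS name.
connection_host = ip
# Placeholder network: only accept connections from your Epic servers,
# so an arbitrary host on the LAN cannot inject events into the audit index.
acceptFrom = 10.0.0.0/8

# Equivalent input for the default syslog transport the post mentions (UDP 514).
# UDP delivers no acknowledgement, so dropped audit events go unnoticed;
# prefer the TCP input above, or tcp-ssl, for audit data.
# [udp://514]
# sourcetype = epic:syslog
# index = epic
# connection_host = ip

# --- indexes.conf: the custom "epic" index ---
[epic]
homePath = $SPLUNK_DB/epic/db
coldPath = $SPLUNK_DB/epic/colddb
thawedPath = $SPLUNK_DB/epic/thaweddb
# Placeholder retention (six years in seconds); set it to your audit-retention policy.
frozenTimePeriodInSecs = 189216000
```

After restarting Splunk, confirm the listener is up and events land in the right place with a search such as `index=epic sourcetype=epic:syslog | stats count by host`; if the count stays at zero, check the firewall path from the Epic host to port 532 and the acceptFrom range before touching anything else.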

[Screenshot: Epic Hyperspace Login]

Epic Event Activity Dashboard Source Code


<form theme="dark">
  <label>EPIC Event Activity</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="tok.time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="tok.shost">
      <label>Epic Environment</label>
      <fieldForLabel>shost</fieldForLabel>
      <fieldForValue>shost</fieldForValue>
      <search>
        <query>index=epic shost="*" | stats count by shost</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <single>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="trendDisplayMode">percent</option>
        <option name="trendInterval">-1h</option>
        <option name="underLabel">Events</option>
      </single>
      <single>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel">Events Over Time</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Environment</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by shost</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Category</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICECATEGORY</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Type</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICETYPE</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by Service Name</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by SERVICENAME</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Events By User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | stats count by suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events By User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | top limit=10 suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Events by User</title>
      <chart>
        <search>
          <query>index=epic shost=$tok.shost$ | timechart count by suser</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>


https://www.linkedin.com/in/canalesj/ 

https://twitter.com/Canalesjj


mstanton
New Member

I didn't see any info about parsing these logs. Mine are sending as syslog, but nothing is parsed and it's all XML formatted. Did you choose something other than syslog or create a parser?
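One way to get the XML payload described in the comment above parsed into fields, added here as an example and not taken from the post or from Epic's or Splunk's own documentation: a props.conf stanza for the assumed sourcetype epic:syslog. The sample event, the element names environment and user, and the header-stripping regex are constructed assumptions; adjust them to the elements your events actually contain.

```ini
# --- props.conf for the assumed sourcetype epic:syslog ---
# Constructed sample event (not a real Epic record) showing the shape this
# stanza expects: a syslog header followed by one XML document.
# <13>Mar  3 10:15:02 epicprd <event><environment>PRD</environment><user>jdoe</user><SERVICECATEGORY>Login</SERVICECATEGORY></event>
[epic:syslog]
# Each event is a single line; never merge lines into multi-line events.
SHOULD_LINEMERGE = false
# XML audit records can be long; the default 10000-byte cutoff would silently
# drop the tail of large events, which is the worst failure mode for audit data.
TRUNCATE = 100000
# Index-time: drop the syslog priority/timestamp/host header so the event body
# starts at the XML root. Timestamp extraction runs before SEDCMD, so _time is
# still taken from the header. Regex written against the constructed sample above.
SEDCMD-strip_syslog_header = s/^<\d{1,3}>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+//
# Search-time: extract every XML element and attribute as a field.
KV_MODE = xml
# The dashboard searches by shost and suser. If your XML uses other element
# names (environment and user are placeholders), alias them so the dashboard
# works unchanged; SERVICECATEGORY, SERVICETYPE and SERVICENAME are taken as-is.
FIELDALIAS-epic_dashboard = environment AS shost user AS suser
```

KV_MODE and FIELDALIAS are search-time settings and must be present wherever searches run (the search head), while SHOULD_LINEMERGE, TRUNCATE and SEDCMD are index-time settings that belong on the indexer or heavy forwarder that owns the TCP input. Verify the result with `index=epic | head 5` and check that shost, suser and SERVICECATEGORY appear in the field list; if they do not, compare the raw event against the sample above and adjust the regex and alias names first.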



ug
New Member

@docana is your Epic instance on-prem? Do you know if this will work if your Epic environment is completely remotely hosted by Epic?
Thank you in advance for your response.
