Splunk Enterprise

How to integrate Salesforce Marketing Cloud with Splunk

lawrence_magpoc
Path Finder

As a Splunk SME, I'm tasked to set up the ingestion of Salesforce Marketing Cloud transactional messages into Splunk. We're currently trying to utilize HTTP event collector (HEC) for this but we couldn't get it to work because it's giving us this error:

lawrence_magpoc_0-1702894257156.png

The Marketing Cloud developer I'm working with told me that in order to resolve the above error, we need to figure out how to "verify callbacks" from our end (Splunk)
https://developer.salesforce.com/docs/marketing/marketing-cloud/guide/verifyCallback.html
I need to know if there's a way to achieve that through HEC or if we need to take an entirely different approach to get the Marketing Cloud events to Splunk.

0 Karma

lawrence_magpoc
Path Finder

I already figured out how to get it to work.

marcoscala
Builder

Hi Lawrence,

Can you please share your solution? A customer just asked us to collect audit logs from Marketing Cloud and we're trying to figure out how to do it.

Thanks a lot!

Marco

0 Karma

lawrence_magpoc
Path Finder

Hi @marcoscala sorry for the late response. I only saw your comment just now.

Here's how we did it:

  1. Before anything else, make sure that the connection between your Splunk forwarder and SFMC is established and nothing is blocking it. This is where we had our problem initially.
  2. Set up HEC on your Splunk forwarder. Make sure to set the allowQueryStringAuth setting to "true". This will make your HEC act as a webhook. This is important because SFMC only allows you to input an endpoint URL and nothing else.
  3. Register your callback URL in SFMC using the HEC endpoint URL and token from step 2. Your callback URL should look something like this:
    https://<Your HEC endpoint URL here>:8088/services/collector/event?token=<your HEC token here>
    If successful, this will return a callbackid and verification key to be used for the next step.
  4. Manually verify the callback created from step 3. Now I'm not sure if it matters where you do it but just to be sure, execute the command on the server which is running your Splunk forwarder instance.
  5. Create your ENS in SFMC. Granted that everything went well, you should now see the events coming in. I suggest temporarily removing all the filters from your ENS until you've confirmed that you're indeed receiving data from it.
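
An added example, not part of the original post and not Splunk's own tooling: with allowQueryStringAuth enabled as in step 2, the HEC token sits in the callback URL, so it is stored in SFMC and can show up in proxy or access logs along the path. This script audits an inputs.conf for tokens that accept query-string auth and flags any that are not constrained by TLS or an `indexes` allow-list. The sample config, stanza names, index name and token values are constructed, and treating a missing enableSSL as "on" is an assumption.

```python
import configparser

# Constructed inputs.conf for illustration only: stanza names, the index
# name and the token values are placeholders, not taken from the thread.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
port = 8088
enableSSL = 1

[http://sfmc_ens]
token = 00000000-0000-0000-0000-000000000001
allowQueryStringAuth = true
index = sfmc
indexes = sfmc

[http://shared_webhook]
token = 00000000-0000-0000-0000-000000000002
allowQueryStringAuth = true
"""


def is_true(value):
    """Interpret a Splunk-style boolean setting."""
    return value.strip().lower() in {"1", "true", "t", "yes", "y"}


def audit_query_string_tokens(conf_text):
    """Return {stanza: [findings]} for HEC tokens that accept ?token= auth."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    # Assumption: HEC serves TLS unless [http] enableSSL turns it off.
    tls_on = is_true(parser.get("http", "enableSSL", fallback="1"))
    report = {}
    for stanza in parser.sections():
        if not stanza.startswith("http://"):
            continue  # only per-token stanzas are of interest
        opts = parser[stanza]
        if not is_true(opts.get("allowQueryStringAuth", "false")):
            continue  # token is only accepted in the Authorization header
        findings = []
        if not tls_on:
            findings.append("TLS disabled: URL token is sent in clear text")
        if not opts.get("indexes", "").strip():
            findings.append("no 'indexes' allow-list: token can write to any index")
        report[stanza] = findings
    return report
```

An empty findings list means the token still travels in the URL but is limited to TLS and a single index, which bounds what a leaked callback URL can be used for.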

richgalloway
SplunkTrust

Splunk HEC does not do callbacks.  Clients send data over HTTP and Splunk responds with an HTTP status code.  That's it (unless you use ACK, but don't do that).

---
If this reply helps you, Karma would be appreciated.
0 Karma

lawrence_magpoc
Path Finder

Ok so I suppose HEC is out of the question then? Is there an alternative solution?

0 Karma

richgalloway
SplunkTrust

There are a few ways to onboard data into Splunk.

  1. Install a universal forwarder on the server to send log files to Splunk
  2. Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
  3. Use the server's API to extract data for indexing
  4. Use Splunk DB Connect to pull data from the server's SQL database.

---
If this reply helps you, Karma would be appreciated.
0 Karma