Hi Lawrence,

can you please share your solution? A customer just asked us to collect audit logs from Marketing Cloud and we're trying to figure how to do it.

Thanks a lot!

Marco

Hi @marcoscala sorry for the late response. I only saw your comment just now.

Here's how we did it:

1. Before anything else, make sure that the connection between your Splunk forwarder and SFMC is established and nothing is blocking it. This is were we had our problem initially.
2. Set up HEC on your Splunk forwarder. Make sure to set the allowQueryStringAuth setting to "true". This will make your HEC act as a webhook. This is important because SMFC only allows you to input endpoint URL and nothing else.
3. Register your callback URL in SFMC using the HEC endpoint URL and token from step 2. Your callback URL should look something like this:
   https://<Your HEC endpoint URL here>:8088/services/collector/event?token=<your HEC token here>​
   If successful, this will return a callbackid and verification key to be used for the next step.
4. Manually verify the callback created from step 3. Now I'm not sure if it matters where you do it but just to be sure, execute the command on the server which is running your Splunk forwarder instance.
5. Create your ENS in SMFC. Granted that everything went well, you should now see the events coming in. I suggest temporarily removing all the filters from your ENS until you've confirmed that you're indeed receiving data from it.

Ok so I suppose HEC is out of the question then? Is there an alternative solution?

There are a few ways to onboard data into Splunk.

1. Install a universal forwarder on the server to send log files to Splunk
2. Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
3. Use the server's API to extract data for indexing
4. Use Splunk DB Connect to pull data from the server's SQL database.