@mohsplunking Since BeyondTrust Remote Support SaaS is a cloud offering, the integration likely relies on its API capabilities or syslog forwarding features that can be directed to Splunk Cloud.

HEC
Splunk Cloud supports HEC, which allows you to send data over HTTPS using a token-based authentication method. If BeyondTrust Remote Support SaaS can send event data (e.g., session logs) to a custom endpoint, HEC could ingest this data directly.

Custom TA for REST API
Check BeyondTrust’s documentation or contact their support to confirm the availability of a REST API for the SaaS version. Then build a custom TA:
1. Install the “REST API Modular Input” app from Splunkbase (if supported in your Splunk Cloud environment; you may need to request Splunk Support to install it).
2. Configure a REST input with the BeyondTrust API URL, authentication (OAuth or API key), and polling interval (e.g., every 60 seconds).
3. Write props.conf and transforms.conf in the TA to parse the API response (likely JSON) into meaningful fields for Splunk.

Syslog Forwarding with an Intermediary
1. In the BeyondTrust admin interface, set up syslog forwarding to a server you control (e.g., an IP address and a port such as 514 for UDP or TCP).
2. Deploy a Splunk Universal Forwarder on a small VM or container.
3. Configure it to listen for syslog data and forward it to Splunk Cloud using outputs.conf.
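As an added illustration of the HEC option above (example code, not from the post, BeyondTrust or Splunk), this Python wraps constructed session-log events in the HEC event envelope and posts them with the token-based Authorization header. The HEC URL, token, sourcetype and the event field names are placeholders and assumptions, not BeyondTrust's real schema.

```python
import json
import urllib.request
from datetime import datetime

HEC_URL = "https://hec.example.splunkcloud.com:8088/services/collector/event"  # placeholder
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token

# Constructed sample session events; the field names are assumptions,
# not the actual BeyondTrust Remote Support log schema.
SAMPLE_SESSION_EVENTS = [
    {"timestamp": "2024-05-01T10:15:30Z", "session_id": "s-1001",
     "rep": "alice", "action": "session_start", "customer_host": "ws-42"},
    {"timestamp": "2024-05-01T10:42:05Z", "session_id": "s-1001",
     "rep": "alice", "action": "session_end", "customer_host": "ws-42"},
]


def to_hec_envelope(ev, sourcetype="beyondtrust:remotesupport", host="bt-saas"):
    """Wrap one event in the HEC envelope. HEC expects `time` as epoch seconds,
    so the ISO-8601 timestamp is converted rather than passed through."""
    ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
    return {"time": ts.timestamp(), "host": host, "source": "beyondtrust_api",
            "sourcetype": sourcetype, "event": ev}


def build_hec_batch(events):
    """HEC accepts several envelopes concatenated in a single POST body."""
    return "".join(json.dumps(to_hec_envelope(e)) for e in events)


def send_to_hec(body, url=HEC_URL, token=HEC_TOKEN, opener=urllib.request.urlopen):
    """POST a batch with `Authorization: Splunk <token>` and return the parsed reply.
    `opener` is injectable so the function can be exercised without network access."""
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with opener(req, timeout=10) as resp:
        reply = json.loads(resp.read())
    # HEC answers {"text": "Success", "code": 0}; any other code is a rejection
    # (bad token, invalid JSON, disabled token) and should be surfaced, not dropped.
    if reply.get("code") != 0:
        raise RuntimeError(f"HEC rejected batch: {reply}")
    return reply


if __name__ == "__main__":
    print(send_to_hec(build_hec_batch(SAMPLE_SESSION_EVENTS)))
```

Running the module for real requires a valid HEC URL and token; by default it will fail against the placeholder host.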