Configure the Splunk Integration
Updated on 27 Feb 2023 • 2 Minutes to read
This article explains how to configure the Splunk integration with the Island Management Console. Once configured,
Splunk receives logs/events from the Island Management Console, which include user events from the browser and
admin audit events from the management console. The steps apply to both Splunk Enterprise and the Splunk Cloud
Platform.
Prerequisites
Before configuring the Splunk integration to receive logs/events from the Island Management Console, there
are several prerequisites:
You must have permission to configure integrations in the Island Management Console (for example, a full admin or
system admin role).
You must have the role required to install add-ons and apps on Splunk Enterprise or the Splunk Cloud Platform (for
example, sc_admin on Splunk Cloud).
Configure the Integration in Island
To configure the integration in Island, perform the following:
1. From the Island Management Console, navigate to Settings > Integrations > SIEM.
2. Click Setup for the Splunk SIEM integration. The Splunk Integration Settings drawer is displayed to assist in
the Splunk configuration.
3. Click Generate API Key. This key is what authenticates the Splunk add-on to the Island Management Console, so
treat it as a secret. You can deactivate and delete the key at any time and generate a new one.
4. Copy the API Key to your clipboard and paste it into Splunk as described in Configure the Integration in Splunk.
The key is displayed only once: after you click Done it cannot be viewed again, so if you lose it, generate a new
one.
Configure the Integration in Splunk
To configure the integration in Splunk, perform the following:
1. Install the Island Add-on for Splunk, either by downloading it from the SIEM page in the Management Console or
by installing it from within Splunk. If you install from within Splunk, consult your Island SE or contact our
technical support team to be added to the downloaders list.
2. Follow the Splunk documentation topic that matches your deployment:
For single-instance Splunk Enterprise - Install an add-on in a single-instance Splunk Enterprise
deployment
For Splunk Cloud - Install apps on your Splunk Cloud Platform deployment
3. From within Splunk, navigate to Settings > Data Inputs > Island Audit Input, and click Create New Input.
4. Enter a unique Name and paste the API Key that you copied from the Island Management Console into the relevant
fields.
5. Click Next to continue.
Note: If you modify any of the definitions in More Settings, the Interval parameter must remain at 60 seconds.
6. The add-on needs outbound connectivity on port 443 (HTTPS). If that traffic must go through a proxy, configure
the proxy under Configuration > Proxy.
7. Navigate to Configuration > Add-on Settings and click Save, for the Island Add-on for Splunk to begin
working.
8. Go back to Settings > Integrations > SIEM in the Island Management Console. If the integration succeeded, the
status Up and Running is displayed.
9. You should now be able to search for audit events by navigating to Island Add-on for Splunk > Search and typing
sourcetype="island-audits".
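Seeing events once is not the same as knowing they keep arriving. The following Splunk search, added here as an example and not part of the Island add-on or of the original article, flags an input whose events have stopped. It assumes only the island-audits sourcetype named above; the 15-minute threshold (the add-on polls every 60 seconds, so a quarter hour of silence is well outside normal) and the 24-hour lookback are illustrative choices, and no event field names are used because those are covered in the CEF mapping article rather than here.

```spl
| tstats count AS events latest(_time) AS last_seen
    WHERE sourcetype="island-audits" earliest=-24h
    BY source
| eval minutes_since_last=round((now() - last_seen) / 60, 1)
| where minutes_since_last > 15
| table source events last_seen minutes_since_last
```

tstats works on index-time fields only (source, sourcetype, host, index, _time), which is why the search stays cheap enough to schedule as an alert every few minutes. A row in the result means that input delivered events during the lookback window and then went quiet: the usual causes are a deactivated API key in the Island Management Console or the Add-on Settings not having been saved after a change (step 7). An empty result on a freshly created input is ambiguous, since no events may have arrived yet at all; in that case run sourcetype="island-audits" over the last hour first, and check the Up and Running status in the Management Console.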
If you have any questions or issues, please consult with your Island SE, or contact our technical support team.