Recording Access Audit Events in Splunk

This procedure assumes a Splunk instance running on the same host as IG. Adjust the instructions for your Splunk system.

1. Download Splunk from http://www.splunk.com, and install it with the default configuration. If you don't already have a Splunk account, create one.

   Tip

   Splunk currently uses the following ports by default: 8000, 8065, 8088, 8089, and 8091. Before you install Splunk, make sure that these ports are free. Alternatively, change the Splunk installation and IG route to use other ports.

   To find port numbers and other settings used by Splunk, select Server settings > General settings in the Splunk web interface.

2. With Splunk running, create a new source type and associate it with log data from IG:

   1. In the Splunk web interface, select Settings > Source Types > New Source Type.

   2. In the Create Source Type window, enter a name for the source type, for example, openig.

   3. In the Event Breaks panel of the same window, select Regex... and enter ^{ to indicate how the bulk messages are separated.

   4. Accept all of the other values as default and select Save.

3. Create an HTTP Event Collector to provide an authorization token so that IG can log events to Splunk:

   1. Select Settings > Data Inputs > HTTP Event Collector > New Token.

   2. Enter a Name for the token, for example, openig, leave the other fields with their default values, and select Next.

   3. In the Input Settings screen, select Select > Select Source Type > Custom, and then select the source type you created in the previous step.

   4. Select Review and then Submit.

      An authorization token is displayed. Make a note of the value or keep it on the screen so that you use it as the value of authzToken in 30-splunk.json.

4. In the HTTP Event Collector window, check that the Global Settings are configured correctly. For example, make sure that all tokens are enabled and that SSL is not enabled.

   The HTTP port number displayed in these global settings is used as the value of port in 30-splunk.json.

5. Add the following route to IG, replacing the value of authzToken with the value returned earlier:

   $HOME/.openig/config/routes/30-splunk.json

   %appdata%\OpenIG\config\routes\30-splunk.json

   {
     "name": "30-splunk",
     "baseURI": "http://app.example.com:8081",
     "condition": "${matches(request.uri.path, '^/home/splunk-audit')}",
     "heap": [
       {
         "name": "AuditService",
         "type": "AuditService",
         "config": {
           "eventHandlers": [
             {
               "class": "org.forgerock.audit.handlers.splunk.SplunkAuditEventHandler",
               "config": {
                 "name": "splunk",
                 "enabled": true,
                 "authzToken": "<splunk-authorization-token>",
                 "connection": {
                   "host": "localhost",
                   "port": 8088,
                   "useSSL": false
                 },
                 "topics": [
                   "access"
                 ],
                 "buffering": {
                   "maxSize": 10000,
                   "maxBatchedEvents": 500,
                   "writeInterval": "100 ms"
                 }
               }
             }
           ]
         }
       }
     ],
     "auditService": "AuditService",
     "handler": "ReverseProxyHandler"
   }

   The route calls an audit service configuration for publishing log messages to Splunk.

   For information about how to set up the route in Studio, see "Auditing in Structured Editor".

6. Test the setup:

   1. Go to http://openig.example.com:8080/home/splunk-audit.

      The home page of the sample application is displayed and events are logged in Splunk.

   2. Access the Splunk web interface on http://localhost:8000, and select Search & Reporting > Data Summary.

      Depending on how Splunk is configured, audit events are displayed on the web interface.