Splunk Integration
| Splunk Integration | |
|---|---|
| Author(s) | ConnectWise Labs |
| Latest version | 1.0.3 |
| Required server version | 2023.3+ |
Introduction
This page explains how to install and configure the Splunk Integration extension for ConnectWise ScreenConnect™. The Splunk Integration extension sends ScreenConnect session and security events to Splunk for monitoring and analysis.
Configure Splunk
1. Create an HTTP Event Collector endpoint
The first step is to create an HTTP Event Collector endpoint. The instructions to create an endpoint vary slightly depending on the type of Splunk installation you’re configuring. See Splunk’s documentation on creating an HTTP Event Collector for a complete walkthrough.
2. Copy the HTTP Event Collector token value
Once you have created the HTTP Event Collector, copy its token value. Save this value in a safe place; you will need it to configure ScreenConnect.
3. Construct the HTTP Event Collector URI
The HTTP Event Collector URI tells the integration where to find the HTTP Event Collector that you created in the previous step. The form of the URI depends on your Splunk installation.
For example, the URI for our Splunk Cloud instance is:
https://myinstance.splunkcloud.com:8088/services/collector
See Splunk’s documentation and contact your Splunk admin if you have additional questions about constructing the HTTP Event Collector URI.
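Before entering the URI and token in ScreenConnect, you can sanity-check them and send one test event to the collector. The script below is an added example, not part of the extension or of ConnectWise's code; the function names, the test message, the `hec:preflight` sourcetype and the `HEC_TOKEN` environment variable are assumptions made for the example.

```python
import json
import re
import urllib.request
from urllib.parse import urlsplit

# Tokens generated by Splunk for HTTP Event Collector are GUIDs.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def check_hec_settings(uri, token):
    """Return a list of problems with the URI/token pair; empty means it looks sane."""
    problems = []
    parts = urlsplit(uri.strip())
    path = parts.path.rstrip("/")
    if parts.scheme != "https":
        problems.append("URI should use https so the token is not sent in cleartext")
    if not parts.hostname:
        problems.append("URI has no host")
    if parts.username or parts.password:
        problems.append("URI must not embed credentials")
    if path != "/services/collector" and not path.startswith("/services/collector/"):
        problems.append("URI path should be /services/collector")
    if not GUID.match(token.strip()):
        problems.append("token is not in GUID form (copied with extra text?)")
    return problems

def build_test_request(uri, token):
    """Build, without sending, a POST that carries one constructed test event."""
    problems = check_hec_settings(uri, token)
    if problems:
        raise ValueError("; ".join(problems))
    # Constructed payload; the sourcetype name is an assumption for this example.
    body = json.dumps({"event": {"message": "HEC pre-flight test"},
                       "sourcetype": "hec:preflight"}).encode()
    headers = {"Authorization": "Splunk " + token.strip(),
               "Content-Type": "application/json"}
    return urllib.request.Request(uri.strip(), data=body, headers=headers, method="POST")

if __name__ == "__main__":
    import os
    import sys
    # Usage: python hec_preflight.py <uri>   (token read from HEC_TOKEN)
    # Reading the token from the environment keeps it out of the process list.
    request = build_test_request(sys.argv[1], os.environ["HEC_TOKEN"])
    with urllib.request.urlopen(request, timeout=10) as response:
        print(response.status, response.read().decode())
```

An HTTP 200 response means the collector accepted the event; an HTTP error raised by `urlopen` points to a wrong token, a disabled collector or an unreachable URI.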
Install the Splunk integration extension in ScreenConnect
1. Navigate to your ScreenConnect instance
2. Navigate to the Administration > Extensions page
3. Click Browse Extension Marketplace
4. Search for the Splunk Integration
5. Select the extension and click Install
Configure the Splunk integration extension in ScreenConnect
1. Navigate to your ScreenConnect instance's Administration > Extensions page
2. Click the Extras menu in the navigation column and select Configure Splunk Integration
3. Enter the Splunk HTTP Event Collector information
Enter the HTTP Event Collector URI and HTTP Event Collector Token from the previous steps.
4. Select the event types to send to Splunk
Select the session events and security event types that you want to send to Splunk. By default, all events are sent to Splunk. Click All Events to open a selection panel. Click an event to deselect it.
5. Click Save to save your changes and close the dialog
What's next
Your Splunk administrator will be able to add ScreenConnect events to an existing dashboard or build a new one for you.