Integrating with Splunk

If you use Splunk or another log management tool, it is possible to export the alert logs from our WAF API.

Enterprise customers can also export those logs directly via syslog (UDP). Please contact your account manager if you wish to enable this option.

Exporting via syslog (Enterprise only)

  • Configuring Splunk

To get started, you need to go to your Splunk dashboard and set up a new data input (under Settings -> Data Input). In there, choose a UDP input and create a new listener on any port you wish. This document from Splunk explains how to do so:

http://docs.splunk.com/Documentation/Splunk/6.0.5/Data/Monitornetworkports

  • Receiving Sucuri Events

Once you have your Splunk dashboard configured, you need to contact our support team or account manager and provide them with the following information:

- IP address of your Splunk server
- UDP port chosen
- Sites whose alerts you wish to have forwarded

We will configure the forwarder on our end within 24 hours and start sending the alerts to your server. We will also provide our IP address so that you can allow it; every other source address should be blocked on that specific listener.

  • Alert format

The alerts will be sent using the Syslog format, following the OSSEC alert structure:

Mar  4 13:49:29 SOURCEIP Mar  4 13:52:22 hostname ossec: Alert Level: 5; Rule: 100222 - Web server 400 error code (via POST).; Location: edgeserver->/var/log/nginx/domain.access.log; srcip: 1.2.3.4 / Country;  1.1.1.1 - - [04/Mar/2016:13:49:26 -0500] "POST / HTTP/1.1" 404 357 "http://domain" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"

This format can be easily parsed on Splunk’s end.
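To make the field layout concrete, here is a receiver-side parser for the alert line shown above, written in Python as an added example (it is not Sucuri's or Splunk's own code). The field names (host, level, rule_id, request and so on) are assumptions chosen for illustration, and the second input is a constructed variant of the sample.

```python
import re

# Header fields written by the sender, laid out as in the sample alert above.
HEADER_RE = re.compile(
    r"(?P<host>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<agent>[^;]*?)->(?P<logfile>[^;]+); "
    r"srcip: (?P<srcip>[^\s;]+)(?: / (?P<country>[^;]*))?;\s*(?P<raw>.*)$"
)
# Trailing access-log entry (combined log format, as in the sample).
ACCESS_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = HEADER_RE.search(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    alert["level"] = int(alert["level"])
    alert["rule_id"] = int(alert["rule_id"])
    # Request fields come from the visitor; keep them under their own key
    # so text inside them can never overwrite a header field such as srcip.
    req = ACCESS_RE.match(alert["raw"])
    alert["request"] = req.groupdict() if req else None
    return alert

# Sample alert copied from this page.
SAMPLE = (
    'Mar  4 13:49:29 SOURCEIP Mar  4 13:52:22 hostname ossec: Alert Level: 5; '
    'Rule: 100222 - Web server 400 error code (via POST).; '
    'Location: edgeserver->/var/log/nginx/domain.access.log; '
    'srcip: 1.2.3.4 / Country;  1.1.1.1 - - [04/Mar/2016:13:49:26 -0500] '
    '"POST / HTTP/1.1" 404 357 "http://domain" "Mozilla/5.0 (Windows NT 6.1; '
    'WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 '
    'Safari/537.36"'
)
# Constructed variant: the User-Agent imitates the header fields.
SPOOFED = SAMPLE.replace(
    '"Mozilla/5.0',
    '"ossec: Alert Level: 15; Rule: 1 - x; Location: a->b; srcip: 9.9.9.9; Mozilla/5.0',
)

if __name__ == "__main__":
    print(parse_alert(SAMPLE)["srcip"], parse_alert(SPOOFED)["srcip"])
```

Because the header is matched from the left before the request text, the constructed variant still yields the sender's srcip and level; the imitation stays inside `request["user_agent"]`.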