Say hello to Splunk!!! Clumio’s audit logs on Splunk
Yes, you heard it right!!! We have just launched a new Splunk add-on, available in Splunkbase and certified by Splunk. This is a big deal: Splunk is the most popular SIEM tool, which means Clumio’s audit logs can now be searched, analyzed, and visualized in near real-time. The Splunk add-on brings the two fantastic worlds of Clumio and Splunk closer together. “Closer” sounds so good in a world where everyone is distancing due to the ongoing pandemic!!!
This add-on, called “Clumio Audit Logs Ingester”, brings Clumio’s audit logs into Splunk in near real-time. Audit logs are like security cameras: they are required to capture the events happening in your enterprise environment. Check out this amazing blog by my colleague Chandan Agarwal (PM at Clumio) on audit logs.
Figure 1: Clumio add-on in Splunkbase
Let us get familiar with configuring the add-on in your Splunk environment. This add-on has been tested on Splunk 7.2 and Splunk 8.0. It takes a minute to configure, since at Clumio simplification is one of our core mantras.
After the Splunk add-on is installed, configure the input as shown below.
Figure 2: Splunk input configuration
1. Interval: Set the interval at which the next batch of audit logs is fetched from Clumio. Currently this must be every 5 minutes (300 seconds) or more.
2. Index: Provide the index where you would like the audit logs to be populated in Splunk. It could be the main index or any of the custom indexes.
3. Clumio API URL: Provide the Clumio API URL, which can be retrieved from the Clumio instance’s REST API Reference (see Figure 3).
Figure 3: REST API Reference
4. API key: Generate an API token from the Settings section by navigating to API Tokens, as shown in Figure 4 below.
Figure 4: Generate API tokens
5. Audit Logs Start (Days): Provide the number of days to go back when fetching audit log data.
6. Limit Records per call: Provide the number of records to fetch per audit log call. The default is 10 records and the maximum is 100 records per fetch/call.
Once configured, the audit logs immediately start being ingested into the Splunk index, ready for searching, as shown below. The ingested audit logs are configured as JSON in Splunk, so Splunk readily parses all the interesting fields, making it easier to search on them.
Figure 5: Clumio’s audit logs in Splunk
Interesting Search queries on Clumio’s Audit Logs:
You can then start running searches and building cool charts, as shown below. Here are some examples of the searches you can do with Clumio’s audit logs:
- Failed logins time chart
To find the number of failed logins, issue the search command below. This search query finds the audit logs where “action” is “login” and “status” is “failure”. If you see a spike in login failures, then you know something is fishy.
index="main" action="login" status="failure" | timechart count BY status
Figure 6: Failed logins time chart
- Number of Restores based on the Entity type
To find the number of restores based on the entity type, issue the search command below. This search query finds the audit logs where “category” is “restore” and “primary_entity.type” is set to “*”, meaning all entity types.
index="main" category="restore" primary_entity.type="*" | stats count by primary_entity.type
Figure 7: Number of Restores based on the Entity type
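As an added example (not part of this post or of the add-on’s code), here is the logic of the two searches above replayed in Python over a handful of constructed audit events, so you can see which fields the searches depend on and how a spike in failed logins would be flagged. The field names come from the post; the exact event shape, timestamps and entity type values are assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit events (not real Clumio output): top-level "action", "status",
# "category" and a nested "primary_entity" object, which Splunk exposes as primary_entity.type.
SAMPLE_LOG_LINES = [
    '{"timestamp": "2020-09-01T10:00:12Z", "action": "login", "status": "success", "category": "authentication", "primary_entity": {"type": "user"}}',
    '{"timestamp": "2020-09-01T10:01:40Z", "action": "login", "status": "failure", "category": "authentication", "primary_entity": {"type": "user"}}',
    '{"timestamp": "2020-09-01T10:02:05Z", "action": "login", "status": "failure", "category": "authentication", "primary_entity": {"type": "user"}}',
    '{"timestamp": "2020-09-01T10:03:30Z", "action": "login", "status": "failure", "category": "authentication", "primary_entity": {"type": "user"}}',
    '{"timestamp": "2020-09-01T10:04:00Z", "action": "login"',  # constructed truncated line
    '{"timestamp": "2020-09-01T10:07:10Z", "action": "login", "status": "failure", "category": "authentication", "primary_entity": {"type": "user"}}',
    '{"timestamp": "2020-09-01T10:12:00Z", "action": "restore", "status": "success", "category": "restore", "primary_entity": {"type": "ebs_volume"}}',
    '{"timestamp": "2020-09-01T10:15:45Z", "action": "restore", "status": "success", "category": "restore", "primary_entity": {"type": "ebs_volume"}}',
    '{"timestamp": "2020-09-01T10:20:30Z", "action": "restore", "status": "success", "category": "restore", "primary_entity": {"type": "rds_database"}}',
]

def parse_events(lines):
    """Parse one JSON event per line; a truncated or non-JSON line is skipped, not fatal."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def failed_logins_timechart(events, span_minutes=5):
    """Equivalent of: action="login" status="failure" | timechart span=5m count"""
    buckets = Counter()
    for e in events:
        if e.get("action") == "login" and e.get("status") == "failure":
            ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            start = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0)
            buckets[start.strftime("%Y-%m-%dT%H:%M:%SZ")] += 1
    return dict(sorted(buckets.items()))

def restores_by_entity_type(events):
    """Equivalent of: category="restore" | stats count by primary_entity.type"""
    counts = Counter()
    for e in events:
        if e.get("category") == "restore":
            counts[e.get("primary_entity", {}).get("type", "unknown")] += 1
    return dict(counts)

def spike_buckets(timechart, threshold):
    """Time buckets whose failed-login count exceeds the threshold: the spike worth alerting on."""
    return [bucket for bucket, n in timechart.items() if n > threshold]
```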
These are just a few examples of slicing and dicing Clumio’s audit logs in Splunk. We are coming up with a new Splunk App with lots of exciting dashboard charts that will be readily available once the app is installed. Check out the Splunk add-on in Splunkbase: https://splunkbase.splunk.com/app/5239/.
Stay safe. Keep healthy !!!