Co

[Marisol Hernández]

Connecting Elasticsearch to Splunk

Does anyone know how to connect Elasticsearch + Kibana with Spluk?

I would like my Wazuh agents to send logs to splunk.

[Leonardo Quiceno]

Hi Marisol,

To connect Elasticsearch + Kibana with Splunk, you can use the Splunk HTTP Event Collector (HEC) to receive logs from your Wazuh agents. Here are the steps to follow:

1. Set up the Splunk HEC by enabling it in your Splunk instance and configuring the necessary inputs.

• https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/
  

2. Configure your Wazuh agents to send logs to Elasticsearch.

• https://documentation.wazuh.com/current/user-manual/elasticsearch/index.html
  

3. Install and configure a log forwarder, such as Filebeat, on the Elasticsearch nodes to forward logs to Splunk via the HEC.

• https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html?highlight=filebeat#installing-filebeat
  

4. Configure Filebeat to read logs from Elasticsearch and send them to Splunk using the HEC endpoint.

• https://www.elastic.co/guide/en/beats/filebeat/current/http-endpoint.html
  

By following these steps, you will be able to forward logs from your Wazuh agents in Elasticsearch to Splunk for further analysis and monitoring.

I hope it will be useful for you.