Device42 can be integrated with external logging or SIEM systems, such as Splunk or Logstash, by using webhooks. A webhook is an HTTP callback: the server (here, Device42) pushes details of an event to a receiving application as the event happens, rather than waiting to be polled, which is why webhooks are sometimes called "Reverse APIs". Device42 can send its audit log events as webhooks to these other platforms for external analysis.
This article walks through setting up this integration using a lab instance of Splunk Enterprise (v6.6.3) at http://10.42.2.239:8000, which does not require any login credentials. Earlier documentation on this topic is available on the External Logging Config page of the Device42 Documentation.
Configuring an HTTP Event Collector (HEC) in Splunk
To receive the webhooks Device42 produces, an HTTP Event Collector needs to be configured within Splunk. The steps below walk through this process:
- Navigate to Settings > Data > Data Inputs > HTTP Event Collector.
- Click Global Settings in the upper-right corner and select “Enabled” for All Tokens, decide whether SSL needs to be enabled, and define the HEC’s listening port number (8088 is used in this demonstration), then Save. Note that the HEC token is a bearer credential sent in every request, so outside a lab, SSL should be enabled so that the token and the audit data are not sent in cleartext.
- Create a new HEC token by clicking New Token in the upper-right corner. Give it a Name and optional Description or Source Name Override (D42_Webhooks is the example created here). Clicking Next displays the Input Settings to define optional input parameters for source type and index; change Source type to the “Select” option, enter “json” in the filter, and select “_json”.
- Review and Submit to create the HEC. This displays the token value; take note of it, although it can also be retrieved later from the HTTP Event Collector list if needed.
Configuring a Webhook Endpoint in Device42
In Device42, a webhook endpoint needs to be defined that can receive the audit log events Device42 delivers; the newly configured HEC in Splunk will do this. This section details the endpoint creation process, and a screenshot of successful settings is included at the bottom.
- Navigate to Tools > Webhooks > Endpoints > Add Webhook Endpoint.
- Name the endpoint and define the endpoint URL in the form https://ENDPOINT-URL:HEC-PORT/services/collector/raw. The endpoint used in this example is https://10.42.2.239:8088/services/collector/raw. Depending on the HEC’s SSL setting, the scheme must be http or https. The services/collector/raw REST API endpoint is where Device42 sends the raw JSON data to the HEC.
- Leave the Endpoint value as the default “Custom”, define credentials if required (not used in this demonstration), set a Retry interval, and enable Ignore SSL Certificate Errors only if necessary. That option disables certificate validation for the connection, so for anything beyond a lab, the HEC should present a certificate Device42 trusts instead.
- Two Webhook Headers also need to be defined. The first has a Header Name of “Authorization”, with a Header Token of “Splunk <HEC Token>”, where <HEC Token> is replaced by the HEC token value created earlier in Splunk.
- The second has a Header Name of “X-Splunk-Request-Channel” with a Header Token of a randomly generated UUID. This can be created with a Linux utility such as uuidgen. The X-Splunk-Request-Channel header is required because the request is sent to the raw endpoint, and the HEC rejects raw data that arrives without a channel identifier.
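Before wiring up Device42, it is worth confirming that the HEC configured above actually accepts a request built the way the Device42 endpoint sends it. The following script is an added example, not part of the Device42 article or product: it POSTs one constructed JSON event to /services/collector/raw with the same two headers (Authorization: Splunk <token> and X-Splunk-Request-Channel: <uuid>) and interprets Splunk's JSON reply. The host, port and token values are placeholders to be replaced with the real HEC settings.

```python
"""Smoke-test a Splunk HTTP Event Collector the way Device42 will call it.

Added example (not Device42's or Splunk's code). Host, port and token
below are placeholders; the event payload is a constructed stand-in for a
Device42 audit event, not the real webhook schema.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
import uuid

# Placeholders (assumptions): replace with the real HEC host, port and token.
HEC_HOST = "10.42.2.239"
HEC_PORT = 8088
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


def hec_raw_url(host, port, use_tls=True):
    """Raw collector endpoint; the scheme must match the HEC 'Enable SSL' setting."""
    scheme = "https" if use_tls else "http"
    return f"{scheme}://{host}:{port}/services/collector/raw"


def hec_headers(token, channel=None):
    """Headers the Device42 endpoint is configured with.

    The channel is mandatory for /services/collector/raw; any well-formed
    UUID works, so a fresh one is generated when none is supplied.
    """
    if channel is None:
        channel = str(uuid.uuid4())
    uuid.UUID(channel)  # raises ValueError for a malformed channel id
    return {
        "Authorization": f"Splunk {token}",
        "X-Splunk-Request-Channel": channel,
        "Content-Type": "application/json",
    }


def parse_hec_response(status, body):
    """Map the HEC reply to (ok, message).

    HEC answers with {"text": ..., "code": N}; code 0 with HTTP 200 means the
    event was accepted. Non-zero codes explain failures, e.g. a missing
    channel header (HTTP 400) or a bad token (HTTP 401/403).
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return False, f"HTTP {status}: non-JSON body {body!r}"
    ok = status == 200 and payload.get("code") == 0
    return ok, f"HTTP {status}: {payload.get('text', '?')} (code {payload.get('code')})"


def send_test_event(url, headers, event, verify_tls=True, timeout=5):
    """POST one event to the HEC and return (ok, message).

    verify_tls=False mirrors Device42's 'Ignore SSL Certificate Errors' and
    should only be used against a lab HEC with a self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url, data=json.dumps(event).encode(), headers=headers, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        # HEC returns its JSON error body on 4xx/5xx as well.
        return parse_hec_response(e.code, e.read().decode())
    except (urllib.error.URLError, OSError) as e:
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    # Constructed payload standing in for a Device42 'insert' audit event.
    event = {"source": "hec-smoke-test", "object": "Splunk Logging Device", "action": "I"}
    ok, msg = send_test_event(
        hec_raw_url(HEC_HOST, HEC_PORT), hec_headers(HEC_TOKEN), event, verify_tls=False
    )
    print(msg)
    sys.exit(0 if ok else 1)
```

A reply of `HTTP 200: Success (code 0)` means the token, port, scheme and channel header are all correct, and the event can then be found in Splunk under the token's default source. A 400 with "Data channel is missing" points at the X-Splunk-Request-Channel header, and a 401 or 403 points at the Authorization header or a disabled token; a connection failure usually means the wrong port or a scheme mismatch with the HEC's SSL setting.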
Validate Splunk is collecting Device42 Webhooks
This section describes creating a Webhook Action in Device42 to define the data sent to Splunk, and then uses Splunk’s search functionality to verify that the raw JSON webhook data is being collected.
Create a Webhook Action in Device42
- Navigate to Tools > Webhooks > Actions > Add Webhook Action.
- Give the Webhook Action a Name, select the categories to create Webhooks for, then define whether add/delete/change/view/login events are delivered. Alternatively, “Process All Categories” can be selected to deliver all webhook types.
- Select the Webhook Action Endpoint, which should be the endpoint(s) created in the section above. The example here processes Add, Delete, and Change events for the Device object in Device42. As a test, a device named “Splunk Logging Device” was created, changed, and deleted.
Search for Webhook events in Splunk
- After webhooks have been processed and sent to Splunk, they can be searched for through Settings > Knowledge > Searches, Reports, and Alerts > New Report.
- Title the Report, enter the search, and configure any optional settings as needed. The example here uses source=”http:d42_webhooks” as the search so that only events received by the HEC configured earlier are returned.
- Save the report and then Run it from the resulting Searches, Reports, and Alerts list view. The three events returned show that the “Splunk Logging Device” was inserted (created), updated (changed), and deleted, indicated by the I, U, and D actions respectively.