Configuring Splunk to Store Device42's Audit Logs
Ensure you’ve completed the instructions under “Enabling External Logging” for Device42. Once complete, navigate to your Splunk Console and head to “Settings” → “Monitoring Console”.
Then navigate to “Search” → “KV Store: Instances”.
The Splunk “Instance” name can be found toward the top of the screen. This information is needed to configure Device42 to send audit data. Record the “Instance Name” for use in Step 2 of the Device42 configuration (above), where you enter it in the field labeled “URL”. This screen also allows you to view and manage the KV (Key-Value) stores created by Device42 (and any others in the system).
That’s it! Your Splunk instance should be receiving logs from Device42.
Please note: It will take a little while for all of your historical Device42 log information to become visible within the Splunk interface, but all old and new logs will remain visible within the Device42 interface throughout the initial log transfer.