SIEM Logging

Splashtop history and session event logs can now be exported for further analysis with the SIEM (Security Information and Event Management) software of your choice.

Requirement: Custom Enterprise Technician license

Supported features

Supported data flow:

Push mode is supported at the moment: all changes to the team History and every type of Session Log are pushed from Splashtop's platform to your SIEM software for further inspection.

Logs to be exported:

  • Team History logs:
    • All the operations ( > Logs > History)
  • Session Logs:
    • Attended and Unattended sessions
    • File transfer
    • Diagnostic sessions
    • Off-session file transfer, chat, and remote command sessions
    • PSA integrations
    • Share My Desktop sessions

Supported SIEM tools:

  • Splunk 
  • Sumo Logic
  • Others

Supported Log formats:

  • Splashtop Common Schema
  • Elastic Common Schema
  • Splunk format

Notes:

  1. Pull mode is not yet supported; it is planned for a later update.
  2. Logs related to endpoint management features (alert profiles, system inventory, etc.) cannot yet be exported to SIEM tools.
  3. For SIEM tools other than Splunk or Sumo Logic, select Integration: Others and fill in the fields according to your SIEM solution ( > Management > SIEM Logging > Create).

Sumo Logic configuration

With the SIEM Logging feature from Splashtop, you can export logs to your own management system. Follow the instructions below to configure a collector in the Sumo Logic console.

1. Log in to the Sumo Logic console and click Manage Data.

2. In the drop-down list, click the Collection tab.


3. Click "Add Collector" at the top right of the console.


4. Select Hosted Collector.


5. Fill in the details of your Hosted Collector.


6. Confirm the creation.


7. After the creation is confirmed, select "HTTP Logs & Metrics". 


8. Fill in the details of your HTTP Logs & Metrics source, and save the source.


9. Copy the HTTP source address for later use.


10. Log in to the Splashtop web portal, go to the Management tab, then click SIEM Logging.


11. Click the Create button, then click "Push mode".


12. Select Sumo Logic as the integration type.

13. In the URL field, enter the HTTP source address you copied from the Sumo Logic console.

14. Finally, click "Create". The configuration is complete.


After the setup is finished, you can find the log info on your Sumo Logic dashboard.

1. On the home page, click "Log Search".


2. Enter the log query, then click the search icon.


3. The matching log entries appear in the results.


Splunk configuration

On Splunk Cloud Platform, go to Settings > Add Data.


Choose "Monitor" > "HTTP Event Collector".



Fill in the details and choose the settings you want for the token:



After the token is created, copy the token value and go to Management > SIEM Logging to finish the setup:



When creating the push mode app, choose "Splunk" in the integration dropdown:


Fill in the HEC URL and the token value to create the app:


*For the HEC URL:
To send data to HTTP Event Collector on Splunk Cloud Platform, you must send data using a specific URI for HEC.

  • The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
  • The standard form for the HEC URI in Splunk Cloud Platform is as follows:
  • The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:

Please note:

  • <protocol> is either http or https
  • You must add http-inputs- before the <host>
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • <port> is the HEC port number
    • 8088 on Splunk Cloud Platform free trials

    • 443 by default on Splunk Cloud Platform instances

  • <endpoint> is the HEC endpoint you want to use.
    In many cases, you can use the /services/collector endpoint for JavaScript Object Notation (JSON)-formatted events or the /services/collector/raw endpoint for raw events.
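The placeholder rules above are easy to get wrong when pasting a URL into the push-mode app (a forgotten http-inputs- prefix is the usual mistake). The following Python is an added example, not Splashtop's or Splunk's own code: it assembles a HEC URI from its parts and checks a pasted URI against the rules listed above. The host name used in it is a constructed sample, not a real Splunk Cloud instance.

```python
"""Build and sanity-check a Splunk Cloud HEC URI from its parts.

Added example (not Splashtop's or Splunk's code). It encodes the placeholder
rules from the article: <protocol> is http or https, the host carries the
http-inputs- prefix, <port> is 8088 (free trial) or 443 (instance), and
<endpoint> is /services/collector or /services/collector/raw.
"""
from urllib.parse import urlsplit

HEC_PREFIX = "http-inputs-"
ALLOWED_PROTOCOLS = ("http", "https")
KNOWN_PORTS = {8088: "Splunk Cloud Platform free trial",
               443: "Splunk Cloud Platform instance"}
ALLOWED_ENDPOINTS = ("/services/collector", "/services/collector/raw")


def build_hec_uri(host, port=443, protocol="https", endpoint="/services/collector"):
    """Assemble <protocol>://http-inputs-<host>:<port><endpoint>.

    Raises ValueError when a part violates one of the documented rules.
    """
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be http or https, got {protocol!r}")
    if host.startswith(HEC_PREFIX):
        # Do not double the prefix if the caller pasted an already-prefixed host.
        host = host[len(HEC_PREFIX):]
    if not host or "/" in host or ":" in host:
        raise ValueError(f"host must be a bare hostname, got {host!r}")
    if port not in KNOWN_PORTS:
        raise ValueError(f"port must be 8088 (free trial) or 443 (instance), got {port}")
    if not endpoint.startswith("/"):
        endpoint = "/" + endpoint  # tolerate 'services/collector/raw'
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError(f"endpoint must be one of {ALLOWED_ENDPOINTS}, got {endpoint!r}")
    return f"{protocol}://{HEC_PREFIX}{host}:{port}{endpoint}"


def check_hec_uri(uri):
    """Return a list of problems with a pasted HEC URI (empty list = looks right)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_PROTOCOLS:
        problems.append(f"scheme {parts.scheme!r} is not http or https")
    if not (parts.hostname or "").startswith(HEC_PREFIX):
        problems.append("host is missing the http-inputs- prefix")
    try:
        port = parts.port  # None when absent, ValueError when not numeric
    except ValueError:
        port = None
    if port is None:
        problems.append("port is missing or invalid (expect 443, or 8088 on a free trial)")
    elif port not in KNOWN_PORTS:
        problems.append(f"port {port} is not 443 or 8088")
    if parts.path not in ALLOWED_ENDPOINTS:
        problems.append(f"path {parts.path!r} is not a collector endpoint")
    return problems


if __name__ == "__main__":
    # Constructed sample host, not a real Splunk Cloud instance.
    print(build_hec_uri("prd-p-example.splunkcloud.com"))
    for problem in check_hec_uri("https://prd-p-example.splunkcloud.com/services/collector"):
        print("problem:", problem)
```

Run `check_hec_uri` on the exact string you intend to paste into the SIEM app; an empty result means the URL follows the documented form, which rules out the URL as the cause if the test traffic from the push-mode app still fails.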


After the setup is finished, you can find the logs in Splunk by searching for Source "Splashtop".



What if I am hosting a server or use other tools to collect logs? How can I set this up?

Our SIEM app also supports pushing logs to your own server or to other tools (LogScale, for example, is confirmed to work by one of our users). Set up an app on the web portal ( / ) and fill in the fields as follows:

  • Name: your SIEM app name
  • Integration: select Others
  • URL: your server's URL or the HEC (HTTP Event Collector) URL
  • Authentication Token: optional; needed only if your service checks the token in the request header.
  • Log format: select the format you would like to receive the logs in. (If one does not work, try another.)

(Optional) Which IPs do I need to whitelist on my firewall to allow pushed logs?

Usually you only need to configure this when you host your own log server to receive the logs. For cloud-hosted Splunk/Sumo Logic or other third-party SIEM services, the vendor handles the traffic.

Global stack

  • Web portal (this is for SIEM push mode app to send test traffic)
  • Logs server

EU stack

  • Web portal (this is for SIEM push mode app to send test traffic)
  • Logs server
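For the self-hosted case described above (Integration: Others, with the optional authentication token and the firewall whitelist), the following Python is an added example of a minimal receiver; it is not Splashtop's own code. It assumes, since the article does not state it, that the token is sent in the Authorization header as "Bearer <token>" and that events arrive as a JSON object or array; the token and the source IP range in it are constructed placeholders, to be replaced with the token entered in the SIEM app and the Splashtop log-server addresses for your stack.

```python
"""Minimal receiver for Splashtop push-mode logs (Integration: Others).

Added example, not Splashtop's code. Assumptions not stated in the article:
the token arrives as "Authorization: Bearer <token>", and the body is a JSON
object or a JSON array of objects. Both values below are placeholders.
"""
import hmac
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholders: the token you entered in the SIEM app (leave empty to skip the
# header check) and the Splashtop log-server addresses for your stack.
SHARED_TOKEN = "replace-with-your-token"
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]  # RFC 5737 test range


def token_matches(header_value, expected):
    """Constant-time comparison of 'Bearer <token>' against the configured token."""
    if not header_value or not header_value.startswith("Bearer "):
        return False
    presented = header_value[len("Bearer "):].strip()
    return hmac.compare_digest(presented.encode(), expected.encode())


def source_allowed(client_ip, allowed=ALLOWED_SOURCES):
    """Application-level mirror of the firewall whitelist."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def process_push(client_ip, auth_header, body, allowed=ALLOWED_SOURCES, token=SHARED_TOKEN):
    """Validate one pushed request. Returns (http_status, list_of_events)."""
    if not source_allowed(client_ip, allowed):
        return 403, []
    # The token is optional in the SIEM app; if none is configured, only the
    # source allowlist protects the endpoint.
    if token and not token_matches(auth_header, token):
        return 401, []
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return 400, []
    events = payload if isinstance(payload, list) else [payload]
    if not all(isinstance(e, dict) for e in events):
        return 400, []
    return 200, events


class PushHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        status, events = process_push(self.client_address[0],
                                      self.headers.get("Authorization"), body)
        if status == 200:
            # One JSON event per line, ready for later ingestion by another tool.
            with open("splashtop-events.jsonl", "a", encoding="utf-8") as out:
                for event in events:
                    out.write(json.dumps(event) + "\n")
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Terminate TLS in a reverse proxy in front of this listener in real use.
    HTTPServer(("0.0.0.0", 8080), PushHandler).serve_forever()
```

The order of the checks matters: the source check runs before the token comparison, so traffic from outside the whitelisted ranges is rejected without touching the token at all, and a wrong or missing token from an allowed address returns 401 rather than being silently dropped, which makes a misconfigured token visible in the receiver's access log.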
