Splashtop history and session event logs can now be exported for further analysis with the SIEM (Security Information and Event Management) software of your preference.
Supported data flow:
Push Mode is supported at the moment. All the changes in team History and different types of Session Logs will be pushed from Splashtop's platform to your SIEM software for further inspection.
Logs to be exported:
- Team History logs:
  - All the operations (my.splashtop.com/my.splashtop.eu > Logs > History)
- Session Logs:
  - Attended and Unattended sessions
  - File transfer
  - Diagnostic sessions
  - Off-session file transfer, chat, and remote command sessions
  - PSA integrations
  - Share My Desktop sessions
Supported SIEM tools:
- Sumo Logic
Supported Log formats:
- Splashtop Common Schema
- Elastic Common Schema
- Splunk format
- Pull mode is not yet supported. It is planned to be available with a later update.
- Logs related to endpoint management features (Alert profiles, System inventory, etc.) are not yet available to be exported to SIEM tools.
- For SIEM tools other than Splunk or Sumo Logic, select Integration: Others and fill in the fields according to your SIEM solution (my.splashtop.com/my.splashtop.eu > Management > SIEM Logging > Create).
With the SIEM Logging feature from Splashtop, users can now export logs to their own management system. Please follow the instructions below to configure a collector from the Sumo Logic console.
2. Under the drop-down list, click the Collection tab.
3. Then click "Add collector" on the top right of the console.
4. Select Hosted Collector.
5. Complete the information of your Hosted Collector.
6. Confirm the creation.
7. After the creation is confirmed, select "HTTP Logs & Metrics".
8. Complete the information of your HTTP Logs & Metrics, and save the source.
9. Copy the HTTP source address for later use.
10. Log into my.splashtop.com, go to the Management tab, then click SIEM Logging.
11. Navigate to the Create button, and click "Push mode".
12. Select Sumo Logic as the integration type.
13. In the URL field, enter the HTTP source address that you copied from the Sumo Logic console.
14. Finally, click "Create". You're all set with the configuration.
After the setup is finished, you can find the log info on your Sumo Logic dashboard.
1. On the home page, click "Log Search".
2. Input the log info, then click on the search icon.
3. The result of the log info will pop up!
On Splunk Cloud Platform, go to Settings > Add Data.
Choose "Monitor" > "HTTP Event Collector".
Fill in the info and choose the setup you'd like for the token:
After the token is created, copy the token value and go to my.splashtop.com/my.splashtop.eu (Management > SIEM Logging) to finish the setup:
When creating the push mode app, choose "Splunk" in the integration dropdown:
And fill in HEC URL info and the token value to create the app:
*For HEC URL:
To send data to HTTP Event Collector on Splunk Cloud Platform, you must send data using a specific URI for HEC.
- The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
- The standard form for the HEC URI in Splunk Cloud Platform is as follows:
- The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
- <protocol> is either
- You must add http-inputs- before the <host>
- <host> is the Splunk Cloud Platform instance that runs HEC
- <port> is the HEC port number:
  - 8088 on Splunk Cloud Platform free trials
  - 443 by default on Splunk Cloud Platform instances
- <endpoint> is the HEC endpoint you want to use. In many cases, you can use the services/collector/raw endpoint for raw events.
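The following added example (not Splashtop's or Splunk's code) assembles a HEC URI from the components listed above and runs the checks worth doing before pasting the URL into the SIEM Logging form. It covers only the standard Splunk Cloud Platform form, which it assumes to be <protocol>://http-inputs-<host>:<port>/<endpoint>; the host name is a constructed placeholder.

```python
"""Build and sanity-check a Splunk HEC URI for the Splashtop push-mode app.

Added example, not vendor code. Assumes the standard Splunk Cloud Platform
form <protocol>://http-inputs-<host>:<port>/<endpoint>; the free-trial and
Google Cloud variants are not handled here.
"""
from urllib.parse import urlparse

RAW_ENDPOINT = "services/collector/raw"   # endpoint named in the text above
HEC_PORTS = (443, 8088)                    # 443 default, 8088 on free trials


def build_hec_uri(host, port=443, endpoint=RAW_ENDPOINT, protocol="https"):
    """Assemble the HEC URI from its components.

    host     -- the Splunk Cloud Platform instance that runs HEC
    port     -- HEC port; 443 by default on Splunk Cloud Platform instances
    endpoint -- HEC endpoint path, with or without a leading slash
    """
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    host = host.strip().lower()
    # Splunk Cloud requires the http-inputs- prefix in front of the host name.
    if not host.startswith("http-inputs-"):
        host = "http-inputs-" + host
    return f"{protocol}://{host}:{port}/{endpoint.lstrip('/')}"


def check_hec_uri(uri):
    """Return a list of problems; an empty list means the URI looks sound.

    The HEC token is sent with every push, so plain http is flagged even
    though Splunk's own rule allows either protocol.
    """
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("token would travel in clear text: use https")
    if not parsed.hostname or not parsed.hostname.startswith("http-inputs-"):
        problems.append("host is missing the http-inputs- prefix")
    if parsed.port not in HEC_PORTS:
        problems.append(f"unexpected HEC port {parsed.port}")
    if not parsed.path.startswith("/services/collector"):
        problems.append("path is not a HEC collector endpoint")
    return problems


if __name__ == "__main__":
    # "example.splunkcloud.com" is a constructed placeholder host.
    uri = build_hec_uri("example.splunkcloud.com")
    print(uri, check_hec_uri(uri) or "OK")
```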
After the setup is finished, you can find the log info on Splunk by searching "Source 'Splashtop'".