SIEM Logging

Splashtop history and session event logs can now be exported for further analysis with the SIEM (Security Information and Event Management) software of your choice.

Requirement: Enterprise License

Supported features

Supported data flow:

Push Mode is supported at the moment. All the changes in team History and different types of Session Logs will be pushed from Splashtop's platform to your SIEM software for further inspection.

Logs to be exported:

  • Team History logs:
    • All the operations (my.splashtop.com/my.splashtop.eu > Logs > History)
  • Session Logs:
    • Attended and Unattended sessions
    • File transfer
    • Diagnostic sessions
    • Off-session file transfer, chat, and remote command sessions
    • PSA integrations
    • Share My Desktop sessions

Supported SIEM tools:

  • Splunk 
  • Sumo Logic
  • Others

Supported Log formats:

  • Splashtop Common Schema
  • Elastic Common Schema
  • Splunk format

Notes:

  1. Pull mode is not yet supported. At this time, you can use the Splashtop Open APIs to retrieve logs.
  2. Logs related to endpoint management features (Alert profiles, System inventory, etc.) cannot yet be exported to SIEM tools.
  3. For SIEM tools other than Splunk or Sumo Logic, select Integration: Others and fill in the fields according to your SIEM solution (my.splashtop.com/my.splashtop.eu > Management > SIEM Logging > Create).

Sumo Logic configuration

With the SIEM Logging feature from Splashtop, users can now export logs to their own management system. Follow the instructions below to configure a collector from the Sumo Logic console.

1. Log in to the Sumo Logic console and click Manage Data.

2. Under the drop-down list, click the Collection tab.

3. Then click "Add collector" on the top right of the console.

4. Select Hosted Collector.

5. Complete the information of your Hosted Collector.

6. Confirm the creation.

7. After the creation is confirmed, select "HTTP Logs & Metrics". 

8. Complete the information of your HTTP Logs & Metrics, and save the source.

9. Copy the HTTP source address for later use.

10. Log in to my.splashtop.com, go to the Management tab, then click SIEM Logging.

11. Click the Create button, then choose "Push mode".

12. Select Sumo Logic as the integration type.

13. In the URL field, enter the HTTP source address you copied from the Sumo Logic console.

14. Finally, click "Create". And you're all set with the configuration. 

After the setup is finished, you can find the log info on your Sumo Logic dashboard.

1. On the home page, click "Log Search".

2. Input the log info, then click on the search icon.

3. The result of the log info will pop up! 

Splunk configuration

On Splunk Cloud Platform, go to Settings > Add Data.

Choose "Monitor" > "HTTP Event Collector".

Fill in the info and choose the setup you'd like for the token:

After the token is created, copy the token value and go to my.splashtop.com/my.splashtop.eu (Management > SIEM Logging) to finish the setup:

When creating the push mode app, choose "Splunk" in the integration dropdown:

Then fill in the HEC URL and the token value to create the app:

*For HEC URL:
To send data to HTTP Event Collector on Splunk Cloud Platform, you must send data using a specific URI for HEC.

  • The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
    <protocol>://inputs.<host>:<port>/<endpoint>
  • The standard form for the HEC URI in Splunk Cloud Platform is as follows:
    <protocol>://http-inputs-<host>:<port>/<endpoint>
  • The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
    <protocol>://http-inputs.<host>:<port>/<endpoint>

Please note:

  • <protocol> is either http or https
  • You must add http-inputs- before the <host>
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • <port> is the HEC port number
    • 8088 on Splunk Cloud Platform free trials
    • 443 by default on Splunk Cloud Platform instances
  • <endpoint> is the HEC endpoint you want to use.
    In many cases, you can use the /services/collector endpoint for JavaScript Object Notation (JSON)-formatted events or the /services/collector/raw endpoint for raw events.

After the setup is finished, you can find the log info on Splunk by searching for the source "Splashtop".

What if I am hosting a server or use other tools to collect logs? How can I set this up?

Our SIEM app also supports pushing logs to your own server or to other tools (LogScale, for example, is confirmed to work by one of our users). Set up an app on the web portal (my.splashtop.com / my.splashtop.eu) and fill in the fields as follows:

  • Name: your SIEM app name
  • Integration: select Others
  • URL: your server's URL or HEC's URL (HTTP Event Collector)
  • Authentication Token: optional, depends on whether your service will check the token in the header of the data or not.
  • Log format: select the format you would like to receive the logs in. (If one is not working, you can give the others a try.)

(Optional) What are the IPs I need to whitelist on my firewall to allow pushed logs?

Usually you only need to configure this when you host the log server that receives the logs yourself. For cloud-hosted Splunk, Sumo Logic or other third-party SIEM services, the vendor handles the inbound traffic.

Global stack

  • Web portal (this is for SIEM push mode app to send test traffic)
    • 54.153.1.100
    • 50.18.114.99
    • 35.164.11.141
    • 35.165.21.129
    • 52.37.98.151
  • Logs server
    • 13.52.208.170
    • 54.241.143.104
    • 44.238.4.189/32
    • 54.185.81.191/32

EU stack

  • Web portal (this is for SIEM push mode app to send test traffic)
    • 3.66.52.43
    • 18.157.228.221
    • 18.158.148.33/32
  • Logs server
    • 3.74.33.104
    • 18.193.181.104
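For the self-hosted case above (Integration: Others), here is an added example receiver, not Splashtop's own code, that accepts pushes only from the log-server addresses listed on this page, checks the Authentication Token in a header and stores the events. The header name (Authorization with a Bearer value), JSON request bodies, the listening port 8088 and the sample batch are assumptions constructed for the example.

```python
"""Minimal self-hosted receiver for Splashtop SIEM push mode with Integration: Others. Assumed, not
stated on the page: token sent as 'Authorization: Bearer <token>', JSON bodies. Sample is constructed."""
import hmac
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Splashtop log-server addresses from the Global and EU stack lists on this page.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in (
    "13.52.208.170", "54.241.143.104", "44.238.4.189/32", "54.185.81.191/32",
    "3.74.33.104", "18.193.181.104")]

def is_allowed_source(remote_ip):  # reject pushes that do not originate from a Splashtop log server
    return any(ipaddress.ip_address(remote_ip) in net for net in ALLOWED_SOURCES)

def token_matches(header_value, expected_token):
    """Constant-time comparison of the bearer token; a missing header fails closed."""
    if not header_value or not header_value.startswith("Bearer "):
        return False
    return hmac.compare_digest(header_value[len("Bearer "):], expected_token)

def handle_push(remote_ip, headers, body, expected_token):
    """Validate one pushed batch; returns (HTTP status, list of parsed events)."""
    if not is_allowed_source(remote_ip):
        return 403, []
    if not token_matches(headers.get("Authorization"), expected_token):
        return 401, []
    try:
        data = json.loads(body)
    except ValueError:
        return 400, []
    return 200, data if isinstance(data, list) else [data]

# Constructed sample batch, not real Splashtop output.
SAMPLE_PUSH = b'[{"event": "session_start", "user": "alice@example.com"}, {"event": "file_transfer"}]'
def demo(token="s3cret"):
    """Run the constructed sample through the validation path with the expected token 's3cret'."""
    return handle_push("3.74.33.104", {"Authorization": "Bearer " + token}, SAMPLE_PUSH, "s3cret")

class PushHandler(BaseHTTPRequestHandler):
    expected_token = "CHANGE-ME"  # the value entered in the SIEM app's Authentication Token field

    def do_POST(self):  # behind a reverse proxy, client_address is the proxy, not Splashtop
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, events = handle_push(self.client_address[0], self.headers, body, self.expected_token)
        with open("splashtop_events.ndjson", "a") as fh:  # append as newline-delimited JSON
            fh.writelines(json.dumps(ev) + "\n" for ev in events)
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":  # assumed port; terminate TLS in front of this before exposing it
    HTTPServer(("0.0.0.0", 8088), PushHandler).serve_forever()
```

Use the Splashtop app's "test traffic" (sent from the web-portal addresses listed above) to confirm the receiver answers 200 before relying on it.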

 
