SIEM Logging

Splashtop history and session event logs can now be exported for further analysis in the SIEM (Security Information and Event Management) software of your choice.

Supported features

Supported data flow:

Push mode is supported at the moment: every change in the team History and each of the supported session log types is pushed from Splashtop's platform to your SIEM software for further inspection.

Logs to be exported:

  • Team History logs:
    • All the operations (my.splashtop.com/my.splashtop.eu > Logs > History)
  • Session Logs:
    • Attended and Unattended sessions
    • File transfer
    • Diagnostic sessions
    • Off-session file transfer, chat, and remote command sessions
    • PSA integrations
    • Share My Desktop sessions

Supported SIEM tools:

  • Splunk 
  • Sumo Logic
  • Others

Supported Log formats:

  • Splashtop Common Schema
  • Elastic Common Schema
  • Splunk format

Notes:

  1. Pull mode is not yet supported. It is planned for a later update.
  2. Logs from endpoint management features (alert profiles, system inventory, etc.) cannot yet be exported to SIEM tools.
  3. For SIEM tools other than Splunk or Sumo Logic, select Integration: Others and fill in the fields according to your SIEM solution (my.splashtop.com/my.splashtop.eu > Management > SIEM Logging > Create).
Sumo Logic configuration

With the SIEM Logging feature, Splashtop can push its logs to a log management system you control. The steps below create a hosted collector with an HTTP source in the Sumo Logic console and then point a Splashtop push-mode app at it.

1. Log in to the Sumo Logic console and click Manage Data.

2. In the drop-down list, click the Collection tab.

3. Click "Add Collector" at the top right of the console.

4. Select Hosted Collector.

5. Fill in the details of your Hosted Collector.

6. Confirm the creation.

7. Once the collector exists, add a source of type "HTTP Logs & Metrics".

8. Fill in the details of the HTTP Logs & Metrics source and save it.

9. Copy the HTTP source address for later use. The unique address is the only credential this source has, so treat it like a secret and do not share it outside the Splashtop SIEM configuration.

10. Log in to my.splashtop.com (or my.splashtop.eu), open the Management tab and click SIEM Logging.

11. Click the Create button and select "Push mode".

12. Select Sumo Logic as the integration type.

13. In the URL field, paste the HTTP source address you copied from the Sumo Logic console.

14. Click "Create". The configuration is complete.

After the setup is finished, the events appear in Sumo Logic:

1. On the home page, click "Log Search".

2. Enter a search for the new source, then click the search icon.

3. The matching Splashtop events are displayed.

Splunk configuration

On Splunk Cloud Platform, go to Settings > Add Data.

Choose "Monitor" > "HTTP Event Collector".

Fill in the details and choose the settings you want for the token. A HEC token is a bearer secret: anyone holding it can write events to your instance, so give the Splashtop token its own dedicated index and restrict the token to that index rather than allowing all indexes.

After the token is created, copy the token value and go to my.splashtop.com or my.splashtop.eu (Management > SIEM Logging) to finish the setup.

When creating the push mode app, choose "Splunk" in the integration drop-down, then fill in the HEC URL and the token value to create the app.

*For HEC URL:
To send data to HTTP Event Collector on Splunk Cloud Platform, you must use the HEC-specific URI for your deployment type.

  • The standard form for the HEC URI in Splunk Cloud Platform free trials is:
    <protocol>://inputs.<host>:<port>/<endpoint>
  • The standard form for the HEC URI in Splunk Cloud Platform is:
    <protocol>://http-inputs-<host>:<port>/<endpoint>
  • The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is:
    <protocol>://http-inputs.<host>:<port>/<endpoint>

Please note:

  • <protocol> is either http or https; use https so that session logs are not sent across the internet in clear text
  • You must add http-inputs- before the <host> (inputs. on a free trial, http-inputs. on Google Cloud)
  • <host> is the Splunk Cloud Platform instance that runs HEC
  • <port> is the HEC port number:
    • 8088 on Splunk Cloud Platform free trials
    • 443 by default on Splunk Cloud Platform instances
  • <endpoint> is the HEC endpoint you want to use. In many cases this is /services/collector for JSON-formatted events or /services/collector/raw for raw events.
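Before creating the push-mode app, it is worth confirming that the receiver accepts a hand-made event with the exact URL and token you are about to paste into the Splashtop form; a mistyped host prefix or a token restricted to the wrong index only shows up later as silently missing logs. The Python script below is an added example, not Splashtop's, Splunk's or Sumo Logic's own code. It assembles and checks a HEC URL in the three forms listed above, builds the request each receiver expects (Splunk HEC: a POST carrying an "Authorization: Splunk <token>" header and a JSON body with an "event" key; Sumo Logic: a plain POST to the HTTP source address, whose unique URL is the only credential), and sends one constructed test event. The host names, token, source category and event contents are placeholders, not values from the article.

```python
"""Sanity-check a Splunk HEC or Sumo Logic HTTP source before pointing Splashtop at it.

Added example, not Splashtop's own code. Host names, token and the test
event are constructed placeholders.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Host-name prefix for each Splunk Cloud Platform deployment type (from the article).
HEC_HOST_PREFIXES = {
    "trial": "inputs.",          # Splunk Cloud Platform free trial, HEC on port 8088
    "standard": "http-inputs-",  # Splunk Cloud Platform, HEC on port 443
    "gcp": "http-inputs.",       # Splunk Cloud Platform on Google Cloud
}
HEC_ENDPOINTS = ("/services/collector", "/services/collector/event", "/services/collector/raw")


def build_hec_url(host, deployment="standard", port=443, protocol="https",
                  endpoint="/services/collector"):
    """Assemble <protocol>://<prefix><host>:<port><endpoint> for the deployment type."""
    if not endpoint.startswith("/"):
        endpoint = "/" + endpoint
    return f"{protocol}://{HEC_HOST_PREFIXES[deployment]}{host}:{port}{endpoint}"


def check_hec_url(url):
    """Return the problems with a HEC URL as it would be typed into the Splashtop form."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        # HEC accepts http in principle, but session logs would then cross the
        # internet in clear text.
        problems.append("use https")
    if not host.startswith(tuple(HEC_HOST_PREFIXES.values())):
        problems.append("host must carry the http-inputs- (or trial inputs.) prefix")
    if parts.path not in HEC_ENDPOINTS:
        problems.append("path must be a HEC collector endpoint")
    return problems


def hec_request(url, token, event, source="Splashtop"):
    """URL, headers and body for one JSON event on the /services/collector endpoint."""
    # The token is a bearer secret; HEC reads it from the Authorization header.
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    # source="Splashtop" is an assumption so the event matches the search the article suggests.
    body = json.dumps({"event": event, "source": source, "sourcetype": "_json"})
    return url, headers, body


def sumo_request(url, event, category="splashtop"):
    """URL, headers and body for the same event on a Sumo Logic hosted HTTP source."""
    # The unique source address is the only credential, so the URL itself is a secret.
    headers = {"Content-Type": "application/json", "X-Sumo-Category": category}
    return url, headers, json.dumps(event)


def send(url, headers, body, timeout=10):
    """POST the prepared request; return (HTTP status, response text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # Splunk: 401/403 mean a bad or disabled token, 400 a malformed event.
        return err.code, err.read().decode()


if __name__ == "__main__":
    import sys
    # Constructed test event; it only proves that the receiver accepts our request.
    test_event = {"message": "splashtop siem connectivity test", "team": "example-team"}
    if len(sys.argv) == 3 and sys.argv[1] == "splunk":
        hec_url = build_hec_url("acme.splunkcloud.com")  # constructed host name
        for problem in check_hec_url(hec_url):
            print("warning:", problem)
        print(send(*hec_request(hec_url, sys.argv[2], test_event)))
    elif len(sys.argv) == 3 and sys.argv[1] == "sumo":
        print(send(*sumo_request(sys.argv[2], test_event)))
    else:
        print("usage: splunk <hec-token> | sumo <http-source-address>")
```

Run it as `python check_receiver.py splunk <token>` or `python check_receiver.py sumo <http-source-address>` after replacing the constructed host name with your own instance. A 200 response from HEC (JSON with "text": "Success") or from the Sumo Logic source means the same URL and credential will work in the Splashtop push-mode app; the warnings from check_hec_url catch the two mistakes the HEC URI rules above are most often tripped by, a missing http-inputs- prefix and a plain-http URL.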

 

After the setup is finished, you can find the events in Splunk by searching for source "Splashtop" (for example, source="Splashtop" in the search bar).