Splashtop history and session event logs can now be exported for further analysis with the SIEM (Security Information and Event Management) software of your choice.
Supported data flow:
Push Mode is supported at the moment. All the changes in team History and different types of Session Logs will be pushed from Splashtop's platform to your SIEM software for further inspection.
Logs to be exported:
- Team History logs:
  - All the operations (my.splashtop.com/my.splashtop.eu > Logs > History)
- Session Logs:
  - Attended and Unattended sessions
  - File transfer
  - Diagnostic sessions
  - Off-session file transfer, chat, and remote command sessions
  - PSA integrations
  - Share My Desktop sessions
Supported SIEM tools:
- Splunk
- Sumo Logic
- Others
Supported Log formats:
- Splashtop Common Schema
- Elastic Common Schema
- Splunk format
Notes:
- Pull mode is not yet supported. At this time, you can use the Splashtop Open APIs to retrieve logs.
- Logs related to endpoint management features (Alert profiles, System inventory, etc.) are not yet available for export to SIEM tools.
- For SIEM tools other than Splunk or Sumo Logic, select Integration: Others and fill in the fields according to your SIEM solution (my.splashtop.com/my.splashtop.eu > Management > SIEM Logging > Create).
With the SIEM Logging feature from Splashtop, users can now export logs to their own management system. Please follow the instructions below to configure a collector from the Sumo Logic console.
1. Log in to the Sumo Logic console. Click Manage Data.
2. Under the drop-down list, click the Collection tab.
3. Then click "Add collector" on the top right of the console.
4. Select Hosted Collector.
5. Complete the information for your Hosted Collector.
6. Confirm the creation.
7. After the creation is confirmed, select "HTTP Logs & Metrics".
8. Complete the information for your HTTP Logs & Metrics source, and save the source.
9. Copy the HTTP source address for later use.
10. Log in to my.splashtop.com, go to the Management tab, then click SIEM Logging.
11. Navigate to the Create button, and click "Push mode".
12. Select Sumo Logic as the integration type.
13. In the URL field, enter the HTTP source address that you copied from the Sumo Logic console.
14. Finally, click "Create". You're all set with the configuration.
After the setup is finished, you can find the log entries on your Sumo Logic dashboard.
1. On the home page, click "Log Search".
2. Enter your search terms, then click the search icon.
3. The matching log entries will appear.
On Splunk Cloud Platform, go to Settings > Add Data.
Choose "Monitor" > "HTTP Event Collector".
Fill in the information and choose the setup you'd like for the token.
After the token is created, copy the token value and go to my.splashtop.com/my.splashtop.eu (Management > SIEM Logging) to finish the setup.
When creating the push mode app, choose "Splunk" in the integration dropdown.
Then fill in the HEC URL and the token value to create the app.
For the HEC URL:
To send data to the HTTP Event Collector on Splunk Cloud Platform, you must send data using a specific URI for HEC.
- The standard form for the HEC URI in Splunk Cloud Platform free trials is as follows:
  <protocol>://inputs.<host>:<port>/<endpoint>
- The standard form for the HEC URI in Splunk Cloud Platform is as follows:
  <protocol>://http-inputs-<host>:<port>/<endpoint>
- The standard form for the HEC URI in Splunk Cloud Platform on Google Cloud is as follows:
  <protocol>://http-inputs.<host>:<port>/<endpoint>
Please note:
- <protocol> is either http or https
- You must add http-inputs- before the <host>
- <host> is the Splunk Cloud Platform instance that runs HEC
- <port> is the HEC port number:
  - 8088 on Splunk Cloud Platform free trials
  - 443 by default on Splunk Cloud Platform instances
- <endpoint> is the HEC endpoint you want to use. In many cases, you can use the /services/collector endpoint for JavaScript Object Notation (JSON)-formatted events or the /services/collector/raw endpoint for raw events.
After the setup is finished, you can find the log info on Splunk by searching "Source 'Splashtop' "
Our SIEM app also supports pushing logs to your own server or other tools (LogScale, for example, is confirmed to work by one of our users). You can set up an app on the web portal (my.splashtop.com / my.splashtop.eu) and fill in the fields following the instructions below:
- Name: your SIEM app name
- Integration: select Others
- URL: your server's URL or HEC's URL (HTTP Event Collector)
- Authentication Token: optional, depends on whether your service will check the token in the header of the data or not.
- Log format: select a format you would like to receive the logs with. (If one is not working, you can give others a try.)
Usually you only need to configure this (allowing traffic from the source addresses listed below) when you host the log server that receives the logs yourself. For cloud-hosted Splunk/Sumo Logic or other third-party SIEM services, the provider handles the traffic management.
Global stack
- Web portal (this is for the SIEM push mode app to send test traffic)
  - 54.153.1.100
  - 50.18.114.99
  - 35.164.11.141
  - 35.165.21.129
  - 52.37.98.151
- Logs server
  - 13.52.208.170
  - 54.241.143.104
  - 44.238.4.189/32
  - 54.185.81.191/32
EU stack
- Web portal (this is for the SIEM push mode app to send test traffic)
  - 3.66.52.43
  - 18.157.228.221
  - 18.158.148.33/32
- Logs server
  - 3.74.33.104
  - 18.193.181.104
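As an added example (not Splashtop's code), here is the validation a self-hosted receiver behind an "Others" integration URL can apply to each push: it checks that the sender is one of the Splashtop stack addresses listed above, checks the optional Authentication Token, and then parses the JSON batch. The header name `Authorization` with a Bearer scheme is an assumption, since the page only says the token is checked in the request header.

```python
import hmac
import ipaddress
import json

# Splashtop source addresses copied from the lists on this page. Web portal
# addresses send the push-mode app's test traffic, logs servers the real logs.
SPLASHTOP_SOURCES = {
    "global": {"web_portal": ["54.153.1.100", "50.18.114.99", "35.164.11.141",
                              "35.165.21.129", "52.37.98.151"],
               "logs_server": ["13.52.208.170", "54.241.143.104",
                               "44.238.4.189/32", "54.185.81.191/32"]},
    "eu": {"web_portal": ["3.66.52.43", "18.157.228.221", "18.158.148.33/32"],
           "logs_server": ["3.74.33.104", "18.193.181.104"]},
}

def build_allowlist(stack):
    """Normalise the page's mix of bare IPs and /32 CIDRs into (network, role) pairs."""
    return [(ipaddress.ip_network(addr, strict=False), role)
            for role in ("web_portal", "logs_server")
            for addr in SPLASHTOP_SOURCES[stack][role]]

def classify_source(ip, allowlist):
    """Return 'web_portal', 'logs_server', or None if the sender is not Splashtop."""
    addr = ipaddress.ip_address(ip)
    for net, role in allowlist:
        if addr in net:
            return role
    return None

def handle_push(source_ip, headers, body, expected_token, allowlist):
    """Validate one pushed batch; returns (http_status, reason, list_of_events)."""
    role = classify_source(source_ip, allowlist)
    if role is None:
        return 403, "source address is not a Splashtop stack address", []
    # Header name and Bearer scheme are assumptions; the page only says the
    # optional token is sent in the request header. Compare in constant time.
    presented = headers.get("Authorization", "")
    if expected_token and not hmac.compare_digest(presented, f"Bearer {expected_token}"):
        return 401, "authentication token mismatch", []
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "body is not JSON", []
    events = payload if isinstance(payload, list) else [payload]
    return 200, f"accepted {len(events)} event(s) from {role}", events
```

Test traffic from the web portal addresses and real logs from the logs server addresses are told apart by the returned role, which is useful when deciding whether a batch should be forwarded into the SIEM index.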