Splunk Integration
Forward database audit events to Splunk Enterprise or Splunk Cloud using the HTTP Event Collector. Enable real-time security monitoring and correlation with your existing Splunk infrastructure.
HTTP Event Collector
Native HEC integration for high-throughput event ingestion with token-based authentication.
Custom Indexes
Route events to dedicated indexes for better organization and access control.
Custom Sourcetypes
Dedicated sourcetype for easy field extraction and Splunk app integration.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "splunk-prod") |
| provider | select | Yes | splunk | SIEM provider - select "Splunk" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| hec_url | string | Yes | - | Splunk HEC endpoint URL (e.g., "https://splunk.example.com:8088/services/collector/event") |
| hec_token | password | Yes | - | HTTP Event Collector token for authentication |
2 Splunk-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| index | string | No | main | Target Splunk index for events (e.g., "security", "db_audit") |
| source_type | string | No | dbaudit:events | Splunk sourcetype for event categorization |
| source | string | No | dbaudit | Source identifier for events |
| host | string | No | - | Override host field (defaults to DB Audit server hostname) |
| verify_ssl | boolean | No | true | Verify Splunk server SSL certificate |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
| retry_delay_seconds | number | No | 5 | Delay between retry attempts |
Setup Instructions
Create Splunk Index (Optional)
Create a dedicated index for DB Audit events (recommended for better organization).
# Create dedicated index for DB Audit events
splunk add index db_audit \
-maxTotalDataSizeMB 500000 \
-frozenTimePeriodInSecs 31536000
# indexes.conf
[db_audit]
homePath = $SPLUNK_DB/db_audit/db
coldPath = $SPLUNK_DB/db_audit/colddb
thawedPath = $SPLUNK_DB/db_audit/thaweddb
maxTotalDataSizeMB = 500000
frozenTimePeriodInSecs = 31536000
Create HEC Token
Create an HTTP Event Collector token for DB Audit to use.
# Create HEC token via Splunk CLI
splunk http-event-collector create dbaudit-token \
-uri https://localhost:8089 \
-auth admin:changeme
# Or via inputs.conf (HEC token stanzas live in inputs.conf, not splunk.conf)
[http://dbaudit]
disabled = 0
token = your-generated-token
index = db_audit
indexes = db_audit,security
sourcetype = dbaudit:events
Tip: You can also create HEC tokens via Splunk Web: Settings → Data inputs → HTTP Event Collector → New Token
Test HEC Endpoint
Verify the HEC endpoint is accessible and the token is valid.
# Test HEC endpoint with curl
curl -k "https://splunk.example.com:8088/services/collector/event" \
-H "Authorization: Splunk YOUR_HEC_TOKEN" \
-d '{"event": "test event from dbaudit"}'
# Expected response
{"text":"Success","code":0}
Configure in DB Audit
Add the Splunk integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select Splunk as the provider
- Enter your HEC URL and token
- Configure index and sourcetype settings
- Select event types to forward
- Test the connection and save
Event Format
Events are sent to Splunk in HEC JSON format with all audit data nested under the "event" field.
{
"time": 1705314645.123,
"host": "dbaudit-server",
"source": "dbaudit",
"sourcetype": "dbaudit:events",
"index": "db_audit",
"event": {
"timestamp": "2024-01-15T10:30:45.123Z",
"event_type": "audit_event",
"severity": "warning",
"source": {
"database": "production-postgres",
"db_type": "postgresql"
},
"actor": {
"user": "app_user",
"client_ip": "10.0.1.50"
},
"action": {
"type": "SELECT",
"object": "customers",
"statement": "SELECT * FROM customers WHERE..."
}
}
}
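The Event Filtering and Batching &amp; Reliability settings above, together with the HEC envelope just shown, are easy to misread as independent knobs; the following script shows how they fit together end to end. It is an added example written for this page, not DB Audit's own forwarder or Splunk's SDK: the function names, the injected `post` transport, the `FakeHEC` stand-in and the sample events are all this example's assumptions. The envelope's `time` is derived from the event's own `timestamp`, an empty filter means "all" as the tables state, a batch is one newline-separated HEC POST, and a failed POST is retried `retry_attempts` times with `retry_delay_seconds` between tries.

```python
"""Added example (not DB Audit's own code): filter -> HEC envelope -> batch
-> retry, using the settings from the Configuration Reference tables.
Function names, the injected `post` transport and the sample events are
this example's own assumptions."""
import json
import ssl
import time
import urllib.request
from datetime import datetime
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Post = Callable[[str, bytes, Dict[str, str]], dict]  # returns HEC's JSON reply


def to_hec_envelope(evt: dict, index: str = "db_audit", source: str = "dbaudit",
                    sourcetype: str = "dbaudit:events", host: Optional[str] = None) -> dict:
    """Wrap one audit event in the HEC JSON envelope; `time` is epoch seconds from
    the event's ISO-8601 `timestamp`, so Splunk indexes it at the time the database
    activity happened rather than the time it was forwarded."""
    ts = datetime.fromisoformat(evt["timestamp"].replace("Z", "+00:00"))
    env = {"time": ts.timestamp(), "source": source, "sourcetype": sourcetype,
           "index": index, "event": evt}
    if host:  # omit to let Splunk fill in the sender's hostname
        env["host"] = host
    return env


def passes_filter(evt: dict, event_types=None, severity_filter=None,
                  database_filter=None) -> bool:
    """Mirror of the Event Filtering table: an empty or None filter means 'all'."""
    if event_types and evt["event_type"] not in event_types:
        return False
    if severity_filter and evt["severity"] not in severity_filter:
        return False
    if database_filter and evt["source"]["database"] not in database_filter:
        return False
    return True


def urllib_post(url: str, body: bytes, headers: Dict[str, str],
                ca_bundle: Optional[str] = None, verify_ssl: bool = True) -> dict:
    """Real transport: POST to HEC, verifying the server certificate against the
    system trust store or a private CA bundle (verify_ssl=False disables checking)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


def send_batch(post: Post, hec_url: str, token: str, envelopes: List[dict],
               retry_attempts: int = 3, retry_delay_seconds: float = 5) -> int:
    """Send one batch (HEC accepts newline-separated JSON objects in a single POST).
    Retries on transport errors or a non-zero HEC code; returns the attempts used."""
    body = "\n".join(json.dumps(e) for e in envelopes).encode()
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    last_error: Exception = RuntimeError("no attempt made")
    for attempt in range(1, retry_attempts + 2):  # first try plus retry_attempts
        try:
            reply = post(hec_url, body, headers)
            if reply.get("code") == 0:
                return attempt
            last_error = RuntimeError(f"HEC rejected batch: {reply}")
        except OSError as exc:  # connection refused, TLS failure, HTTP 4xx/5xx
            last_error = exc
        if attempt <= retry_attempts:
            time.sleep(retry_delay_seconds)
    raise last_error


def forward(events: Iterable[dict], post: Post, hec_url: str, token: str,
            batch_size: int = 100, retry_attempts: int = 3,
            retry_delay_seconds: float = 5, **filters) -> Tuple[int, int]:
    """Filter, wrap and ship events; returns (events_forwarded, batches_sent)."""
    batch: List[dict] = []
    forwarded = batches = 0
    for evt in events:
        if not passes_filter(evt, **filters):
            continue
        batch.append(to_hec_envelope(evt))
        if len(batch) >= batch_size:
            send_batch(post, hec_url, token, batch, retry_attempts, retry_delay_seconds)
            forwarded, batches, batch = forwarded + len(batch), batches + 1, []
    if batch:  # flush the partial batch (the flush_interval_seconds timer in practice)
        send_batch(post, hec_url, token, batch, retry_attempts, retry_delay_seconds)
        forwarded, batches = forwarded + len(batch), batches + 1
    return forwarded, batches


# Constructed sample events (not real audit data), shaped like the Event Format section.
_SRC = {"database": "production-postgres", "db_type": "postgresql"}
_ACTOR = {"user": "app_user", "client_ip": "10.0.1.50"}
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-15T10:30:45.123Z", "event_type": "audit_event", "severity": "warning",
     "source": _SRC, "actor": _ACTOR,
     "action": {"type": "SELECT", "object": "customers", "statement": "SELECT * FROM customers WHERE..."}},
    {"timestamp": "2024-01-15T10:31:00Z", "event_type": "alert", "severity": "critical",
     "source": _SRC, "actor": _ACTOR,
     "action": {"type": "DELETE", "object": "customers", "statement": "DELETE FROM customers"}},
    {"timestamp": "2024-01-15T10:31:05Z", "event_type": "audit_event", "severity": "info",
     "source": {"database": "staging-mysql", "db_type": "mysql"},
     "actor": {"user": "reporting", "client_ip": "10.0.2.7"},
     "action": {"type": "SELECT", "object": "orders", "statement": "SELECT count(*) FROM orders"}},
]


class FakeHEC:
    """Offline stand-in for Splunk HEC: records each batch it receives and fails
    the first `failures` calls with a connection error to exercise the retry path."""
    def __init__(self, failures: int = 0):
        self.failures, self.calls = failures, []

    def __call__(self, url: str, body: bytes, headers: Dict[str, str]) -> dict:
        if self.failures:
            self.failures -= 1
            raise ConnectionRefusedError("HEC port 8088 unreachable")
        assert headers["Authorization"].startswith("Splunk ")
        self.calls.append([json.loads(line) for line in body.decode().split("\n")])
        return {"text": "Success", "code": 0}


if __name__ == "__main__":
    hec = FakeHEC()  # swap for urllib_post to talk to a real collector
    print(forward(SAMPLE_EVENTS, hec, "https://splunk.example.com:8088/services/collector/event",
                  "PLACEHOLDER_HEC_TOKEN", batch_size=2, severity_filter={"critical", "warning"}))
```

To send to a real collector, pass `urllib_post` (or `functools.partial(urllib_post, ca_bundle="/path/to/ca.pem")` when Splunk uses a private CA) instead of `FakeHEC`; that is the supported way to clear the "SSL certificate error" case in Troubleshooting without turning `verify_ssl` off.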
Sample Splunk Searches
Use these SPL queries to analyze DB Audit events in Splunk.
# Search DB Audit events in Splunk
index=db_audit sourcetype=dbaudit:events
# Filter by severity
index=db_audit sourcetype=dbaudit:events severity=critical
# Find suspicious queries
index=db_audit sourcetype=dbaudit:events
| where 'action.type'="SELECT" AND 'action.rows_affected' > 10000
# User activity analysis
index=db_audit sourcetype=dbaudit:events
| stats count by actor.user, source.database
| sort - count
# Failed authentication attempts
index=db_audit sourcetype=dbaudit:events event_type="auth_failure"
| timechart count by actor.client_ip
Troubleshooting
HEC connection refused
Ensure HEC is enabled in Splunk and the correct port (usually 8088) is accessible.
# Check HEC status
splunk show http-event-collector-status
Invalid token error
Verify the HEC token is correct and not disabled. Check token permissions for the target index.
Events not appearing in index
Check that the HEC token has permission to write to the specified index, and verify the index exists.
SSL certificate error
Either configure the proper CA certificate in DB Audit, or set verify_ssl to false (not recommended for production).