
UniFi Identity Enterprise - Integration with Splunk

UniFi Identity Enterprise allows system log storage for up to 30 days (Basic Plan) and 90 days (Standard Plan). To extend the retention period for your system logs, you can integrate Identity Enterprise with Splunk for analyzing system logs using the Splunk platform.

Use HTTP Event Collector in Splunk Web

The HTTP Event Collector (HEC) securely sends data to Splunk over HTTP/HTTPS using token-based authentication, removing the need for a forwarder or embedded credentials. Available on both Splunk Cloud Platform and on-premises Splunk Enterprise, HEC simplifies data transmission for applications. See Splunk's article on setting up and using HEC in Splunk web for details.

To send Identity Enterprise data to HEC, you must satisfy all of the following conditions first:

  • HEC must be enabled.
  • You must use an active token to authenticate into HEC.
  • For Splunk Enterprise, ensure that the IP address of the server hosting Splunk Enterprise and the HEC port (default: 8088) are reachable from the Internet, so that the delivery requests sent by Identity Enterprise can reach it.

For security reasons, we are unable to provide users with the host address that Identity Enterprise sends from. Since the Eventhook service allows users to customize request headers, we recommend the following steps to keep access secure:

  • Allow all AWS IP ranges to ensure the service can function without specific host information.
  • Use a token in the header for authentication to add an extra layer of security to your requests.

See AWS IP address ranges to reference the AWS IP ranges.

Obtain the Splunk Token

  1. Sign in to your Splunk account and go to Settings > Data inputs.
  2. Click HTTP Event Collector > New Token.
  3. Specify a name (e.g., Identity Enterprise) and click Next.
    • Note: Disable the Enable Indexer Acknowledgement option. This setting requires the client to wait for Splunk to confirm that an event has been indexed, which is not currently supported by Identity Enterprise.
  4. In the Source name override field, enter a name for a source to be assigned to events that Identity Enterprise generates.
  5. In the Description field, enter a description for the input.
  6. Enabling index acknowledgment is currently unsupported. Please leave it unchecked and click Next.
  7. Edit the source type and confirm the index to store HEC events. See Modify input settings.
  8. Click Review > Submit.
  9. Copy the token value for later use.

Learn more about Setting up and Using HTTP Event Collector in Splunk Web

Connect Identity Enterprise to Splunk

  1. Go to your Identity Enterprise Manager > Lab > Integration > Third-Party App > Splunk.
  2. Click Connect.
  3. Enter your Splunk URL. For example:
    • Splunk Cloud: https://<instancename>.splunkcloud.com:8088/services/collector/event
    • Splunk Enterprise: https://{host}:8088/services/collector/event
  4. Paste the token copied from Splunk and click Connect.
  5. If the connection fails, you can tick the Verify the TLS certificate of the Splunk instances checkbox and click Connect. Learn more about troubleshooting TLS connections
  6. After connecting Identity Enterprise to Splunk, you can:
    1. Configure Splunk settings.
    2. Use your Identity Enterprise data to create dashboards, reports, and alerts in the Splunk platform. To filter Identity Enterprise logs on the Splunk platform, go to Home > Search & Reporting and enter "source: Identity Enterprise" to view the logs.
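Before pasting the token into Identity Enterprise, it helps to confirm that the HEC URL, token and TLS setup work end to end. The following probe is an added example (not part of this article or of Identity Enterprise) that posts one constructed event to the same `https://<host>:8088/services/collector/event` endpoint with the same `Authorization: Splunk <token>` header, keeps TLS verification on (a private CA file can be supplied instead of disabling verification), and maps the HEC reply code to a readable verdict. The URL, token and CA path are placeholders you replace with your own.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"

# Abbreviated reply codes from Splunk's HEC documentation (the "code" field of the JSON body).
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    14: "ACK is disabled",
}


def validate_hec_url(url):
    """Return the URL if it has the shape the article expects, otherwise raise ValueError."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError("HEC URL must use https so the token never travels in clear text")
    if p.path != HEC_PATH:
        raise ValueError(f"HEC URL path must be {HEC_PATH}")
    return url


def build_hec_request(url, token, event):
    """Build (url, headers, body) for one HEC event; the token goes in the header only.
    No source/sourcetype is set here, so the token's own settings (source name override,
    source type, index) configured in the steps above apply."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return validate_hec_url(url), headers, json.dumps({"event": event}).encode()


def classify_hec_reply(status, body_text):
    """Map the HTTP status plus HEC JSON body to (accepted?, human-readable verdict)."""
    try:
        code = json.loads(body_text).get("code")
    except (ValueError, AttributeError):
        code = None
    return status == 200 and code == 0, f"HTTP {status}: {HEC_CODES.get(code, f'unknown HEC code {code}')}"


def send_test_event(url, token, cafile=None, timeout=10):
    """POST a constructed probe event; TLS is verified, optionally against a private CA bundle."""
    url, headers, body = build_hec_request(url, token, {"probe": "identity-enterprise-hec-check"})
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays enabled
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_hec_reply(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:  # HEC returns its JSON body with 4xx/5xx too
        return classify_hec_reply(e.code, e.read().decode())
```

A `HTTP 200: Success` verdict means the endpoint, token and certificate chain are all acceptable; an `Invalid token` or `Token disabled` verdict points back to the token created in the previous section, and a TLS error points at the certificate rather than the token.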

Configure Splunk Integration Settings

  1. Tick the Sync Identity Enterprise system logs to Splunk at a specific time checkbox and select a time when the Identity Enterprise system logs will be synced to Splunk. If it is disabled, the system logs will be synced once Identity Enterprise is connected to Splunk.
  2. Go to Event Category and select which category’s system logs to sync to Splunk. Note: Currently, Identity Enterprise only supports syncing the system logs of the categories listed below.

Deactivate or Remove Splunk

  • After deactivation, the Identity Enterprise system will stop syncing with Splunk.
  • Splunk must be deactivated before it can be removed. Once removed, it will no longer appear in the Identity Enterprise interface, requiring reconfiguration if you need to use it again.
  1. Go to your Identity Enterprise Manager > Lab > Integration > Third-Party App > Splunk.
  2. Click Manage.
  3. Scroll down to Manage and click Deactivate or Remove.