UniFi Identity Enterprise - Integration with Splunk

UniFi Identity Enterprise allows system log storage for up to 30 days (Basic Plan) and 90 days (Standard Plan). To extend the retention period for your system logs, you can integrate Identity Enterprise with Splunk for analyzing system logs using the Splunk platform.

Obtain the Splunk Token

  1. Sign in to your Splunk account and go to Settings > Data inputs.
  2. Click HTTP Event Collector > New Token.
  3. Specify a name (e.g., Identity Enterprise) and click Next.
  4. In the Source name override field, enter a name for a source to be assigned to events that Identity Enterprise generates.
  5. In the Description field, enter a description for the input.
  6. Enabling index acknowledgment is currently unsupported. Please leave it unchecked and click Next.
  7. Edit the source type and confirm the index to store HEC events. See Modify input settings.
  8. Click Review > Submit.
  9. Copy the token value for later use.

Learn more about Setting up and Using HTTP Event Collector in Splunk Web

Connect Identity Enterprise to Splunk

  1. Go to your Identity Enterprise Manager > Lab > Integration > Third-Party App > Splunk.
  2. Click Connect.
  3. Enter your Splunk URL (e.g., https://<instancename>.splunkcloud.com:8088/services/collector/event).
  4. Paste the token copied from Splunk and click Connect.
  5. If the connection fails, you can tick the Verify the TLS certificate of the Splunk instances checkbox and click Connect. Learn more about troubleshooting TLS connections.
  6. After connecting Identity Enterprise to Splunk, you can:
    1. Configure Splunk settings.
    2. Use your Identity Enterprise data to create dashboards, reports, and alerts in the Splunk platform.
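The steps above boil down to an HTTPS POST of a JSON envelope to the HEC URL from step 3 with the token from the first section in the Authorization header. The following script is an added example, not UniFi or Splunk code: it checks that a HEC URL has the expected shape, builds the envelope, and posts it with TLS verification kept on (a private CA bundle can be supplied instead of turning verification off). The sample record, source and sourcetype values are constructed placeholders.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"  # endpoint path used in the article's example URL


def check_hec_url(url: str) -> list:
    """Return the problems found in a HEC URL; an empty list means it looks right."""
    p = urlparse(url)
    problems = []
    if p.scheme != "https":
        problems.append("scheme must be https (the HEC token travels in a request header)")
    if not p.hostname:
        problems.append("missing host name")
    if p.path.rstrip("/") != HEC_PATH:
        problems.append("path must be " + HEC_PATH)
    return problems


def hec_envelope(event: dict, source: str, sourcetype: str, index: str = None) -> bytes:
    """Wrap one log record in the JSON envelope the HEC /event endpoint expects."""
    body = {"event": event, "source": source, "sourcetype": sourcetype}
    if index:
        body["index"] = index  # must be an index the token is allowed to write to
    return json.dumps(body).encode("utf-8")


def send_to_hec(url: str, token: str, payload: bytes, ca_file: str = None) -> int:
    """POST one envelope. Verification stays on; pass ca_file for a private CA."""
    problems = check_hec_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    ctx = ssl.create_default_context(cafile=ca_file)  # verifies chain and host name
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Authorization": "Splunk " + token,  # HEC token header format
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample record and placeholder names; replace with your own values.
    sample = {"category": "Authentication", "actor": "alice", "result": "success"}
    payload = hec_envelope(sample, source="identity-enterprise", sourcetype="identity_enterprise")
    print(check_hec_url("https://example.splunkcloud.com:8088" + HEC_PATH))
    print(payload.decode())
    # send_to_hec("https://<instancename>.splunkcloud.com:8088" + HEC_PATH, "<token>", payload)
```

A 200 response confirms the token, URL and certificate chain are all accepted; a certificate error here is the same condition step 5 of the connection procedure refers to, and is better fixed by trusting the right CA than by skipping verification.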

Configure Splunk Integration Settings

  1. Tick the Sync Identity Enterprise system logs to Splunk at a specific time checkbox and select the time at which the Identity Enterprise system logs will be synced to Splunk. If this option is left unchecked, the system logs are synced as soon as Identity Enterprise is connected to Splunk.
  2. Go to Event Category and select which category’s system logs to sync to Splunk. Note: Currently, Identity Enterprise only supports syncing the system logs of the categories listed below.

Deactivate or Remove Splunk

  • After deactivation, the Identity Enterprise system will stop syncing with Splunk.
  • Splunk must be deactivated before it can be removed. Once removed, it will no longer appear in the Identity Enterprise interface, requiring reconfiguration if you need to use it again.
  1. Go to your Identity Enterprise Manager > Lab > Integration > Third-Party App > Splunk.
  2. Click Manage.
  3. Scroll down to Manage and click Deactivate or Remove.