Tanium Audit Logs flowing to Splunk Cloud via Tanium Connect

From RiceFamily Wiki
Revision as of 14:40, 11 December 2024 by Rice0009 (Talk | contribs)


We have configured Tanium to send its audit logs to Splunk.

  • Tanium Cloud to Splunk Cloud uses HTTP as its destination.
    • Had to configure Splunk to allow the egress IPs from Tanium and configure Tanium Cloud to allow the outbound traffic to the Splunk Cloud URL.
  • The Splunk Cloud URL needed to end in /raw in the Tanium Connect document.
  • The Secret Key has to be entered every time you edit the Tanium Connect Document. That gets frustrating after a few edits!
  • Data format is JSON
  • Default Row Delimiter is "\n" (newline)
  • We got hung up on the URL needing to end in /raw.
    • We were getting 400 errors.
  • If you are having problems with your connection, open the Advanced section under General Information and select Override Log Level. Set it to Trace for 2 or 3 runs while you test. Trace logging turns itself off after the designated number of runs, so you will need to re-enable it if you need more. This gives much more detail in the connection attempt logs.
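As an added illustration of the settings above (not Tanium's or Splunk's own code), the script below models what the connection sends: one compact JSON object per row, rows joined by the newline delimiter, posted to a Splunk HEC URL that must end in /raw. It assumes the Secret Key is the HEC token carried in the Authorization header; the hostname, events and token value are constructed placeholders.

```python
"""Offline model of a Tanium Connect JSON connection to a Splunk HEC /raw destination."""
import json
from urllib.parse import urlparse

# Constructed sample audit events; shape is illustrative, not real Tanium output.
SAMPLE_EVENTS = [
    {"timestamp": "2024-12-11T14:40:00Z", "user": "rice0009", "action": "login", "result": "success"},
    {"timestamp": "2024-12-11T14:41:05Z", "user": "rice0009", "action": "edit_connection", "result": "success"},
]


def check_destination_url(url: str) -> list:
    """Return configuration problems with the destination URL (empty list means OK).

    Newline-delimited JSON rows belong on HEC's raw endpoint, so the path must end
    in /raw; the page reports HTTP 400 responses when it did not.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("destination should use https")
    if not parsed.path.rstrip("/").endswith("/raw"):
        problems.append("path must end in /raw for newline-delimited JSON rows")
    return problems


def build_raw_payload(events, row_delimiter="\n") -> str:
    """Serialize events as a JSON-format connection does: one object per row,
    rows joined by the row delimiter, no surrounding JSON array."""
    return row_delimiter.join(json.dumps(e, separators=(",", ":")) for e in events)


def build_request(url: str, secret_key: str, events) -> dict:
    """Assemble the HEC POST; the token goes in the 'Authorization: Splunk <token>' header.
    Raises ValueError instead of sending a request that Splunk would reject."""
    problems = check_destination_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "method": "POST",
        "url": url,
        "headers": {"Authorization": f"Splunk {secret_key}", "Content-Type": "application/json"},
        "body": build_raw_payload(events),
    }
```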

In order to take advantage of the Splunk App in Tanium, we need to send additional data. I'm not seeing much detailed documentation about the Splunk App, so I'll update things here as we work them out.