Splunk

Audit events can be forwarded from Conjur directly into Splunk. Splunk reads the event and parses every field. This allows you to set up alerts for specific events that occur inside Conjur.

For example, an alert can be sent directly to the security team if a user repeatedly tries to fetch a secret for which they don't have access.

Setup

Splunk Cloud was used for this procedure, but the same steps work for any recent version of Splunk.

1. Mount the audit messages file (Docker only)

Audit messages in JSON are written to the file /var/log/conjur/audit.json inside the Conjur Server. This file has a new line separating each audit event.

To make this file available for forwarding, bind-mount its directory from the Conjur container onto the host when starting the container:

$ docker run -d \
    --restart always \
    --name conjur-appliance \
    -p "443:443" \
    -p "5432:5432" \
    -p "1999:1999" \
    -v /var/log/conjur:/var/log/conjur:Z \
    conjur-appliance

After initializing the container, you should see the file /var/log/conjur/audit.json on the host that is running the Conjur Server.
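Before the forwarder is in place, it helps to confirm what the file looks like and what an alert rule would key on. The following Python script is an added example, not code from Conjur or Splunk: it reads newline-delimited audit events like those written to /var/log/conjur/audit.json, tolerates a malformed or partially written line (which can occur while the file is being tailed), and flags the scenario from the introduction, a user repeatedly denied access to a secret. The sample events are constructed, and the field names (user, action, resource, success) are assumptions for this example rather than Conjur's audit schema; adjust them to match the fields Splunk extracts from your events.

```python
import json
from collections import Counter

# Constructed sample of newline-delimited audit events (one JSON object per
# line). Field names are assumptions for this example, not Conjur's schema.
SAMPLE_AUDIT_LINES = """\
{"timestamp": "2024-01-01T10:00:00Z", "user": "alice", "action": "fetch", "resource": "variable:db/password", "success": false}
{"timestamp": "2024-01-01T10:00:05Z", "user": "alice", "action": "fetch", "resource": "variable:db/password", "success": false}
{"timestamp": "2024-01-01T10:00:09Z", "user": "bob", "action": "fetch", "resource": "variable:db/password", "success": true}
{"timestamp": "2024-01-01T10:00:12Z", "user": "alice", "action": "fetch", "resource": "variable:db/password", "success": false}
not json at all
{"timestamp": "2024-01-01T10:00:20Z", "user": "carol", "action": "fetch", "resource": "variable:api/key", "success": false}
"""


def parse_audit_lines(text):
    """Parse newline-delimited JSON into a list of event dicts.

    Blank lines are skipped. A malformed line is recorded as a marker dict
    instead of aborting, so one bad record does not hide the rest of the
    stream (a tailed file can expose a half-written line).
    """
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"_parse_error": lineno})
    return events


def count_denied_fetches(events):
    """Count failed secret fetches per (user, resource) pair."""
    counts = Counter()
    for ev in events:
        if "_parse_error" in ev:
            continue
        if ev.get("action") == "fetch" and ev.get("success") is False:
            counts[(ev["user"], ev["resource"])] += 1
    return counts


def repeated_denials(events, threshold=3):
    """Return sorted (user, resource) pairs denied at least `threshold` times."""
    return sorted(
        pair for pair, n in count_denied_fetches(events).items() if n >= threshold
    )


def splunk_alert_search(index="conjur", threshold=3):
    """Build the equivalent Splunk search for an alert on repeated denials.

    Assumes the _json source type extracted the same (assumed) field names
    used above; the index name is whatever you chose in the Splunk UI.
    """
    return (
        f'index={index} sourcetype=_json action=fetch success=false '
        f'| stats count by user, resource | where count>={threshold}'
    )


if __name__ == "__main__":
    parsed = parse_audit_lines(SAMPLE_AUDIT_LINES)
    bad = [e["_parse_error"] for e in parsed if "_parse_error" in e]
    print(f"parsed {len(parsed) - len(bad)} events, {len(bad)} malformed line(s): {bad}")
    for user, resource in repeated_denials(parsed):
        print(f"ALERT: {user} repeatedly denied access to {resource}")
    print("Splunk search:", splunk_alert_search())
```

Run it against a copy of the real audit.json by replacing SAMPLE_AUDIT_LINES with the file contents; the threshold and window you settle on locally are the same numbers you would put into the Splunk alert.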

2. Point a universal forwarder to the file

Follow the instructions in the Splunk documentation to install and configure a universal forwarder on the Conjur Leader. Configuration management or a separately-linked container can be used to automate this step.

3. Configure forwarding in the Splunk UI

Once the forwarder is set up, the remaining configuration can be done in the Splunk UI.

  1. Select Settings > Add Data from the top menu bar and select Forward.

  2. If the forwarder is configured and running, you see a host in the list on the following page. Choose this host and add it to a server class ('conjur' is a good class name).

  3. On the next screen, select Files and Directories in the sidebar and set Splunk to follow the file /var/log/conjur/audit.json.

  4. Since the file is in JSON format, choose _json as the source type on the next screen. Choose the index you want to use.

  5. Finally, review the settings and submit changes.

    In a short time, you will see Conjur audit events in your Splunk search dashboard.