diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx index 9734d2e9b33c2b0..f076d965bf3bcc4 100644 --- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx +++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx @@ -8,7 +8,7 @@ head: content: Enable Logpush to Splunk --- -import { Render, APIRequest } from "~/components"; +import { Render, APIRequest, Tabs, TabItem, DashButton } from "~/components"; The [HTTP Event Collector (HEC)](https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/) is a reliable method to receive data from Splunk Enterprise or Splunk Cloud Platform. Cloudflare Logpush supports pushing logs directly to Splunk HEC via the Cloudflare dashboard or API. 
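Review bot: the added imports `Tabs`, `TabItem` and `DashButton` are not referenced in any `+` line shown in this diff; the second hunk shows two back-to-back numbered procedures with only blank `+` lines where the `<Tabs>`/`<TabItem>` wrappers and the `<DashButton>` would sit. If the diff rendering dropped the JSX tags this is fine, but confirm in the file that each procedure is inside its own `<TabItem>` and that `DashButton` is actually used; otherwise the import is dead and the page renders both procedures one after the other.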
@@ -177,31 +177,66 @@ Refer to the [Logpush FAQ](/logs/faq/logpush/) for troubleshooting information. ### 3. Create WAF custom rule for Splunk HEC endpoint (optional) -If your logpush destination hostname is proxied through Cloudflare, and you have the Cloudflare Web Application Firewall (WAF) turned on, you may be challenged or blocked when Cloudflare makes a request to Splunk HTTP Event Collector (HEC). To make sure this does not happen, you have to create a WAF custom rule that allows Cloudflare to bypass the HEC endpoint. +If your logpush destination hostname is proxied through Cloudflare, and you have the Cloudflare Web Application Firewall (WAF) turned on, you may be challenged or blocked when Cloudflare makes a request to Splunk HTTP Event Collector (HEC). To make sure this does not happen, you have to create a [custom rule](/waf/custom-rules/) that allows Cloudflare to bypass the HEC endpoint. + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. Go to **Security** > **WAF** > **Custom rules**. 2. Select **Create rule** and enter a descriptive name for it (for example, `Splunk`). 3. Under **When incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. Refer to the table below for the values you should input: -| Field | Operator | Value | -| ---------------- | ---------- | --------------------------------------------------------------------- | -| Request Method | `equals` | `POST` | -| Hostname | `equals` | Your Splunk endpoint hostname. 
For example: `splunk.cf-analytics.com` | -| URI Path | `equals` | `/services/collector/raw` | -| URI Query String | `contains` | `channel` | -| AS Num | `equals` | `132892` | -| User Agent | `equals` | `Go-http-client/2.0` | + | Field | Operator | Value | + | ---------------- | ---------- | --------------------------------------------------------------------- | + | Request Method | `equals` | `POST` | + | Hostname | `equals` | Your Splunk endpoint hostname. For example: `splunk.cf-analytics.com` | + | URI Path | `equals` | `/services/collector/raw` | + | URI Query String | `contains` | `channel` | + | AS Num | `equals` | `132892` | + | User Agent | `equals` | `Go-http-client/2.0` | 4. After inputting the values as shown in the table, you should have an Expression Preview with the values you added for your specific rule. The example below reflects the hostname `splunk.cf-analytics.com`. -```txt -(http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0") -``` + ```txt + (http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0") + ``` 5. Under the **Then** > **Choose an action** dropdown, select _Skip_. 6. Under **WAF components to skip**, select _All managed rules_. 7. Select **Deploy**. + + +1. In the Cloudflare dashboard, go to the **Security rules** page. + + + +2. Select **Create rule** > **Custom rules**. + +3. Enter a descriptive name for the rule (for example, `Splunk`). + +4. Under **When incoming requests match**, use the **Field**, **Operator**, and **Value** dropdowns to create a rule. After finishing each row, select **And** to create the next row of rules. 
Refer to the table below for the values you should input: + + | Field | Operator | Value | + | ---------------- | ---------- | --------------------------------------------------------------------- | + | Request Method | `equals` | `POST` | + | Hostname | `equals` | Your Splunk endpoint hostname. For example: `splunk.cf-analytics.com` | + | URI Path | `equals` | `/services/collector/raw` | + | URI Query String | `contains` | `channel` | + | AS Num | `equals` | `132892` | + | User Agent | `equals` | `Go-http-client/2.0` | + +5. After inputting the values as shown in the table, you should have an Expression Preview with the values you added for your specific rule. The example below reflects the hostname `splunk.cf-analytics.com`. + + ```txt + (http.request.method eq "POST" and http.host eq "splunk.cf-analytics.com" and http.request.uri.path eq "/services/collector/raw" and http.request.uri.query contains "channel" and ip.src.asnum eq 132892 and http.user_agent eq "Go-http-client/2.0") + ``` + +6. Under the **Then** > **Choose an action** dropdown, select _Skip_. +7. Under **WAF components to skip**, select _All managed rules_. +8. Select **Deploy**. + + + The WAF should now ignore requests made to Splunk HEC by Cloudflare. :::note
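Review bot: the match table, the Expression Preview block and the Skip / `All managed rules` / Deploy steps are copied verbatim into both procedures, so the only content that differs is the navigation (`Security` > `WAF` > `Custom rules` versus the `Security rules` page and `Create rule` > `Custom rules`). Any later change to the match criteria (`ip.src.asnum eq 132892`, `http.user_agent eq "Go-http-client/2.0"`, `/services/collector/raw`) now has to be made twice and can drift; consider keeping the navigation steps in the tabs and the shared table, expression and action steps once below them. Separately, since the action chosen in step 7/8 skips only `All managed rules`, the unchanged closing sentence "The WAF should now ignore requests made to Splunk HEC by Cloudflare" is broader than what the rule does; "Managed rules should now be skipped for ..." would match the selected scope.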