cmdReporter Wiki


cmdReporter Splunk HTTPS Input Configuration

Overview

This article describes the preference keys and the server-side configuration required for cmdReporter to send collected events directly to a Splunk server over its HTTPS connection.


cmdReporter Preference Configuration

The following preferences configure the transmission of log data to Splunk's HTTP Event Collector.


Note: the HTTP Event Collector works best when cmdReporter sends it raw JSON data. Be sure to append "/services/collector/raw" to the end of the URL.

<key>LogRemoteEndpointEnabled</key>
<true/>
<key>LogRemoteEndpointURL</key>
<string>https://company.splunk.server:($PORT)/services/collector/raw</string>
<key>LogRemoteEndpointType</key>
<string>Splunk</string>
<key>LogRemoteEndpointREST</key>
<dict>
  <key>PublicKeyHash</key>
  <string>(HTTP_Event_Collector_Token_Value)</string>
</dict>


Splunk-side Configurations

Prerequisites: Install the cmdReporter Splunk TA available at: https://splunkbase.splunk.com/app/4722/


1) Create a new HTTPS input in the web GUI by navigating to Settings/Data Inputs/HTTP Event Collector/New Token.


2) Follow the prompts and assign the new input a sourcetype of "cmdreporter" and a default index where you will store your macOS security logs.


3) Follow the rest of the prompts and make sure your final settings match these.


4) Copy the token value from the HTTP Event Collector main page for use in the cmdReporter configuration profile.
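The following script is an added example, not part of the cmdReporter project, that checks a preference fragment like the one above against the requirements on this page (https, the /services/collector/raw path, a non-empty token) and builds the HEC request those settings imply so the input can be smoke-tested from a workstation. The sample plist, the port 8088 (Splunk's default HEC port) and the token value are constructed placeholders.

```python
"""Validate cmdReporter -> Splunk HEC preferences and build the matching request."""
import plistlib
from urllib.parse import urlparse
from urllib.request import Request

RAW_PATH = "/services/collector/raw"  # raw JSON input, as the wiki requires

# Constructed sample: the wiki's fragment wrapped in a complete plist,
# with a placeholder port and a placeholder token.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LogRemoteEndpointEnabled</key><true/>
  <key>LogRemoteEndpointURL</key>
  <string>https://company.splunk.server:8088/services/collector/raw</string>
  <key>LogRemoteEndpointType</key><string>Splunk</string>
  <key>LogRemoteEndpointREST</key>
  <dict><key>PublicKeyHash</key><string>EXAMPLE-HEC-TOKEN</string></dict>
</dict>
</plist>
"""


def load_prefs(data: bytes) -> dict:
    """Parse a plist (bytes) into a dict of preference keys."""
    return plistlib.loads(data)


def check_splunk_prefs(prefs: dict) -> list:
    """Return a list of problems; an empty list means the fragment is usable."""
    problems = []
    if prefs.get("LogRemoteEndpointEnabled") is not True:
        problems.append("LogRemoteEndpointEnabled must be <true/>")
    if prefs.get("LogRemoteEndpointType") != "Splunk":
        problems.append("LogRemoteEndpointType must be 'Splunk'")
    url = urlparse(prefs.get("LogRemoteEndpointURL", ""))
    if url.scheme != "https":
        problems.append("endpoint URL must use https; the token travels in a header")
    if url.path != RAW_PATH:
        problems.append("endpoint URL must end with " + RAW_PATH)
    token = prefs.get("LogRemoteEndpointREST", {}).get("PublicKeyHash", "")
    if not token:
        problems.append("LogRemoteEndpointREST/PublicKeyHash (HEC token) is empty")
    return problems


def build_hec_request(prefs: dict, event_json: bytes) -> Request:
    """Build, without sending, the POST the settings imply; pass it to urlopen() to test."""
    token = prefs["LogRemoteEndpointREST"]["PublicKeyHash"]
    return Request(prefs["LogRemoteEndpointURL"], data=event_json, method="POST",
                   headers={"Authorization": "Splunk " + token,
                            "Content-Type": "application/json"})
```

A successful smoke test against a live collector returns HTTP 200 with a JSON body whose "text" field is "Success"; a 403 usually means the token was copied incorrectly or the input is disabled.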
