Overview
This article describes the preference keys and the server-side configuration required for cmdReporter to send collected events directly to a Splunk server over its HTTPS connection.
cmdReporter Preference Configuration
The following preferences configure the transmission of log data to Splunk's HTTP Event Collector.
Note: the HTTP Event Collector works best when cmdReporter sends it raw JSON data, so be sure to append "/services/collector/raw" to the end of the collector URL. Because the URL is HTTPS, the HEC listener must present a certificate that the Macs trust; the certificate Splunk uses for HEC by default is self-signed.
<key>LogRemoteEndpointEnabled</key>
<true/>
<key>LogRemoteEndpointURL</key>
<string>https://company.splunk.server:($PORT)/services/collector/raw</string>
<key>LogRemoteEndpointType</key>
<string>Splunk</string>
<key>LogRemoteEndpointREST</key>
<dict>
    <key>PublicKeyHash</key>
    <string>(HTTP_Event_Collector_Token_Value)</string>
</dict>
Splunk-side Configurations
Prerequisites: Install the cmdReporter Splunk TA available at: https://splunkbase.splunk.com/app/4722/
1) Create a new HTTP Event Collector token in the web GUI by navigating to Settings/Data Inputs/HTTP Event Collector/New Token
2) Follow the prompts and assign the new input a sourcetype of "cmdreporter" and default index where you will store your macOS security logs.
3) Follow the rest of the prompts and make sure your final settings match these
4) Copy the token value from the HTTP Event Collector main page and place it in the PublicKeyHash string of the LogRemoteEndpointREST dictionary in the cmdReporter configuration profile. Treat the token as a credential: anyone who holds it can write events into that index, so deliver the profile only through your MDM and rotate the token if it is exposed.
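The following Python script is an added example (not code from cmdReporter, the Splunk TA, or Splunk) that ties the two halves of this setup together: it checks a LogRemoteEndpointURL the way the note above requires (https, numeric port, path ending in /services/collector/raw), writes the four cmdReporter preference keys as a plist, and can post one constructed test event to the raw HEC endpoint with the copied token so you can confirm in Splunk that the token, sourcetype and index are right before deploying the profile. The hostname splunk.example.com, port 8088 and the function names are assumptions for illustration; the HEC "Authorization: Splunk <token>" header and the sourcetype/index query parameters on the raw endpoint are standard Splunk HEC behaviour.

```python
"""
Helper for the cmdReporter -> Splunk HEC setup described in this article.

Added example, not code from cmdReporter or the Splunk TA. It validates the
LogRemoteEndpointURL, writes the preference keys as a plist, and can post one
constructed test event to the raw HEC endpoint to verify the token.
"""
import json
import plistlib
import ssl
import urllib.request
from urllib.parse import urlencode, urlsplit

RAW_PATH = "/services/collector/raw"  # endpoint the article requires


def hec_url_problems(url: str) -> list:
    """Reasons the URL is unusable as LogRemoteEndpointURL (empty list = OK)."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host")
    try:
        parts.port  # raises ValueError if the ($PORT) placeholder was left in place
    except ValueError:
        problems.append("port is not numeric (replace the ($PORT) placeholder)")
    if parts.path.rstrip("/") != RAW_PATH:
        problems.append(f"path must be {RAW_PATH}")
    return problems


def build_preferences(url: str, token: str) -> dict:
    """The cmdReporter keys from the article; the HEC token goes in PublicKeyHash."""
    problems = hec_url_problems(url)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "LogRemoteEndpointEnabled": True,
        "LogRemoteEndpointURL": url,
        "LogRemoteEndpointType": "Splunk",
        "LogRemoteEndpointREST": {"PublicKeyHash": token},
    }


def preferences_plist(url: str, token: str) -> bytes:
    """XML plist of the preference keys (the payload content for the profile)."""
    return plistlib.dumps(build_preferences(url, token))


def hec_request(url: str, token: str, event: dict,
                sourcetype: str = "cmdreporter", index: str = None) -> urllib.request.Request:
    """POST to the raw endpoint: the body is the bare JSON event, sourcetype/index
    ride in the query string, and HEC authenticates with 'Authorization: Splunk <token>'."""
    query = {"sourcetype": sourcetype}
    if index:
        query["index"] = index
    return urllib.request.Request(
        f"{url}?{urlencode(query)}",
        data=json.dumps(event).encode(),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )


def send_test_event(url: str, token: str, index: str = None, cafile: str = None) -> dict:
    """Post one constructed marker event; HEC answers {"text": "Success", "code": 0}.
    cafile: PEM bundle for the HEC listener's certificate if it is not publicly trusted."""
    event = {"cmdReporter_test": True, "note": "constructed HEC connectivity check"}
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(hec_request(url, token, event, index=index),
                                context=ctx, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    import sys
    # usage: python hec_prefs.py https://splunk.example.com:8088/services/collector/raw <token>
    url, token = sys.argv[1], sys.argv[2]
    sys.stdout.write(preferences_plist(url, token).decode())
```

After `send_test_event(...)` returns `{"text": "Success", "code": 0}`, search `index=<your index> sourcetype=cmdreporter cmdReporter_test=true` in Splunk; if the event appears, the same URL and token will work in the profile. A 403 from HEC means the token is wrong or disabled; a certificate error means the listener's certificate is not trusted by the client (pass `cafile`, or fix the listener's certificate, since cmdReporter on the Macs will face the same listener).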