# Splunk HEC Integration

Configure LinuxGuard to forward security signals to Splunk using the HTTP Event Collector (HEC).

## Prerequisites

* Access to the LinuxGuard console with administrator role
* A Splunk HEC token with write access to the target index
* Splunk HEC endpoint accessible from the LinuxGuard backend (host and port confirmed)

## Configure a Splunk HEC Destination

1. In the LinuxGuard console, navigate to **Settings** > **Integrations** > **Splunk HEC**.
2. Select **Add Destination**.
3. Enter the **Host**: your Splunk hostname or IP address.
4. Enter the **Port**: the HEC listener port (default: `8088`).
5. Enter the **Token**: your Splunk HEC token.

   LinuxGuard sends events to `https://{host}:{port}/services/collector/event` and authenticates using the `Authorization` header:

   ```
   Authorization: Splunk <HEC_TOKEN>
   ```

6. Select **Create**.

## Sourcetype and Index

LinuxGuard uses the following defaults for all delivered events. All fields are configurable.

| Field        | Default             | Notes                                                          |
| ------------ | ------------------- | -------------------------------------------------------------- |
| `sourcetype` | `linuxguard:signal` | Recommended — keep the default to simplify SIEM search queries |
| `source`     | `linuxguard`        | Identifies the sending application                             |
| `index`      | `main`              | Change to your preferred index if needed                       |

## Event Schema

Each event is delivered in Splunk HEC JSON format with a wrapper object and a flat event payload.

```json
{
  "time": 1740923521,
  "host": "web-01",
  "source": "linuxguard",
  "sourcetype": "linuxguard:signal",
  "index": "main",
  "event": {
    "tenant_id": "<TENANT_ID>",
    "signal_type": "sudo_command_executed",
    "signal_id": "sig_abc123",
    "severity": 4,
    "description": "Sudo command executed",
    "identity_name": "jsmith",
    "identity_type": "user",
    "server_hostname": "web-01",
    "server_id": "srv_xyz",
    "environment": "production",
    "category": "privilege_escalation",
    "created_at": "2026-03-02T14:31:58Z"
  }
}
```

**Event fields** (fields inside `event`):

| Field             | Type    | Description                                    |
| ----------------- | ------- | ---------------------------------------------- |
| `tenant_id`       | string  | Your tenant identifier                         |
| `signal_type`     | string  | Signal type (e.g., `sudo_command_executed`)    |
| `signal_id`       | string  | Unique signal identifier                       |
| `severity`        | integer | Signal severity: 1 (info) to 5 (critical)      |
| `description`     | string  | Human-readable signal description              |
| `identity_name`   | string  | Username or service account name               |
| `identity_type`   | string  | `user` or `service_account`                    |
| `server_hostname` | string  | Hostname of the reporting server               |
| `server_id`       | string  | Server identifier                              |
| `environment`     | string  | Agent environment tag                          |
| `category`        | string  | Signal category (e.g., `privilege_escalation`) |
| `created_at`      | string  | ISO 8601 timestamp when the signal was created |

## TLS Configuration

By default, LinuxGuard verifies the Splunk HEC server certificate. If your Splunk instance uses a non-standard certificate, use one of the following options:

* **Internal CA or self-signed certificate (recommended)**: Provide the `ca_cert` path — LinuxGuard will trust the specified CA certificate.
* **Disable TLS verification (not recommended for production)**: Set `tls_verify: false`.

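The pieces above (the collector endpoint and `Authorization` header, the event schema, and the two TLS options) fit together as follows. This is an added, stand-alone example written for this page, not LinuxGuard's own forwarder code; the sample signal is constructed from the Event Schema section, the hostname and token used in the usage note are placeholders, and the schema checks are an assumed client-side guard, not something the product documents.

```python
import json
import ssl
import urllib.request
from datetime import datetime

# Defaults from the Sourcetype and Index table on this page.
DEFAULT_SOURCETYPE, DEFAULT_SOURCE, DEFAULT_INDEX = "linuxguard:signal", "linuxguard", "main"
# Documented event fields: severity is an integer, everything else is a string.
STRING_FIELDS = ("tenant_id", "signal_type", "signal_id", "description", "identity_name",
                 "identity_type", "server_hostname", "server_id", "environment",
                 "category", "created_at")
SCHEMA = {"severity": int, **{name: str for name in STRING_FIELDS}}
# Constructed sample matching the Event Schema section (tenant and ids are placeholders).
SAMPLE_SIGNAL = {"tenant_id": "<TENANT_ID>", "signal_type": "sudo_command_executed",
                 "signal_id": "sig_abc123", "severity": 4, "description": "Sudo command executed",
                 "identity_name": "jsmith", "identity_type": "user", "server_hostname": "web-01",
                 "server_id": "srv_xyz", "environment": "production",
                 "category": "privilege_escalation", "created_at": "2026-03-02T14:31:58Z"}

def validate_signal(signal):
    """Reject payloads that do not match the documented schema; returns True when valid."""
    for name, typ in SCHEMA.items():
        if name not in signal or not isinstance(signal[name], typ) or isinstance(signal[name], bool):
            raise ValueError(f"field {name!r} missing or not {typ.__name__}")
    if not 1 <= signal["severity"] <= 5:
        raise ValueError("severity must be 1 (info) to 5 (critical)")
    if signal["identity_type"] not in ("user", "service_account"):
        raise ValueError("identity_type must be 'user' or 'service_account'")
    datetime.fromisoformat(signal["created_at"].replace("Z", "+00:00"))  # ISO 8601 check
    return True

def build_envelope(signal, index=DEFAULT_INDEX, sourcetype=DEFAULT_SOURCETYPE):
    """Wrap a signal in the HEC envelope; `time` is derived from created_at, not from 'now'."""
    validate_signal(signal)
    created = datetime.fromisoformat(signal["created_at"].replace("Z", "+00:00"))
    return {"time": int(created.timestamp()), "host": signal["server_hostname"],
            "source": DEFAULT_SOURCE, "sourcetype": sourcetype, "index": index, "event": signal}

def build_request(host, port, token, envelope):
    """POST to the documented endpoint with the `Authorization: Splunk <token>` header."""
    url = f"https://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(envelope).encode(), headers=headers, method="POST")

def tls_context(ca_cert=None, tls_verify=True):
    """ca_cert pins an internal CA (the recommended option); tls_verify=False disables all checks."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    if not tls_verify:  # check_hostname must be cleared before verify_mode can become CERT_NONE
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx
```

To deliver an event, pass the request and context together, for example `urllib.request.urlopen(build_request("splunk.example.internal", 8088, "<HEC_TOKEN>", build_envelope(SAMPLE_SIGNAL)), context=tls_context(ca_cert="/path/to/internal-ca.pem"))`; Splunk answers `{"text":"Success","code":0}` on acceptance.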
***

**Related**: [Alerting & SIEM Integration](/explanation/explanation/alerting.md) | [Configure Notification Rules](/how-to-guides/how-to/configure-notification-rules.md) | [Webhook Integration](/how-to-guides/how-to/configure-notification-rules/webhook-integration.md) | [Syslog Forwarding](/how-to-guides/how-to/configure-notification-rules/syslog-forwarding.md)
