Splunk HEC Integration

Send LinuxGuard security signals to Splunk via the HTTP Event Collector with token authentication and index targeting.

Configure LinuxGuard to forward security signals to Splunk using the HTTP Event Collector (HEC).

Prerequisites

Access to the LinuxGuard console with administrator role
A Splunk HEC token with write access to the target index
Splunk HEC endpoint accessible from the LinuxGuard backend (host and port confirmed)

Configure a Splunk HEC Destination

In the LinuxGuard console, navigate to Settings > Integrations > Splunk HEC.
Select Add Destination.
Enter the Host: your Splunk hostname or IP address.
Enter the Port: the HEC listener port (default: 8088).
Enter the Token: your Splunk HEC token.

LinuxGuard sends events to https://{host}:{port}/services/collector/event and authenticates using the Authorization header:

Authorization: Splunk <HEC_TOKEN>

Select Create.

Sourcetype and Index

LinuxGuard uses the following defaults for all delivered events. All fields are configurable.

Field

Default

Notes

sourcetype

linuxguard:signal

Recommended — keep the default to simplify SIEM search queries

source

linuxguard

Identifies the sending application

index

main

Change to your preferred index if needed

Event Schema

Each event is delivered in Splunk HEC JSON format with a wrapper object and a flat event payload.

{
  "time": 1740923521,
  "host": "web-01",
  "source": "linuxguard",
  "sourcetype": "linuxguard:signal",
  "index": "main",
  "event": {
    "tenant_id": "<TENANT_ID>",
    "signal_type": "sudo_command_executed",
    "signal_id": "sig_abc123",
    "severity": 4,
    "description": "Sudo command executed",
    "identity_name": "jsmith",
    "identity_type": "user",
    "server_hostname": "web-01",
    "server_id": "srv_xyz",
    "environment": "production",
    "category": "privilege_escalation",
    "created_at": "2026-03-02T14:31:58Z"
  }
}

Event fields (fields inside event):

Field

Type

Description

tenant_id

string

Your tenant identifier

signal_type

string

Signal type (e.g., sudo_command_executed)

signal_id

string

Unique signal identifier

severity

integer

Signal severity: 1 (info) to 5 (critical)

description

string

Human-readable signal description

identity_name

string

Username or service account name

identity_type

string

user or service_account

server_hostname

string

Hostname of the reporting server

server_id

string

Server identifier

environment

string

Agent environment tag

category

string

Signal category (e.g., privilege_escalation)

created_at

string

ISO 8601 timestamp when the signal was created

TLS Configuration

By default, LinuxGuard verifies the Splunk HEC server certificate. If your Splunk instance uses a non-standard certificate, use one of the following options:

Internal CA or self-signed certificate (recommended): Provide the ca_cert path — LinuxGuard will trust the specified CA certificate.
Disable TLS verification (not recommended for production): Set tls_verify: false.

PreviousSyslog Forwarding NextAudit & Comply

Last updated 4 days ago

Was this helpful?