Audit Log Ingestion Guide

TrustX to Splunk Cloud

TrustX application logs can be ingested into a security information and event management (SIEM) system using the TrustX API and Splunk Cloud. This guide describes the steps needed to ingest TrustX audit logs into Splunk Cloud using a Python script and the HTTP Event Collector (HEC). The script pulls logs via the TrustX API and pushes them to Splunk over HEC.

Step 1 - Generate API Key in TrustX

In this section, an API key with the necessary permissions will be generated in the TrustX Backoffice.

  1. Log in to the TrustX Backoffice and navigate to the API Keys page found in the left-side vertical navigation bar.
  2. Click the 'New API Key' button to create a new API Key.

Configure the API Key so that the Type is Permanent and it includes the following permissions (these three cover the start, status-check and result-retrieval calls the script makes):

  • TNT#<your tenant>#MetricsServer:startAuditQuery
  • TNT#<your tenant>#MetricsServer:getAuditQueryStatus
  • TNT#<your tenant>#MetricsServer:getAuditQueryResults

Example: (image not reproduced in this copy)

  3. Click the 'Save' button to finalize the API key creation.

Step 2 - Configure Splunk Cloud

This step describes the configuration in Splunk Cloud to create a dedicated index for TrustX and an HTTP Event Collector (HEC) token.

Step 2.1 Create a Dedicated Index

  1. Log in to the Splunk Cloud dashboard and navigate to Settings > Indexes > New Index.
  2. Name the new index "trustx".

Step 2.2 Create HEC Token

  1. Navigate to Settings > Data Inputs > HTTP Event Collector > New Token.

  2. Set the name and index accordingly:

    1. Name: "trustx"
    2. Index: "trustx"

Step 3 - Configure the Script

This section will describe configuring the .env file to include the keys created in Steps 1 and 2 of this guide.

  1. Edit your .env configuration file to include the TrustX API key and secret from Step 1 and the Splunk HEC token from Step 2. Because the file holds both credentials, restrict its permissions so that only the account that runs the script can read it.
  2. To find your TrustX API key secret:
    1. Navigate to the API Keys page in the TrustX Backoffice.
    2. Find the API Key created in Step 1 and select the magnifying glass under the 'Actions' column.
    3. Click the 'eye' icon to show the API secret.
  3. Place the “trustx_ingest” directory in /opt/splunk/bin/scripts/ on the Splunk Heavy Forwarder (make sure the script is executable and that the host can reach both the TrustX Backoffice and Splunk Cloud).
  4. Schedule the script to run every 10 minutes.

Example: (cron entry not reproduced in this copy)
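The guide refers to the trustx_ingest script without showing it. The following is an added example, not TrustX's or Splunk's code and not the trustx_ingest script itself, of the pull-and-push loop the guide describes: start an audit query, poll it until it completes, fetch the results, and post them to HEC as one JSON envelope per line. Everything TrustX-specific is an assumption: the endpoint paths (/audit/queries, .../status, .../results), the X-API-Key and X-API-Secret header names, the queryId, status, events and timestamp fields, and the .env variable names (TRUSTX_BASE_URL, TRUSTX_API_KEY, TRUSTX_API_SECRET, SPLUNK_HEC_URL, SPLUNK_HEC_TOKEN, POLL_INTERVAL). The HEC side (/services/collector/event, the Authorization: Splunk <token> header and the {"code":0} acceptance reply) is standard Splunk HEC behaviour. The HTTP transport is injectable so the polling and batching logic can be checked without network access.

```python
import json
import os
import time
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

# Transport = (method, url, headers, body) -> decoded JSON; injectable for offline checks.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]

def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Dict[str, Any]:
    """Real HTTPS transport on the standard library; urlopen raises on non-2xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode("utf-8")
    return json.loads(raw) if raw else {}

def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blanks, '#' comments and surrounding quotes are dropped."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().strip('"').strip("'")
    return values

class TrustXAuditClient:
    """Asynchronous audit query matching the three Step 1 permissions: start the query,
    poll its status, fetch the results. URL paths, header names and JSON field names
    are ASSUMED placeholders, not the documented TrustX API."""

    def __init__(self, base_url: str, api_key: str, api_secret: str,
                 transport: Transport = urllib_transport) -> None:
        self.base = base_url.rstrip("/")
        self.headers = {"Content-Type": "application/json",
                        "X-API-Key": api_key, "X-API-Secret": api_secret}
        self.transport = transport

    def fetch_audit_events(self, start: datetime, end: datetime, poll_interval: float = 2.0,
                           max_polls: int = 30) -> List[Dict[str, Any]]:
        body = json.dumps({"from": start.isoformat(), "to": end.isoformat()}).encode("utf-8")
        query_id = self.transport("POST", f"{self.base}/audit/queries", self.headers, body)["queryId"]
        for _ in range(max_polls):
            status = self.transport("GET", f"{self.base}/audit/queries/{query_id}/status",
                                    self.headers, None)["status"]
            if status == "COMPLETED":
                break
            if status == "FAILED":
                raise RuntimeError(f"audit query {query_id} failed")
            time.sleep(poll_interval)
        else:
            raise TimeoutError(f"audit query {query_id} still running after {max_polls} polls")
        results = self.transport("GET", f"{self.base}/audit/queries/{query_id}/results",
                                 self.headers, None)
        return results.get("events", [])

def build_hec_batch(events: List[Dict[str, Any]], index: str = "trustx",
                    sourcetype: str = "trustx:audit") -> bytes:
    """One HEC JSON envelope per line; 'time' is set only when the event carries an
    epoch-seconds 'timestamp' (assumed field name), else HEC stamps the arrival time."""
    lines = []
    for ev in events:
        envelope: Dict[str, Any] = {"index": index, "sourcetype": sourcetype, "event": ev}
        if isinstance(ev.get("timestamp"), (int, float)):
            envelope["time"] = ev["timestamp"]
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines).encode("utf-8")

def send_to_hec(hec_url: str, hec_token: str, events: List[Dict[str, Any]],
                transport: Transport = urllib_transport) -> int:
    """POST the batch to the standard HEC event endpoint; returns the number of events sent."""
    if not events:
        return 0
    headers = {"Authorization": f"Splunk {hec_token}", "Content-Type": "application/json"}
    resp = transport("POST", f"{hec_url.rstrip('/')}/services/collector/event",
                     headers, build_hec_batch(events))
    if resp.get("code") != 0:  # HEC replies {"text":"Success","code":0} when the batch is accepted
        raise RuntimeError(f"HEC rejected batch: {resp}")
    return len(events)

def run_once(cfg: Dict[str, str], window_minutes: int = 10,
             transport: Transport = urllib_transport, now: Optional[datetime] = None) -> int:
    """Pull the last window of TrustX audit events and push them to Splunk HEC."""
    end = now or datetime.now(timezone.utc)
    client = TrustXAuditClient(cfg["TRUSTX_BASE_URL"], cfg["TRUSTX_API_KEY"],
                               cfg["TRUSTX_API_SECRET"], transport)
    events = client.fetch_audit_events(end - timedelta(minutes=window_minutes), end,
                                       poll_interval=float(cfg.get("POLL_INTERVAL", "2")))
    return send_to_hec(cfg["SPLUNK_HEC_URL"], cfg["SPLUNK_HEC_TOKEN"], events, transport)

if __name__ == "__main__":
    # Run from cron every 10 minutes as in Step 3, e.g. (script name is assumed):
    # */10 * * * * /usr/bin/python3 /opt/splunk/bin/scripts/trustx_ingest/ingest.py
    with open(os.path.join(os.path.dirname(os.path.abspath(__file__)), ".env")) as fh:
        config = {**parse_dotenv(fh.read()), **os.environ}  # real env vars win over the file
    print(f"sent {run_once(config)} events to Splunk")
```

The 10-minute query window matches the 10-minute cron schedule; if a run is late or the TrustX query takes longer than a poll budget allows, the script raises rather than silently shipping a partial window, so the failure shows up in cron output and the gap is visible in Splunk.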

Step 4 - Validate Ingestion in Splunk

This step will describe how to view the ingested reports in Splunk.

  1. Navigate to the Search & Reporting page in Splunk.
  2. Run the following search query: index=trustx
  3. The audit events from TrustX will be returned in the output of the search query.