What is Splunk?

Splunk Cloud and Splunk Enterprise are security information and event management (SIEM) tools that can be configured in EPM Cloud for Linux to receive event log and I/O log data from EPM-L.

How is it useful?

Export your event information to Splunk to have a single source of event information for large-scale analysis, for piping to an EDR/XDR system, or for your SOC.

Two Splunk indexes are provided in this implementation; EPM-L sends event log data to one and IO log data to the other. The default index names are:

  • beyondtrust-epml-ecs-eventlog for event logs
  • beyondtrust-epml-ecs-iolog for IO logs

The index names cannot be changed.

After the Splunk connection is set up in EPM-L, events are collected and can be viewed using the unified search feature.

Settings

siemcreddb

The name of the database file in which the Splunk credentials will be stored. The default is

/opt/pbul/dbs/pbsiemcred.db

siemcafile

The name of the optional Certificate Authority file used to initiate a secure HTTPS connection to the Splunk Enterprise or Cloud instance. There is no default value.

siemcertfile

The name of the optional certificate file used in a secure HTTPS connection. There is no default value.

siemkeyfile

The name of the optional key file used in a secure HTTPS connection. There is no default value.

siemdeliverytimeout

Specifies the CURLOPT_TIMEOUT value, in seconds, for the libcurl-based connection to a Splunk instance. The default is 30.

sieminstances

One or more IDs to which events and IO logs will be delivered:

sieminstances cloud

siemdatatypes

Specify eventlog, iolog or both:

siemdatatypes eventlog iolog

siemoptions

Specify the bulk insert options batchsize and usebulkapi, for example:

siemoptions batchsize=10 usebulkapi

Note that usebulkapi, if included, forwards in a single send multiple records that the message router failed to transfer initially. When usebulkapi is specified, batchsize (default 10) sets the number of records included in that send. Also note that siemoptions is not set by default.

siemiologfieldsizekb

Specifies, in kilobytes, the amount of IO log data sent in a single part by the IO log part mechanism, which delivers large IO logs to a destination in multiple parts. The default is 1024, and the valid range is 8 to 65536.

siemiologfieldsizekb 1024
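The settings above are easy to mistype, and a misspelt name or an out-of-range value can silently leave Splunk without logs. The following is an added example (not BeyondTrust code) that checks a settings fragment against the rules on this page; it assumes the "name value ..." line form shown in the examples, with "#" starting a comment, and the sample settings text is constructed for the demonstration.

```python
"""Sanity-check EPM-L Splunk (siem*) settings against the documented rules."""
import re

# Constructed sample in the 'name value ...' form; the CA path is hypothetical.
SAMPLE_SETTINGS = """
siemcreddb /opt/pbul/dbs/pbsiemcred.db
siemcafile /etc/pki/tls/certs/splunk-ca.pem      # hypothetical path
siemdeliverytimeout 30
sieminstances cloud
siemdatatypes eventlog iolog
siemdoptions batchsize=10 usebulkapi             # misspelt: should be siemoptions
siemiologfieldsizekb 70000                       # outside the 8..65536 range
"""

KNOWN = {"siemcreddb", "siemcafile", "siemcertfile", "siemkeyfile",
         "siemdeliverytimeout", "sieminstances", "siemdatatypes",
         "siemoptions", "siemiologfieldsizekb"}


def parse_settings(text):
    """Return {name: [values]} for every non-blank, non-comment line (assumed format)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *values = line.split()
            settings[name] = values
    return settings


def check_siem_settings(settings):
    """Return a list of problems; an empty list means the siem* settings look sane."""
    problems = []
    for name in settings:
        if name.startswith("siem") and name not in KNOWN:
            problems.append(f"unknown setting '{name}' (typo for a siem* setting?)")
    if "siemcafile" not in settings:
        problems.append("siemcafile not set: no explicit CA configured for the HTTPS connection")
    if ("siemcertfile" in settings) != ("siemkeyfile" in settings):
        problems.append("siemcertfile and siemkeyfile should be set together")
    for dt in settings.get("siemdatatypes", []):
        if dt not in ("eventlog", "iolog"):
            problems.append(f"siemdatatypes: '{dt}' is not eventlog or iolog")
    size = settings.get("siemiologfieldsizekb")
    if size and not (size[0].isdigit() and 8 <= int(size[0]) <= 65536):
        problems.append(f"siemiologfieldsizekb {size[0]} is outside the range 8..65536")
    for opt in settings.get("siemoptions", []):
        m = re.fullmatch(r"batchsize=(\d+)", opt)
        if not m and opt != "usebulkapi":
            problems.append(f"siemoptions: unrecognised option '{opt}'")
        elif m and int(m.group(1)) < 1:
            problems.append("siemoptions: batchsize must be at least 1")
    return problems
```

Running check_siem_settings(parse_settings(SAMPLE_SETTINGS)) reports the misspelt siemdoptions line and the out-of-range siemiologfieldsizekb value.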

©2003-2025 BeyondTrust Corporation. All Rights Reserved.